Learn about Policies
Learn about the policies available for use in NGINX Management Suite API Connectivity Manager.
Overview
This page gives an overview of the available policies in API Connectivity Manager (ACM). Policies allow you to protect and secure your services and their data.
Policy Types
There are two types of policies for API Connectivity Manager:
Policy Type | Description |
---|---|
Global policies | Global policies, typically managed by an Enterprise Security or Support team, are onboarded as a one-time task when onboarding an API. Global policies are enforced for all of the APIs in an environment. |
API proxy policies | When onboarding APIs to API Connectivity Manager, API owners define API-level policies to enforce security and behavior characteristics for their APIs. |
Global Policies
Global policies are enforced for all of the APIs in an environment. Global policies are commonly prescribed by an Enterprise Security or Support team; the Security or Support team decides if API owners can edit the global policies.
Policy Name | Default Policy | Applied On | Description |
---|---|---|---|
Error Response Format | Outbound | Configure the Error Response Format policy to customize the HTTP error codes and error messages. |
|
Log format | Outbound | Use the Log Format global policy to generate detailed access logs in JSON (default) or syslog format. Among the settings you can select, use the filter to fine-tune what gets logged, set the log destination, and adjust the log severity level to specify the type of errors to log. |
|
OpenID Connect Relying Party | Inbound | Secure access to your APIs with an OpenID Connect (OIDC) policy. This policy configures the API gateway proxy as a relying party for authenticating users with an OIDC provider. |
|
Proxy Response Headers | Inbound | Customize the Proxy Response Headers policy to include or exclude headers in the proxy response. By default, the standard headers are included in the response. In addition, you can specify whether the header is always included regardless of the response code. You can also add custom headers and values to include in the response. |
|
Request Body Size Limit | Inbound | Prevent Denial-of-Service (DoS) and other types of attacks by limiting the request body size. Customize the policy to configure the max payload size the API gateway proxy cluster can accept; the default limit is 1 MB. The API gateway proxy blocks requests exceeding the limit, while returning the configured error code. Set the max size to 0 to disable checking the request body size. |
|
Request Correlation ID | Inbound | Apply the Correlation ID policy to add a unique identifier to each request entering the application. You can use this unique ID to trace end-to-end transactions moving through components in a distributed system. The policy uses |
|
TLS Backend | Backend | Secure the communication between the API gateway proxy and the backend API service by enabling and customizing the TLS backend policy. When mTLS is enabled, the API gateway proxy identifies itself to the backend service using an SSL client certificate. |
|
TLS Inbound | Inbound | Secure inbound connections with the TLS inbound policy. Enable mTLS for secure bidirectional communication. |
API Proxy Policies
Apply API gateway proxy policies to enhance the experience of your APIs.
Policy Name | Applied On | Description |
---|---|---|
Allowed HTTP Methods | Inbound | Restrict access to specific request methods and set a custom response code for non-matching requests. |
APIKey Authentication | Inbound | Secure the API gateway proxy by adding an API key. |
Backend Config | Inbound | Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource use. |
Backend Health Check | Backend | Perform regular health checks to the backend API service to avoid and recover from server issues. Customize the policy with your desired thresholds. |
Basic Authentication | Inbound | Restrict access to APIs by requiring a username and password. |
CORS | Inbound | Configure cross-origin resource sharing (CORS) to control resource access from outside domains. |
JSON Web Token Assertion | Inbound | Secure your API gateway proxy with JSON web token verification. |
Proxy Cache | Outbound | Enable and configure caching to improve the performance of your API gateway proxy. |
Proxy Request Headers | Backend | Configure the headers to pass to the backend API service. |
Rate Limit | Inbound | Add rate limits to limit incoming requests and secure API workloads. |