Learn about Policies
Learn about the policies available for use in NGINX Management Suite API Connectivity Manager.
This documentation applies to NGINX Management Suite API Connectivity Manager 1.1.0 and later.
Overview
This page gives an overview of the available policies in API Connectivity Manager (ACM). Policies allow you to protect and secure your services and their data.
Policy Types
There are two types of policies for API Connectivity Manager:
| Policy Type | Description |
|---|---|
| Global policies | Global policies, typically managed by an Enterprise Security or Support team, are onboarded as a one-time task when onboarding an API. Global policies are enforced for all of the APIs in an environment. |
| API proxy policies | When onboarding APIs to API Connectivity Manager, API owners define API-level policies to enforce security and behavior characteristics for their APIs. |
Global Policies
Global policies are enforced for all of the APIs in an environment. Global policies are commonly prescribed by an Enterprise Security or Support team; the Security or Support team decides if API owners can edit the global policies.
The following table shows the available Global Policies you can use when creating a new cluster.
Legend:
- = Supported
- = Not supported
- = Applied by default
| Policy Name | HTTP Environment | gRPC Environment | Applied On | Description |
|---|---|---|---|---|
| Error Response Format | Outbound | Configure the Error Response Format policy to customize the HTTP error codes and error messages. | ||
| Log Format | Outbound | Use the Log Format global policy to generate detailed access logs in JSON (default) or syslog format. Among the settings you can select, use the filter to fine-tune what gets logged, set the log destination, and adjust the log severity level to specify the type of errors to log. | ||
| OpenID Connect Relying Party | Inbound | Secure access to your APIs with an OpenID Connect (OIDC) policy. This policy configures the API gateway proxy as a relying party for authenticating users with an OIDC provider. | ||
| Proxy Response Headers | Inbound | Customize the Proxy Response Headers policy to include or exclude headers in the proxy response. By default, the standard headers are included in the response. In addition, you can specify whether the header is always included regardless of the response code. You can also add custom headers and values to include in the response. | ||
| Request Body Size Limit | Inbound | Prevent Denial-of-Service (DoS) and other types of attacks by limiting the request body size. Customize the policy to configure the max payload size the API gateway proxy cluster can accept; the default limit is 1 MB. The API gateway proxy blocks requests exceeding the limit, while returning the configured error code. Set the max size to 0 to disable checking the request body size. | ||
| Request Correlation ID | Inbound | Apply the Correlation ID policy to add a unique identifier to each request entering the application. You can use this unique ID to trace end-to-end transactions moving through components in a distributed system. The policy uses x-correlation-id as the default HTTP header name, or you can provide a custom header value. |
||
| TLS Backend | Backend | Secure the communication between the API gateway proxy and the backend API service by enabling and customizing the TLS backend policy. When mTLS is enabled, the API gateway proxy identifies itself to the backend service using an SSL client certificate. | ||
| TLS Inbound | Inbound | Secure inbound connections with the TLS inbound policy. Enable mTLS for secure bidirectional communication. |
API Proxy Policies
Apply API gateway proxy policies to enhance the experience of your APIs.
The following table shows the available API Proxy Policies you can use when creating an API gateway.
Legend:
- = Supported
- = Not supported
- = Applied by default
| Policy Name | HTTP Proxy | gRPC Proxy | Applied On | Description |
|---|---|---|---|---|
| Access Control Routing | Inbound | Restrict access to your application servers based on JWT claims or header values. | ||
| ACL Consumer Restriction | Inbound | Protect your upstream TCP application servers by denying/allowing access from certain consumers client IDs or authenticated JWT claims. | ||
| ACL IP Restriction | Inbound | Protect your upstream TCP application servers by denying/allowing access from certain client IP addresses or CIDR blocks | ||
| Allowed HTTP Methods | Inbound | Restrict access to specific request methods and set a custom response code for non-matching requests. | ||
| APIKey Authentication | Inbound | Secure the API gateway proxy by adding an API key. | ||
| Backend Config | Inbound | Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource usage. | ||
| Backend Health Check | Backend | Perform regular health checks to the backend API service to avoid and recover from server issues. Customize the policy with your desired thresholds. | ||
| Basic Authentication | Inbound | Restrict access to APIs by requiring a username and password. | ||
| CORS | Inbound | Configure cross-origin resource sharing (CORS) to control resource access from outside domains. | ||
| JSON Web Token Assertion | Inbound | Secure your API gateway proxy with JSON web token verification. | ||
| OAuth2 Token Introspection | Inbound | Secure your API gateway proxy with OAuth2 Tokens. | ||
| Proxy Cache | Outbound | Enable and configure caching to improve the performance of your API gateway proxy. | ||
| Proxy Request Headers | Backend | Configure the headers to pass to the backend API service. | ||
| Rate Limit | Inbound | Add rate limits to limit incoming requests and secure API workloads. |