Learn about Policies

Learn about the policies available for use in NGINX Management Suite API Connectivity Manager.

This documentation applies to NGINX Management Suite API Connectivity Manager 1.1.0 and later.


This page gives an overview of the available policies in API Connectivity Manager (ACM). Policies allow you to protect and secure your services and their data.

Policy Types

There are two types of policies for API Connectivity Manager:

Policy Type Description
Global policies Global policies, typically managed by an Enterprise Security or Support team, are onboarded as a one-time task when onboarding an API. Global policies are enforced for all of the APIs in an environment.
API proxy policies When onboarding APIs to API Connectivity Manager, API owners define API-level policies to enforce security and behavior characteristics for their APIs.

Global Policies

Global policies are enforced for all of the APIs in an environment. Global policies are commonly prescribed by an Enterprise Security or Support team; the Security or Support team decides if API owners can edit the global policies.

Policy Name Default Policy Applied On Description
Error Response Format Outbound

Configure the Error Response Format policy to customize the HTTP error codes and error messages.

Log format Outbound

Use the Log Format global policy to generate detailed access logs in JSON (default) or syslog format.

Among the settings you can select, use the filter to fine-tune what gets logged, set the log destination, and adjust the log severity level to specify the type of errors to log.

OpenID Connect Relying Party Inbound

Secure access to your APIs with an OpenID Connect (OIDC) policy. This policy configures the API gateway proxy as a relying party for authenticating users with an OIDC provider.

Proxy Response Headers Inbound

Customize the Proxy Response Headers policy to include or exclude headers in the proxy response.

By default, the standard headers are included in the response. In addition, you can specify whether the header is always included regardless of the response code.

You can also add custom headers and values to include in the response.

Request Body Size Limit Inbound

Prevent Denial-of-Service (DoS) and other types of attacks by limiting the request body size.

Customize the policy to configure the max payload size the API gateway proxy cluster can accept; the default limit is 1 MB. The API gateway proxy blocks requests exceeding the limit, while returning the configured error code. Set the max size to 0 to disable checking the request body size.

Request Correlation ID Inbound

Apply the Correlation ID policy to add a unique identifier to each request entering the application. You can use this unique ID to trace end-to-end transactions moving through components in a distributed system.

The policy uses x-correlation-id as the default HTTP header name, or you can provide a custom header value.

TLS Backend Backend

Secure the communication between the API gateway proxy and the backend API service by enabling and customizing the TLS backend policy.

When mTLS is enabled, the API gateway proxy identifies itself to the backend service using an SSL client certificate.

TLS Inbound Inbound

Secure inbound connections with the TLS inbound policy.

Enable mTLS for secure bidirectional communication.

API Proxy Policies

Apply API gateway proxy policies to enhance the experience of your APIs.

Policy Name Applied On Description
ACL-IP Inbound Protect your upstream TCP application servers by denying/allowing access from certain client IP addresses or CIDR blocks
Allowed HTTP Methods Inbound Restrict access to specific request methods and set a custom response code for non-matching requests.
APIKey Authentication Inbound Secure the API gateway proxy by adding an API key.
Backend Config Inbound Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource use.
Backend Health Check Backend Perform regular health checks to the backend API service to avoid and recover from server issues. Customize the policy with your desired thresholds.
Basic Authentication Inbound Restrict access to APIs by requiring a username and password.
CORS Inbound Configure cross-origin resource sharing (CORS) to control resource access from outside domains.
JSON Web Token Assertion Inbound Secure your API gateway proxy with JSON web token verification.
OAuth2 Token Introspection Inbound Secure your API gateway proxy with OAuth2 Tokens.
Proxy Cache Outbound Enable and configure caching to improve the performance of your API gateway proxy.
Proxy Request Headers Backend Configure the headers to pass to the backend API service.
Rate Limit Inbound Add rate limits to limit incoming requests and secure API workloads.