End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

HTTP Backend Configuration

Learn how to use the F5 NGINX Management Suite API Connectivity Manager to manage HTTP API Gateways by applying a backend configuration policy.

Overview

In API Connectivity Manager, you can apply policies to an API Gateway to further enhance their configuration to meet your requirements.

Policies added at the proxy level are applied to all routes within that proxy.

For an overview of the different policy types and available policies, refer to the consult the Learn about Policies topic.

About the Backend Configuration Policy

The backend configuration policy allows API Owners to manage their backend services with a common set of configuration options. These configuration options are applied to all service targets in a given backend service.

The backend configuration policy provides the ability to configure:

Load balancing
Keep-Alive connections
Connection settings
Queues
Buffers
Session Cookies
NTLM Authentication

Later sections of this guide will cover each of these areas in turn.

Intended Audience

This guide is intended for API Owners — the individuals or teams who are responsible for designing, creating, and maintaining APIs.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

API Connectivity Manager is installed, licensed, and running.
You have one or more Environments with an API Gateway.
You have published one or more API Gateways

Workflow for Applying Policy

To apply the policy or make changes to it, here’s what you need to do:

Edit an existing environment or create a new one.
Check the advanced settings for the environment to see if the policy has been applied.
Edit the policy to make changes for each environment. Save and publish the changes.

Target Backend Service

It is possible to target specific backend services with a backend configuration policy through the use of labels. Backend services whose label matches that configured in the backend configuration policy target backend policy label will have that configuration applied. If no target backend policy label is provided, the backend configuration policy will be applied to all backend services with the label is set as default.

Configuring Target Backend Service

Take the steps in this section to configure a backend configuration policy for specific backend service targets by label. In the example below, the backend configuration policy keepalive settings will be applied to all backend service targets with the petstore-api label.

Send a POST request to add a load balancer configuration to the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies": {
      "backend-config": [
         {
            "action": {
               "targetBackendPolicyLabel" : "petstore-api",
               "keepCacheConnectionAlive": 32,
               "keepAliveRequests": 1000,
               "keepAliveTime": "1h",
               "keepAliveTimeout": "60s"
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`targetBackendPolicyLabel`	string	Example: `petstore-api`	Target backend labels for policy application. If not supplied this backend service configuration would be applied to the default backend service of the API proxy.	No	`default`

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
To apply the backend configuration policy to backend service targets, set the Target Backend Policy Label as the label of the backend service targets.
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Load Balancing

Six load balancing options are available; round robin (default), least connections, least response time, hashed key value, IP hash, or random.

Balancing Algorithms

Round Robin

This algorithm distributes requests to the application in a round-robin fashion to each backend service target in equal and circular order. As the default load balancing algorithm, it applies to all upstream server blocks containing backend service targets.

Least Connections

This algorithm distributes requests to the server with the least number of active connections. If there are several servers, they are tried sequentially using the round-robin balancing method.

Least Time

Note:
This load balancing algorithm is available as part of the F5 NGINX Plus commercial subscription.

This algorithm distributes requests to the server with the least average response time and least number of active connections. If there are several servers, they are tried sequentially using the round-robin balancing method.

If the HEADER measurement is specified, the time to receive the response header is used. If the LAST_BYTE measurement is specified, the time to receive the full response is used. If the LAST_BYTE_INFLIGHT parameter is specified, incomplete requests are also considered.

Hash

This algorithm distributes requests with client-server mapping based on the hashed key value. The key can contain text, variables, and their combinations. Note that adding or removing a server from the group may result in remapping most of the keys to different servers. The method is compatible with the Cache::Memcached Perl library.

If the consistent parameter is specified, the ketama consistent hashing method will be used instead. The method ensures that only a few keys will be remapped to different servers when a server is added to or removed from the group. This helps to achieve a higher cache hit ratio for caching servers. The method is compatible with the Cache::Memcached::Fast Perl library with the ketama_points parameter set to 160.

IP Hash

This algorithm distributes requests between servers based on client IP addresses. The first three octets of a client’s IPv4 address, or an entire IPv6 address are used as a hashing key, ensuring that requests from the same client will always be passed to the same server except when the server is unavailable. In the latter case, client requests will be passed to another server. Most probably, it will always be the same server as well.

If one of the servers needs to be temporarily removed, it should be marked with the down parameter to preserve the current hashing of client IP addresses.

Configuring a Load Balancer

Follow the steps in this section to configure request load balancing across backend service targets.

Send a POST request to add a load balancer configuration to the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies": {
      "backend-config": [
         {
            "action": {
               "loadBalancing": {
                  "algorithm": "ROUND_ROBIN",
                  "leastTimeMeasurement": "HEADER",
                  "hashKey": "$request_uri",
                  "consistentHashing": true,
                  "randomTwo": true,
                  "randomMethod": "LEAST_CONN"
               }
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`algorithm`	string	One of: [`ROUND_ROBIN`, `LEAST_CONN`, `LEAST_TIME`, `HASH`, `IP_HASH`, `RANDOM`]	The load balancing algorithm to use. Default `ROUND_ROBIN` is used without any configuration.	No	`ROUND_ROBIN`
`leastTimeMeasurement`	string	One of: [`HEADER`, `LAST_BYTE`, `LAST_BYTE_INFLIGHT`]	Optional configuration option for `LEAST_TIME` algorithm. The measurement used to determine `LEAST_TIME`.	No	`HEADER`
`hashKey`	string	Text, variables, and their combinations.	Required configuration option for `HASH` algorithm. Example: `$request_uri`	Semi-optional	N/A
`consistentHashing`	boolean	`true/false`	Optional configuration option for `HASH` algorithm. Uses ketama consistent hashing method.	No	`true`
`randomTwo`	boolean	`true/false`	Optional configuration option for `RANDOM` algorithm. Instructs NGINX to randomly select two servers and then choose a server using the specified `randomMethod`.	No	`true`
`randomMethod`	string	One of: [`LEAST_CONN`, `LEAST_TIME`, `LAST_TIME_HEADER`, `LEAST_TIME_LAST_BYTE`]	Optional configuration option for `RANDOM` algorithm. Specifies which load balancing algorithm to use for a randomly selected server.	No	`LEAST_CONN`

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
To enable a load balancer other than the default round-robin, enable the toggle for Add an alternate load balancer.
Select your Load Balancing Algorithm from the drop-down menu.
- For LEAST_TIME define the Least Time Measurement
- For HASH define the Hash Key and if Consistent Hashing is required.
- For RANDOM set if Random Two should be used and the Random Method load balancing algorithm.
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Keep-Alive Connections

HTTP keepalive (persistent) connections [RFC-2068] are a necessary performance feature that reduce latency and allow web pages to load faster. HTTP uses a mechanism called keepalive connections to hold open the TCP connection between the client and the server after an HTTP transaction has completed. If the client needs to conduct another HTTP transaction, it can use the idle keepalive connection rather than creating a new TCP connection.

If lots of clients use HTTP keepalives and the web server has a concurrency limit or scalability problem, then performance plummets once that limit is reached. It does not take many clients to exhaust the concurrency limit in many contemporary web and application servers and any thread‑ or process‑based web or application server is vulnerable to concurrency limitations.

NGINX uses a different architecture that does not suffer from the concurrency problems described above. It transforms slow client connections to optimized benchmark‑like connections to extract the best performance from your servers. This allows each NGINX process to easily scale to tens, thousands, or hundreds of thousands of connections simultaneously.

Configuring Keep-Alive Connections

Follow the steps in this section to configure HTTP keepalives for your backend service targets.

Send a POST request to add a keepalive connection configuration to the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies" : {
      "backend-config" : [
         {
            "action" : {
               "keepCacheConnectionAlive": 32,
               "keepAliveRequests": 1000,
               "keepAliveTime": "1h",
               "keepAliveTimeout": "60s"
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`keepCacheConnectionAlive`	integer	integer >= `1`	Activates the cache for connections to upstream servers. Sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. When this number is exceeded, the least recently used connections are closed.	No	`32`
`keepAliveRequests`	integer	integer >= `1`	Sets the maximum number of requests that can be served through one keepalive connection.	No	`1000`
`keepAliveTime`	string	Example: `1h`	Limits the maximum time during which requests can be processed through one keepalive connection. Follows NGINX configuration time measurement units syntax.	No	`1h`
`keepAliveTimeout`	string	Example: `60s`	Sets a timeout during which an idle keepalive connection to an upstream server will stay open. Follows NGINX configuration time measurement units syntax.	No	`60s`

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
Go to the Keep-Alive Connection Settings section.
If non-default values are required, enter configuration values for:
- Keep-Alive Max Cache Connections Alive
- Keep-Alive Requests
- Keep-Alive Time
- Keep-Alive Timeout
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Connection Settings

The connection settings can be configured for maximum client request body size, establishing a connection timeout, maximum time for reading a response from the proxied server, or maximum time transmitting a request to the proxied server.

Client Max Body Size

Sets the maximum allowed size of the client request body. If the size of a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.

Connect Timeout

Defines a timeout for establishing a connection with a proxied server. Please note that this timeout cannot usually exceed 75 seconds.

Read Timeout

Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. The connection is closed if the proxied server does not transmit anything within this time.

Send Timeout

Sets a timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. The connection is closed if the proxied server does not receive anything within this time.

Configuring Connection Settings

This section explains how to configure connection settings for your backend service targets.

Send a POST request to add request settings configuration to the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies" : {
      "backend-config" : [
         {
            "action" : {
               "clientMaxBodySize" : "2m",
               "connectTimeout": "30s",
               "readTimeout": "30s",
               "sendTimeout": "30s"
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`clientMaxBodySize`	string	Example: `2m`	Sets the maximum allowed size of the client request body. Follows NGINX configuration file measurement units syntax.	No	N/A
`connectTimeout`	string	Example: `30s`	Sets a timeout for establishing a connection with a proxied server. Follows NGINX configuration time measurement units syntax.	No	N/A
`readTimeout`	string	Example: `30s`	Sets a timeout for reading a response from the proxied server. Follows NGINX configuration time measurement units syntax.	No	N/A
`sendTimeout`	string	Example: `30s`	Sets a timeout for transmitting a request to the proxied server. Follows NGINX configuration time measurement units syntax.	No	N/A

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
Go to the Connection Settings section.
If non-default values are required, enter configuration values for:
- Connect Timeout
- Read Timeout
- Send Timeout
- Client Max Body Size
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Queues

If an upstream server cannot be selected immediately while processing a request, the request will be placed into the queue. The queue configuration specifies the maximum number of requests that can be in the queue simultaneously. If the queue is filled up, or the server to pass the request to cannot be selected within the time period specified in the timeout parameter, the 502 (Bad Gateway) error will be returned to the client.

Configuring a Queue

Follow the steps in this section to configure a queue for your backend service targets.

Send a POST request to add a queue configuration to the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies" : {
      "backend-config" : [
         {
            "action" : {
               "queue" : {
                  "maxNumberOfRequests": 10,
                  "timeOut": "60s"
               }
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`maxNumberOfRequests`	integer	Example: `10`	Maximum number of requests that can be in the queue at the same time. If not set then no queue will be configured.	Yes	N/A
`timeout`	string	Example: `60s`	Sets a timeout for establishing a connection with a proxied server. Follows NGINX configuration time measurement units syntax.	No	`60s`

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
Go to the Queue Settings section.
To configure a queue, enable the toggle for Add a queue.
- Set the Maximum number of requests (required).
- Set the **Queue timeout" (default 60s).
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Buffers

See Also:
See the Module ngx_http_proxy_module topic for more information about the directives mentioned in this section.

When buffering is enabled, NGINX receives a response from the proxied server as soon as possible, saving it into the buffers set by the proxy_buffer_size and proxy_buffers directives.

Depending on the operating system, the proxy_buffer_size directive is 4 KB or 8 KB. This directive sets the buffer size for reading the first part of the response received from the proxied server. This part usually contains a small response header. By default, the buffer size is equal to one memory page.
The proxy_buffers directive controls the size and the number of buffers allocated for a request. Increasing the number of buffers lets you buffer more information.

If the complete response doesn’t fit into memory, a part can be saved to a temporary file on the disk. The default max size of this temporary file is 1024 MB, and the default write size is 8 KB or 16 KB, depending on the operating system.

When configuring proxy buffers, the total size of the proxy_buffers (number * size) must be greater than the size of the proxy_busy_buffers_size minus one buffer. The default proxy_busy_buffers_size is 8 KB or 16 KB, depending on the operating system.

If you get the error [emerg] \"proxy_busy_buffers_size\" must be less than the size of all \"proxy_buffers\" minus one buffer in NGINX in the data plane, it is because the proxy buffer total number and size are configured incorrectly.

Examples

Example valid Proxy Buffers number and size

proxy busy buffers size : 16 KB
proxy buffer number     : 8
proxy buffer size       : 4 KB
total buffer size       : 32 KB

busy_buffers_size < total buffer size - buffer
16 KB < 32 KB - 4 KB
16 KB < 28 KB
True: Valid proxy buffer number & size configuration

Example invalid proxy buffers number and size

proxy busy buffers size : 16 KB
proxy buffer number     : 2
proxy buffer size       : 2k
total buffer size       : 8 KB

busy_buffers < total buffer size - buffer
16 KB < 8 KB - 2k
16 KB < 6k
False: Invalid proxy buffer number & size configuration

Tuning Proxy Buffers Number and Size

When using proxy buffering, we recommend that the complete response from upstream can be held in memory to avoid reading or writing to disk, which is significantly slower.

If the response from upstream arrives fast and the client is slower, NGINX preserves the response in buffers, allowing it to close the upstream connection quickly.

If the allocated buffer size doesn’t allow storing the complete response in memory, it will be stored on disk, which is slower.

Fine-tuning the proxy_buffers number and size depends on the body response size of your application.

To determine the size of the HTML/data returned by a resource, you can use the following command:

curl -so /dev/null https://nginx.org/ -w '%{size_download}'

Set proxy_buffers in a way that it equals the total maximum size of response data.

For example, if the uncompressed body size is 8955 bytes (72 KB), you must set 72 KB worth of buffer size, either 18 4-KB-sized buffers or 9 8-KB-sized buffers.

Configuring Buffers

Follow the steps in this section to configure buffers for your backend service targets.

Send a POST request to add a buffer configuration to the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies" : {
      "backend-config" : [
         {
            "action" : {
               "buffer": {
                  "number": 42,
                  "size": "16KB"
               }
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`number`	integer	integer >= `2`	Sets the number of buffers used for reading a response from the proxied server for a single connection.	Yes	N/A
`size`	string	size >= `1K`	Sets the size of the buffers used for reading a response from the proxied server for a single connection. Follows NGINX configuration file measurement units syntax.	Yes	`60s`

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
Go to the Buffer Settings section.
To configure a queue, enable the toggle for Add a buffer.
- Set the Number of buffers (required).
- Set the Buffer size (required).
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Session Cookies

Enables session affinity, which causes requests from the same client to be passed to the same server in a group of servers. With the cookie method used, information about the designated server is passed in an HTTP cookie generated by NGINX.

A request from a client not yet bound to a particular server is passed to the server selected by the configured balancing method. Further requests with this cookie will be passed to the designated server. If the designated server cannot process a request, the new server is selected as if the client has not been bound yet.

As a load balancing method always tries to evenly distribute the load considering already bound requests, the server with a higher number of active bound requests has less possibility of getting new unbound requests.

Configuring Session Cookies

Folow the steps in this section to configure session cookies for your backend service targets.

Send a POST request to add a session cookie configuration to the API Proxy through the backend-config policy. If any configuration parameters are omitted, the corresponding fields are not set.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies" : {
      "backend-config" : [
         {
            "action" : {
               "sessionCookie" : {
                  "name"       : "auth_cookie",
                  "path"       : "/path/to/set",
                  "expiresIn"  : "1h",
                  "domainName" : ".example.com",
                  "httpOnly"   : true,
                  "secure"     : true,
                  "sameSite"   : "STRICT"
               }
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`name`	string	Example: `auth_cookie`	Sets the name of the cookie to be set or inspected.	Yes	N/A
`path`	string	Example: `/path/to/set`	Defines the path for which the cookie is set.	No	N/A
`expiresIn`	string	Example: `1h`	Sets cookie expiry. If the parameter is not specified, it will cause the cookie to expire at the end of a browser session. Follows NGINX configuration time measurement units syntax.	No	N/A
`domainName`	string	Example: `.example.com`	Defines the domain for which the cookie is set. Parameter value can contain variables.	No	N/A
`httpOnly`	boolean	`true/false`	Adds the `HttpOnly` attribute to the cookie.	No	N/A
`secure`	boolean	`true/false`	Adds the `Secure` attribute to the cookie.	No	N/A
`sameSite`	string	One of: [`STRICT`, `LAX`, `NONE`]	Adds the `SameSite` attribute to the cookie.	No	N/A

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
Go to the Buffer Settings section.
To configure session cookies, enable the toggle for Session Affinity/Cookies Settings.
1. Set the Name of the cookie (required).
2. Set the Path (optional).
3. Set the cookie Expires in (optional). If the parameter is not specified, it will cause the cookie to expire at the end of a browser session.
4. Set the Domain Name (optional).
5. Enable the HTTP Only toggle to add the HttpOnly attribute to the cookie (optional).
6. Enable the Secure toggle to add the Secure attribute to the cookie (optional).
7. Set the Same Site attribute value (optional).
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

NTLM Authentication

Allows proxying requests with NTLM Authentication. The upstream connection is bound to the client connection once the client sends a request with the Authorization header field value starting with Negotiate or NTLM. Further client requests will be proxied through the same upstream connection, keeping the authentication context. When enabled, the HTTP Protocol version is set to 1.1.

Configuring NTLM Authentication

Follow the steps in this section to configure session cookies for your backend service targets.

Send a POST request to enable NTLM authentication for the API Proxy through the backend-config policy.

Method	Endpoint
`POST`	`/services/workspaces/<SERVICE_WORKSPACE_NAME>/proxies`

{
   "policies" : {
      "backend-config" : [
         {
            "action" : {
               "enableNTLMAuthn": false
            }
         }
      ]
   }
}

Field	Type	Possible Values	Description	Required	Default value
`enableNTLMAuthn`	boolean	`true/false`	Enables proxying requests with NTLM Authentication.	No	`false`

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the Policies tab, select Add Policy from the Actions menu for HTTP Backend Config.
Go to the Connection Settings section.
To enable NTLM, enable the toggle for Enable NTLM Authn.
Select Add to apply the backend configuration policy to the Proxy. Then select Save & Publish to deploy the configuration to the API Proxy.

Reference Backend Configuration Policy API Request Body

{
   "policies": {
      "backend-config": [
         {
            "action": {
               "targetBackendPolicyLabel" : "default",
               "keepCacheConnectionAlive": 32,
               "keepAliveRequests": 1000,
               "keepAliveTime": "1h",
               "keepAliveTimeout": "60s",
               "connectTimeout": "30s",
               "readTimeout": "30s",
               "sendTimeout": "30s",
               "clientMaxBodySize": "2m",
               "enableNTLMAuthn": false,
               "loadBalancing": {
                  "algorithm": "LEAST_CONN",
                  "leastTimeMeasurement": "HEADER",
                  "hashKey": "$request_uri",
                  "consistentHashing": true,
                  "randomTwo": true,
                  "randomMethod": "LEAST_CONN"
               },
               "queue": {
                  "maxNumberOfRequests": 10,
                  "timeOut": "60s"
               },
               "buffer": {
                  "number": 8,
                  "size": "8k"
               },
               "sessionCookie": {
                  "name": "auth_cookie",
                  "path": "/",
                  "expiresIn": "1h",
                  "domainName": ".example.com",
                  "httpOnly": true,
                  "secure": true,
                  "sameSite": "strict"
               }
            }
         }
      ]
   }
}