Set Up Policies

Learn how to use NGINX Management Suite API Connectivity Manager to set up policies for your API Gateway and Developer Portal clusters and API Proxies.


This documentation applies to NGINX Management Suite API Connectivity Manager 1.1.0 and later.

Overview

In NGINX Management Suite API Connectivity Manager (ACM), you can apply global policies to API Gateway and Developer Portal clusters to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.


Before You Begin

Complete the following prerequisites before proceeding with this guide:

  • API Connectivity Manager is installed, licensed, and running.
  • You have one or more Environments with API Gateway or Dev Portal clusters.

How to Access the User Interface

This guide provides instructions for completing tasks using the NGINX Management Suite API Connectivity Manager user interface (UI).

To access the UI, go to the FQDN of your NGINX Management Suite host and log in. On the Launchpad menu, select “API Connectivity Manager.”


Set Up Global Policies

Global Policies are configured at the environment level and apply to all clusters and proxies within the environment.

The following table shows the available Global Policies you can use when creating a new cluster.


Legend:

  • = Supported
  • = Not supported
  • = Applied by default
Policy Name HTTP Environment gRPC Environment Applied On Description
Error Response Format Outbound Configure the Error Response Format policy to customize the HTTP error codes and error messages.
Log format Outbound Use the Log Format global policy to generate detailed access logs in JSON (default) or syslog format. Among the settings you can select, use the filter to fine-tune what gets logged, set the log destination, and adjust the log severity level to specify the type of errors to log.
OpenID Connect Relying Party Inbound Secure access to your APIs with an OpenID Connect (OIDC) policy. This policy configures the API gateway proxy as a relying party for authenticating users with an OIDC provider.
Proxy Response Headers Inbound Customize the Proxy Response Headers policy to include or exclude headers in the proxy response. By default, the standard headers are included in the response. In addition, you can specify whether the header is always included regardless of the response code. You can also add custom headers and values to include in the response.
Request Body Size Limit Inbound Prevent Denial-of-Service (DoS) and other types of attacks by limiting the request body size. Customize the policy to configure the max payload size the API gateway proxy cluster can accept; the default limit is 1 MB. The API gateway proxy blocks requests exceeding the limit, while returning the configured error code. Set the max size to 0 to disable checking the request body size.
Request Correlation ID Inbound Apply the Correlation ID policy to add a unique identifier to each request entering the application. You can use this unique ID to trace end-to-end transactions moving through components in a distributed system. The policy uses x-correlation-id as the default HTTP header name, or you can provide a custom header value.
TLS Backend Backend Secure the communication between the API gateway proxy and the backend API service by enabling and customizing the TLS backend policy. When mTLS is enabled, the API gateway proxy identifies itself to the backend service using an SSL client certificate.
TLS Inbound Inbound Secure inbound connections with the TLS inbound policy. Enable mTLS for secure bidirectional communication.

To manage Global Policies, take the steps below:

  1. In the ACM user interface, go to Infrastructure > Workspaces > Environments.
  2. Select the Environment that holds the cluster that you want to configure, then select the Cluster name.
  3. Select the Manage icon for the cluster that you want to configure.
  4. Select the Global Policies tab.
  5. Add, Edit, or Remove as desired.
  6. Save and Submit your changes.

Add a Policy

Take the steps in this section to add a new policy to a cluster.

  1. Go to Manage > Global Policies for the cluster.
  2. Select Add Policy from the policy’s Actions menu.
  3. Complete the form provided to configure the policy, then select Add.
  4. Save and Submit your changes.

Edit a Policy

To edit a policy, take the steps below.

  1. Go to Manage > Global Policies for the cluster.
  2. Select Edit Policy from the policy’s Actions menu.
  3. Edit the policy as needed.
  4. Select Save and Save and Submit.

Remove a Policy

To remove a policy, take the steps below.

  1. Go to the Global Policies tab for the cluster.
  2. Select Remove Policy from the policy’s Actions menu.

Set Up API Proxy Policies

The following table shows the available API Proxy Policies you can use when creating an API gateway cluster.


Legend:

  • = Supported
  • = Not supported
  • = Applied by default
Policy Name HTTP Proxy gRPC Proxy Applied On Description
Access Control Routing Inbound Restrict access to your application servers based on JWT claims or header values.
ACL Consumer Restriction Inbound Protect your upstream TCP application servers by denying/allowing access from certain consumers client IDs or authenticated JWT claims.
ACL IP Restriction Inbound Protect your upstream TCP application servers by denying/allowing access from certain client IP addresses or CIDR blocks
Allowed HTTP Methods Inbound Restrict access to specific request methods and set a custom response code for non-matching requests.
APIKey Authentication Inbound Secure the API gateway proxy by adding an API key.
Backend Config Inbound Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource usage.
Backend Health Check Backend Perform regular health checks to the backend API service to avoid and recover from server issues. Customize the policy with your desired thresholds.
Basic Authentication Inbound Restrict access to APIs by requiring a username and password.
CORS Inbound Configure cross-origin resource sharing (CORS) to control resource access from outside domains.
JSON Web Token Assertion Inbound Secure your API gateway proxy with JSON web token verification.
OAuth2 Token Introspection Inbound Secure your API gateway proxy with OAuth2 Tokens.
Proxy Cache Outbound Enable and configure caching to improve the performance of your API gateway proxy.
Proxy Request Headers Backend Configure the headers to pass to the backend API service.
Rate Limit Inbound Add rate limits to limit incoming requests and secure API workloads.

Any Global Policies will automatically be applied when you add an API Proxy. You can also configure any of the optional policies at the proxy level.

To manage Proxy Policies, take the steps below.

  1. In the ACM user interface, go to Services > Workspaces > Proxies.
  2. Select Edit Proxy from the Actions menu for the Proxy that you want to configure.
  3. Select the Policies tab.
  4. Add, Edit, or Remove as desired.
  5. Save and Publish your changes.

Add a Policy

Take the steps in this section to add a new policy to a cluster.

  1. Go to Edit Proxy > Policies.
  2. Select Add Policy from the policy’s Actions menu.
  3. Complete the form to configure the policy, then select the Add button.
  4. Save and Submit your changes.

Edit a Policy

Take the steps below to edit a policy.

  1. Go to Edit Proxy > Policies.
  2. Select Edit Policy from the policy’s Actions menu.
  3. Edit the policy as needed.
  4. Select Save, then Save and Publish.

Remove a Policy

To remove a policy, take the steps below.

  1. Go to Edit Proxy > Policies.
  2. Select Remove Policy from the policy’s Actions menu.