Policies
You can create rate-limiting and error code policies to safeguard your APIs against attacks and monitor malfunctions. Rate limiting is an effective measure to protect your APIs.
Policies features
Under the Policies section of the Monitor and Analytics functionality, the platform-admin, api-product-manager and api-developer of the organization can:
- Create policies related to Request Limit, Request Limit (IP Blocking) and Error Code
- Attach policies to APIs on the API level or Organization level
- Search for the policies created
- Filter policies based on their type
- Check how many APIs inherit a particular policy
- Edit a policy, detach and delete it
To use policies, follow the sections below.
Create Policy
To create a policy:
- First, access Monitor & Analytics → Monitors and Policies
- Switch to Policies
- Click Create Policy
- In the popup shown, select the policy type.
There are three types of policies. To create each of them, follow the instructions in the sections below:
Info
Fields with asterisk (*) are mandatory.
Request Limit
The Request Limit (rate limit) policy allows the provider to limit the maximum number of API calls within a period.
For example, if you want a consumer to call the API 10 times per minute, you would apply a rate limit to their API expressed as "10 requests per 60 seconds", since the limit is calculated in requests per second.
While creating the policy, once you've selected Request Limit, fill in the following details in the popup shown:
- Policy Name: Specify the name of the policy.
- Request Threshold: Set the maximum number of requests allowed within a specific time period.
- Period: Select the time period (hour, day, or month) for the request threshold limit.
- Recovery Time: If a rate limit is triggered, specify the duration in seconds for the IP to recover.
- Notify: Enter an email address to receive a notification if the policy is triggered.
Request Limit (IP Blocking)
This policy allows administrators to block traffic from specific IP addresses. This can be useful for mitigating attacks, such as Distributed Denial of Service (DDoS) attacks, or for blocking malicious activity.
When you select this type of policy, you get one additional field: whether to block the IP address permanently or not.
- By default, Permanent blocking is set to No.
- If you need to block the IP address permanently, select Yes.
Error Code Notification
An API can return an error for a request in a number of situations; for example, common API errors are 400 Bad Request, 401 Unauthorized, or 500 Internal Server Error, which can be caused by issues in the endpoint, incorrect parameters, and so on.
In this case, the administrator or product manager might want to send automated error notification emails. To do so, you need to create the Error Code Notification policy. For that:
- First, enter the Policy name
- Define the Error code series such as 400, 401, 408, 500, and 502
- Set the Occurrence threshold
- Then select the Period: Hourly | Day | Month
- After that, enter the emails in the Notify field
- Click Create Policy
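To make the two notifying policy types concrete, here is an added Python model of a Request Limit policy (threshold, period, recovery time) and an Error Code Notification policy (error code series, occurrence threshold, period). This is example code written for this page, not the platform's own implementation; the counting semantics (a sliding window per client, one notification per burst) are assumptions, since the page does not specify how the platform counts.

```python
from collections import deque


class RequestLimitPolicy:
    """Request Limit: at most `threshold` requests per client within `period`
    seconds; a client that exceeds it is refused for `recovery` seconds
    (the Recovery Time field). Sliding-window counting is an assumption."""

    def __init__(self, threshold, period, recovery):
        self.threshold, self.period, self.recovery = threshold, period, recovery
        self.hits = {}            # client -> deque of recent request times
        self.blocked_until = {}   # client -> time at which recovery ends

    def allow(self, client, now):
        """Return True if the request made at time `now` may proceed."""
        until = self.blocked_until.get(client)
        if until is not None:
            if now < until:       # still inside the recovery period
                return False
            del self.blocked_until[client]
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.period:   # drop requests outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[client] = now + self.recovery   # policy triggered
            q.clear()
            return False
        q.append(now)
        return True


class ErrorCodePolicy:
    """Error Code Notification: notify once `threshold` responses whose status
    is in `codes` are observed within `period` seconds."""

    def __init__(self, codes, threshold, period):
        self.codes, self.threshold, self.period = set(codes), threshold, period
        self.errors = deque()     # times of matching error responses

    def record(self, status, now):
        """Record a response; return True when a notification should be sent."""
        if status not in self.codes:
            return False
        while self.errors and now - self.errors[0] >= self.period:
            self.errors.popleft()
        self.errors.append(now)
        if len(self.errors) >= self.threshold:
            self.errors.clear()   # reset so one burst yields one e-mail
            return True
        return False
```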
Attach Policy
You can attach the policies you create at the API and Organization level. This lets you apply a policy at scale and keep track of the number of APIs using it.
Detach Policy
You can easily detach policies applied to APIs.
Edit & Delete Policy
You can edit and delete the policy.