| title | description | author | ms.service | ms.custom | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|
Tutorial - Transform and protect your API in Azure API Management | Microsoft Docs |
In this tutorial, you learn how to protect your API in API Management with transformation and throttling (rate-limiting) policies. |
dlepow |
api-management |
mvc, devdivchpfy22 |
tutorial |
03/15/2022 |
danlep |
In this tutorial, you'll learn about configuring common policies to transform your API. You might want to transform your API so it doesn't reveal private backend info. Transforming an API can help you hide the technology stack info that's running in the backend, or hide the original URLs that appear in the body of the API's HTTP response.
This tutorial also explains how to add protection to your backend API by configuring a rate limit policy, so that the API isn't overused by developers. For more policy options, see API Management policies.
Note
By default, API Management configures a global forward-request policy. The forward-request policy is needed for the gateway to complete a request to a backend service.
In this tutorial, you learn how to:
[!div class="checklist"]
- Transform an API to strip response headers
- Replace original URLs in the body of the API response with API Management gateway URLs
- Protect an API by adding a rate limit policy (throttling)
- Test the transformations
:::image type="content" source="media/transform-api/api-management-console-new.png" alt-text="Policies in portal":::
- Learn the Azure API Management terminology.
- Understand the concept of policies in Azure API Management.
- Complete the following quickstart: Create an Azure API Management instance.
- Also, complete the following tutorial: Import and publish your first API.
[!INCLUDE api-management-navigate-to-instance.md]
This section shows how to hide the HTTP headers that you don't want to show to your users. For example, delete the following headers in the HTTP response:
- X-Powered-By
- X-AspNet-Version
To see the original response:
- In your API Management service instance, select APIs.
- Select Demo Conference API from your API list.
- Select the Test tab, on the top of the screen.
- Select the GetSpeakers operation, and then select Send.
The original API response should look similar to the following response:
:::image type="content" source="media/transform-api/test-original-response-new.png" alt-text="Original API response":::
As you can see, the response includes the X-AspNet-Version and X-Powered-By headers.
This example shows how to use the form-based policy editor, which helps you configure many policies without having to edit the policy XML statements directly.
-
Select Demo Conference API > Design > All operations.
-
In the Outbound processing section, select + Add policy.
:::image type="content" source="media/transform-api/outbound-policy.png" alt-text="Navigate to outbound policy" border="false":::
-
In the Add outbound policy window, select Set headers.
:::image type="content" source="media/transform-api/set-http-header.png" alt-text="Set HTTP header policy":::
-
To configure the set headers policy, do the following:
- Under Name, enter X-Powered-By. Under Action, select delete.
- Select + Add header.
- Under Name, enter X-AspNet-Version. Under Action, select delete.
:::image type="content" source="media/transform-api/set-policy.png" alt-text="Set HTTP header":::
-
Select Save. Two set-header policy elements appear in the Outbound processing section.
This section shows how to replace original URLs that appear in the body of the API's HTTP response with API Management gateway URLs. You might want to hide the original backend URLs from users.
To see the original response:
-
Select Demo Conference API > Test.
-
Select the GetSpeakers operation, and then select Send.
As you can see, the response includes the original backend URLs:
:::image type="content" source="media/transform-api/original-response2.png" alt-text="Original URLs in response":::
In this example, you use the policy code editor to add the policy XML snippet directly to the policy definition.
-
Select Demo Conference API > Design > All operations.
-
In the Outbound processing section, select the code editor (</>) icon.
:::image type="content" source="media/transform-api/outbound-policy-code.png" alt-text="Navigate to outbound policy code editor":::
-
Position the cursor inside the
<outbound>element on a blank line. Then select Show snippets at the top-right corner of the screen.:::image type="content" source="media/transform-api/show-snippets-1.png" alt-text="Select show snippets":::
-
In the right window, under Transformation policies, select Mask URLs in content.
The
<redirect-content-urls />element is added at the cursor.:::image type="content" source="media/transform-api/mask-urls-new.png" alt-text="Mask URLs in content":::
-
Select Save.
This section shows how to add protection to your backend API by configuring rate limits, so that the API isn't overused by developers. In this example, the limit is set to three calls per 15 seconds for each subscription ID. After 15 seconds, a developer can retry calling an API.
-
Select Demo Conference API > Design > All operations.
-
In the Inbound processing section, select the code editor (</>) icon.
:::image type="content" source="media/transform-api/inbound-policy-code.png" alt-text="Navigate to inbound policy":::
-
Position the cursor inside the
<inbound>element on a blank line. Then, select Show snippets at the top-right corner of the screen.:::image type="content" source="media/transform-api/show-snippets-2.png" alt-text="Set inbound policy" border="false":::
-
In the right window, under Access restriction policies, select Limit call rate per key.
The
<rate-limit-by-key />element is added at the cursor.:::image type="content" source="media/transform-api/limit-call-rate-per-key.png" alt-text="Select limit call rate per key":::
-
Modify your
<rate-limit-by-key />code in the<inbound>element to the following code. Then select Save.<rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
At this point, if you look at the code in the code editor, your policies look like the following code:
<policies>
<inbound>
<rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<set-header name="X-Powered-By" exists-action="delete" />
<set-header name="X-AspNet-Version" exists-action="delete" />
<redirect-content-urls />
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
The rest of this section tests policy transformations that you set in this article.
-
Select Demo Conference API > Test.
-
Select the GetSpeakers operation and select Send.
As you can see, the headers have been stripped:
:::image type="content" source="media/transform-api/stripped-response-headers.png" alt-text="Stripped response headers":::
-
Select Demo Conference API > Test.
-
Select the GetSpeakers operation and select Send.
As you can see, the URLs are replaced.
:::image type="content" source="media/transform-api/test-replaced-url.png" alt-text="Replaced URLs":::
-
Select Demo Conference API > Test.
-
Select the GetSpeakers operation. Select Send three times in a row.
After sending the request three times, you get the 429 Too Many Requests response.
:::image type="content" source="media/transform-api/test-throttling-new.png" alt-text="Too many requests":::
-
Wait for 15 seconds or more and then select Send again. This time you should get a 200 OK response.
In this tutorial, you learned how to:
[!div class="checklist"]
- Transform an API to strip response headers
- Replace original URLs in the body of the API response with API Management gateway URLs
- Protect an API by adding rate limit policy (throttling)
- Test the transformations
Advance to the next tutorial:
[!div class="nextstepaction"] Monitor your API