API management policies are an essential tool for managing your APIs efficiently. You can use them to enforce security, apply rate limiting, convert formats and more. And one of the benefits of Tyk is that all this is easy to do.
If you’re ready to get to grips with all aspects of API management (APIM) policies, read on.
What are APIM policies?
API policy management is all about enforcing behaviours. An APIM policy is a set of statements designed to run in a particular order during the API request and response process.
You can use API gateway policies to turn your gateway into an enforcement point for these. This allows you to apply policies across multiple regions while enjoying fine-grained control over single sign-on and role-based access control.
You can use an API management policy within the Tyk Dashboard. You can also extend the Tyk Dashboard permission system through Open Policy Agent, which allows you to write custom rules. This provides fine-grained control over your APIs at API, user, and key levels.
Benefits of API management policy
Before we dive into the different API policy options you have open to you, it’s worth noting the benefits a well-thought-out API management policy can bring to your business.
Enhanced security and efficiency are chief among these benefits. Applying security at the API gateway policy level means you can enforce changes to API keys (or OAuth client IDs) en masse by modifying a single policy – rather than individual keys.
API policy management can deliver operational and performance benefits, too. You can manage traffic through policies to ensure your services aren’t overwhelmed. Plus, it’s an easy way to manage tiered access to your services, where clients pay for different volumes of API calls (for example).
Types of API management policies
Let’s put all this into context with some APIM policy examples.
We will look at a key-level approach to API policy management here, but remember that you can also apply an API policy at the user and API level if that suits your needs better.
Let’s say you want to apply several security options to an API key. By using a Tyk security policy, you can easily do so through the Tyk Dashboard. The policy serves as a template that you can use to override individual sections of an API key (or identity), setting areas such as:
- Access lists (for both APIs and versions)
- Access lists providing granular control over method and path
- Rate limits
You can also add tags and metadata using a security policy.
It’s possible to break down an API management policy so that only some elements apply to an API key. With Tyk, you can do this through partitioning. Let’s say you want to manage access control across all users but then set rate limits and quotas at the user level – partitioning a policy makes quick work of this.
Rate limiting policy
Applying an API policy to manage rate limiting means you can protect your API. You can apply a rate limit (and quota) to each user’s access to ensure that you control traffic peaks (and volumes) in a way that ensures the positive performance of your API in the face of fluctuating demand. This is done by limiting the number of requests your API will accept within a specified period.
In addition to using a rate-limiting policy, you can also use an API gateway policy to throttle traffic. This further supports the performance of your API by dealing with spikes in traffic efficiently and fairly. With a throttling policy, you can queue requests, specify the number of retries and set the delay between retries.
Other types of API management policy
We mentioned above that you can use Open Policy Agent (OPA) to write custom rules that extend the permissions system of the Tyk Dashboard. The OPA rules sit on top of your dashboard API when you do so. This means you can control the behaviour of all dashboard APIs (except your public developer portal) and access rules.
This extended API policy management functionality allows you to implement additional rules. You could, for example, set an APIM policy to deal with all APIs for which the target URL does not point at the internal domain by enforcing an HTTP proxy option.
Another example is the ability to control access to individual fields. This means you can disallow things like changing an API’s ‘active’ status unless specific permission is set that allows this or read and write permissions for your APIs.
API management policy components
There are various components that relate to API management policy. While we’re not taking a deep technical dive into these right now (you can hop across to the policies guide in the Tyk Docs), it’s worth understanding some of the terminology you may encounter when using Tyk policies and OPA. Specifically:
- Deny rules – these are the main building blocks for controlling access. They can return detailed and dynamic errors in the case of rejection.
- Patch requests – you can use these to modify requests and responses with a JSON merge patch format.
- Rego – this is a high-level declarative language used in OPA. It allows you to specify policy as code and use simple APIs to offload decision-making related to policies from your software. Using it means that your policies are easy to read and write.
Creating and applying policies
We’ve looked at why you might want to apply API policies and some of the policies you can use. Now, let’s turn to how to create and apply an API management policy.
With Tyk Cloud and Tyk Self-managed, you can enjoy easy policy creation in the Dashboard. Our video walkthrough shows just how easy this is. You can choose your API, and set limits, quotas and path-based permissions, all in a few clicks. You can also set a key expiry period (if you wish) and pop in tags and metadata. Name your policy, and you’re done!
After that, you can set keys against the policy, again with just a few clicks. Then, if you need to change your policy, you can do so within the Tyk Dashboard, and the change will apply to all keys set against that policy.
If you’re using Tyk’s open source API gateway through Tyk Open Source (rather than the Tyk Cloud or Tyk Self-Managed options), then the APIM policy creation process is slightly different. In that case, you can create or edit the /policies/policies.json file. In that, you simply add the policy object to the object array and then define your policy with an ID, name, access rights, rate limits, security profile and so on.
Monitoring and troubleshooting API policies
As with any aspect of API management, it’s important to monitor and troubleshoot your API policies to ensure that everything is working as it should be. This applies regardless of the particular API management architectural and deployment patterns that you use, as monitoring is a fundamental part of ensuring the healthy functioning, performance and availability of your APIs.
Monitoring your API gateway policies can be both proactive and reactive and is tied in with your overall approach to API monitoring and troubleshooting. Your traffic management monitoring, for example, can provide a clear indication of whether the policies you’re using to shape your traffic are working as they should be. Likewise, the real-time identification of any anomalies that could indicate a security breach can serve as a driver to troubleshoot any issues with your security policy or at least to review it to consider whether any fine-tuning is necessary.
Troubleshooting will, of course, depend on the nature of the issue(s) that you are facing with your particular API management policy. That said, you can easily change policies within Tyk Dashboard and with Open Policy Agent, so any tweaks you need to make are only ever a few clicks away.
Best practices for managing APIs with policies
Managing your APIs with policies can better enable you to ensure that your APIs are secure, functioning as intended and performing reliably. However, that doesn’t mean you should leap straight in and start creating policies without having a plan in place for what you intend to achieve by implementing those policies.
That plan is the first step in taking a best-practice approach to managing APIs with policies. By mapping out what you intend to achieve and how your API management contributes to that, you can ensure your policies support fair usage of your APIs, enforce the precise level of access control you require and so on.
Truly harnessing the power of API management policies will turn your attention to best practice recommendations at the policy level. We can use an API security policy as an example of this. If you’re using a security policy to ensure proper authentication and authorisation mechanisms are in place, then best practice dictates you will need to embrace OAuth2.0 and role-based access control to ensure your processes are robust.
In the case of rate limiting, it’s time to focus on how you set those limits. Do you divide your users into different tiers with different limits, as many software as a service (SaaS) businesses do these days? If so, you’ll need to align your rate limits with the levels you’ve set for your different user plan tiers to ensure that everyone can use your API in line with the service they’re paying for.
You’ll also need to think about policies from an overall operational level. How well protected are your services from threats such as distributed denial of service (DDoS) attacks, for example? You can factor considerations such as this into your API policy management approach to protect your APIs and broader business operations, as well as more granular usage aspects.
These examples show the importance of taking a step back and thinking about your policies before implementing them. API management policies have the power to affect every single one of your users, so that means you need to get them right! This means thinking about which behaviours the policy will enforce and the level (API, user or key) at which it will enforce them.
Get started with Tyk to manage your API policies efficiently
If you’re looking for a slick, efficient API policy management solution, Tyk can certainly help. You can chat with our team about managing policies through the Tyk Dashboard or with OPA or trial Tyk for free (no credit card required) to see how easy it can be to manage all aspects of the API experience.