Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Support validation of SOAP messages

    When protecting back end SOAP services it's desirable to filter out invocations where the incoming message is not valid according to the WSDL describing the service. Customers would benefit from a mechanism to trigger validation against the schema such as extending the validate-content policy.

    This is important for migration scenarios where customers are migrating from gateway products that currently perform schema validation.

    38 votes
    2 comments  ·  Policies
  2. Support XSD Schema Validation

    It would be good to have a built-in policy that allows either the request body or explicitly specified content (such as a variable or property) to be validated against a specified XSD schema.

    24 votes
    1 comment  ·  Policies
  3. Define custom C# method and class in APIM Policy

    It is very useful to write C# syntax in APIM Policy. But from the viewpoint of reusability of code snippets, I'd like to define custom C# methods and classes in APIM Policy.

    API Management policy expressions
    https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#syntax

    Currently, we have to write the same C# code in each section (inbound, outbound, backend, on-error) in APIM Policy.
    If we can define custom C# methods and classes and call these in any policy section, we can simplify the APIM policy content and it becomes easy to develop it.

    18 votes
    0 comments  ·  Policies
  4. Support Brotli compression in policy expressions

    API Management policies cannot access a Brotli-compressed HTTP response body, e.g. to read it as JSON. In case the backend server responds with a br-compressed message the policy which attempts to read the body throws an exception saying the response body is unreadable.
    When using the "test" tab in Azure Portal the trace shows a message like:
    compression (0.087 ms)
    'Compression 'br' not supported'
    However, the test tab itself by default sends requests with the following header:
    {
    'name': 'Accept-Encoding',
    'value': 'gzip,deflate,br'
    }

    Please add brotli (de)compression to API Management policies.

    59 votes
    0 comments  ·  Policies
  5. Allow ip-filter to leverage ServiceTags

    Currently the ip-filter policy requires explicitly set IP addresses or ranges. It would be useful to allow the ip-filter to accept Azure Service Tags as the value so large IP ranges don't have to be entered manually (and kept up-to-date on a weekly basis).

    A specific use-case is restricting API Management to only accept traffic from Front Door. Of course, this can be done with VNET integration of a premium tier APIM and an NSG, but VNET integration is not always the best deployment model (and not everyone needs premium tier).

    This post shows can App Services makes use of Service…

    15 votes
    0 comments  ·  Policies
  6. Support producing elements with namespace by json-to-xml policy.

    Currently, the json-to-xml policy doesn't support producing elements with namespaces. The formats that can be converted are very limited now.
    It would be better if this policy supported producing elements with namespaces.

    9 votes
    0 comments  ·  Policies
  7. Use wildcard domain as origin for cors policies

    Allow all subdomains to origin on cors policy

    eg: <origin>*.domain.com</origin>

    69 votes
    2 comments  ·  Policies
  8. Support something like "Java Callouts" in Apigee

    Provide the ability to write custom policy expressions. Looking for something like https://docs.apigee.com/api-platform/samples/cookbook/how-create-java-callout in Azure API Management. Right now we would have to do this through an Azure function, but it would be helpful if this was provided as a feature.

    2 votes
    0 comments  ·  Policies
  9. validate-client-certificate policy should not be limited to only 10 identities

    When using the validate-client-certificate policy in APIM, I get an error when adding more than 10 identity elements to the identities.
    The documentation doesn't mention such limitations:
    https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#validate-client-certificate

    Is there another way to do this?

    My Policy looks like this

    <policies>
        <inbound>
            <base />
            <validate-client-certificate validate-revocation="true" validate-trust="true" validate-not-before="true" validate-not-after="true" ignore-error="false">
                <identities>
                    <identity common-name="common_name1" />
                    <identity common-name="common_name2" />
                    <identity common-name="common_name3" />
                    <identity common-name="common_name4" />
                    <identity common-name="common_name5" />
                    <identity common-name="common_name6" />
                    <identity common-name="common_name7" />
                    <identity common-name="common_name8" />
                    <identity common-name="common_name9" />
                    <identity common-name="common_name10" />
                    <identity common-name="common_name11" />
                </identities>
            </validate-client-certificate>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>

    3 votes
    0 comments  ·  Policies
  10. Policy to remove X-Forwarded-For header from outbound requests

    When using API Management as an outbound forward proxy, the X-Forwarded-For header exposes internal IP addresses via this unalterable header. Currently, APIM will always append its own internal IP address when sending a request to the backend. "set-header" on the inbound policy does not delete the XFF header for the outgoing backend request from APIM.

    8 votes
    0 comments  ·  Policies
  11. Be able to ignore backend "host/port" when caching responses.

    It seems that a cache hit will miss if the response previously stored in the cache was served by another backend (host/port combination).

    In fact backend "host/port" seems to be part of the key of the cache.

    Using multiple hosts and/or ports for the same backend destination is often helpful (for example when targeting different backends, or if you meet SNAT port exhaustion when all requests go to the same backend, etc.).

    Currently, the efficiency of the cache is divided by the number of backends ("host/port" combinations) you use.

    An option to cache whatever the backend used (or a…

    1 vote
    0 comments  ·  Policies
  12. Support for multiple CORS policies

    I want to specify CORS policies on global and on Product Level. Globally to allow the API developer portal and on API product level to allow only specific frontends.
    In the end, both, the developer portal and the browser apps shall be able to call the API. Therefore both CORS policies must be applied.

    Currently only 1 CORS policy is applied, the other one is ignored, dependent on where I set the base tag on the Product Policy level.

    3 votes
    0 comments  ·  Policies
  13. validate-content truncates milliseconds from the body or variable.

    Hi,

    When a body is currently received with a string which represents a datetime everything is working fine but whenever there are milliseconds involved that end with a 0 they are being truncated.

    I've done some digging and it's happening when the body is being parsed as an application/json content-type to validate the content using the policy.

    2021-05-26T12:54:40.180Z changes into 2021-05-26T12:54:40.18Z
    2021-05-26T12:54:40.100Z changes into 2021-05-26T12:54:40.1Z
    and vice versa.

    We have a strict date format defined for the whole project and also have validation regexes to make sure all dates are in line.

    I tried a lot of policies, parsing myself but the…

    3 votes
    0 comments  ·  Policies
  14. Support code only policies

    Allow us to develop policies using code alone, maybe using a language like C#

    The objective would be to use only C# (or ASP.NET (Core)) to write policies with code from scratch anywhere and maybe opening it a bit more to allow more .NET framework types than just these:
    https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#CLRTypes

    18 votes
    0 comments  ·  Policies
  15. <cache-lookup-value/> on a miss does not set variable.

    According to documentation if <cache-lookup-value/> results in a cache miss and default-value is omitted it should add variable with null value.

    Currently policy is not adding variable with null value.

    Change functionality or documentation.

    Documentation issue: https://github.com/MicrosoftDocs/azure-docs/issues/75289

    3 votes
    0 comments  ·  Policies
  16. Generate APIM Policy code dynamically to improve re-usability

    Currently, APIM Policy expressions can be used in named values, which helps in repetitive computations for various policies. It would be great if policy code could also be generated dynamically, stored in a variable, and that variable invoked wherever required (like dynamic SQL queries, where we generate queries dynamically and invoke them as required).

    Ex: We have to use below code snippet multiple times in the policy.

    <choose>
    <when condition="@((bool)context.Variables["IsRequestEnabled"] == true)">
    <set-variable name="message" value="Invalid request with 401-Unauthorized status" />
    <set-variable name="status" value="401" />
    <set-variable name="tag" value="APIM.Policy.Exception" />
    <set-variable name="level" value="2" />
    <!-- Log invalid request details -->…

    7 votes
    0 comments  ·  Policies
  17. Increase Consumption tier, policy document size (currently is limited to 16 KiB)

    We are nearing go live and we hit the base policy document limit. It is very limiting for the consumption tier.

    1 vote
    0 comments  ·  Policies
  18. Expose the code base of inbuilt methods in Azure APIM Policy expression

    I was using the policies on Azure APIM, and was trying to use the Decrypt method, which is listed as a method to be used (I was using AES).

    Yet, it was not working as planned, and there is no documentation or sample on how to use the method (other than the method definition online).

    I had to create a Microsoft ticket to be able to debug and know how to use this method properly for decryption.

    A support engineer mentioned that the code base for the methods allowed in APIM is in a Git repo, but those are unfortunately private to…

    1 vote
    0 comments  ·  Policies
  19. Allow authentication-basic in the send-request policy

    We often have the case that we need to secure our external calls with basic auth.

    We do something like this:

    <send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
        <set-url>XXXXXXXXXX</set-url>
        <set-method>POST</set-method>
        <set-header name="Authorization" exists-action="override">
            <value>Basic XXXXX=</value>
        </set-header>
    </send-request>

    What we would need is something like this:

    <send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
        <set-url>XXXXXXXXXX</set-url>
        <set-method>POST</set-method>
        <authentication-basic username="username" password="password" />
    </send-request>

    Of course we would extract the password out of our key vault.

    regards
    Stefan

    3 votes
    0 comments  ·  Policies
  20. Allow deletion of HTTP headers using name pattern-syntax in set-header policy

    As of today, headers in an HTTP Request or Response can only be deleted individually by specifying their exact name in a set-header policy element. While this might work well in simple cases, it will become cumbersome and hard to maintain when multiple headers should be removed based on a certain naming pattern or a certain base name.

    Example 1

    Due to security reasons and in order to avoid information leakage, a given API should not return any proprietary headers starting with X-. This cannot be expressed in a sane way as of today. There needs to be one set-header

    4 votes
    0 comments  ·  Policies