
Lab 2: Apply Policies
Overview
API Manager is an API policy management and governance tool that is integrated with the Mule runtime. In this lab, you will use the secure connection between the Omni Channel API in Runtime Manager and API Manager to configure policies that let you manage security, quality of service, and compliance for your APIs.
In the last lab we deployed an Anypoint Gateway for Mythical Corp's Omni Channel API on CloudHub. Now you can:
- Manage security and enforce policies
- Manage contracts associated with that API
This makes it easy for the API manager to understand how the API is performing, how it’s being used and by whom, and for the API Administrator to identify potential issues before they arise.
In this lab you will apply policies to your proxy gateway for Mythical Corp’s Omni Channel API. API Manager provides many out-of-the-box (OOTB) policies related to compliance, quality of service and security. In addition, you can add your own policies.
Step 1: Apply Rate Limiting Policy
To test policy management, you will add a Rate Limiting Policy to the API.
- Go to the Omni Channel API Administration page.
- Click the Policies tab under the API definitions.
- Click the Add Policy button.
- Select the Rate Limiting Policy, and then click Next.
- Enter a maximum of 3 requests per 1 Minute as shown and click Apply.
You can apply the policies to all or to specific methods and resources.
Make sure you set the Time Period to Minutes to see the rate limit take effect.
- You should see the Rate Limiting policy now under API-level policies.
- Wait for a minute (the API Gateway receives policy updates every 60 seconds by default). You can also verify that your API has received the new policy by looking at the logs: open the Logs tab in Runtime Manager for your application and look for a log message from com.mulesoft.module.policies similar to the following:
- Test the API using Postman or any other API testing tool and access your Proxy URL with /products/search added at the end (e.g. http://<username>-proxy-omni-channel.us-e2.cloudhub.io/products/search).
- Test it again by pressing the Send button 3 times.
- On the 3rd invocation you will get an error message indicating Quota has been exceeded. This demonstrates that your Rate Limiting policy has been applied.
- Remove the Rate Limiting Policy by clicking the Remove button.
Did you REMOVE the Rate Limiting policy?
Step 2: Create SLA Tiers
In the API manager, access can be based on SLA Tiers set by the API owner. However, this is optional. As we demonstrated in the previous step, it is possible to provide access without any SLA tiers. An API owner can establish pre-defined SLA tiers that consumers can view and choose from when they request access to the API. If no SLA tiers are defined for an API, the application owner can request access without an SLA tier.
Let’s define a new SLA tier for your API version.
- Click Add SLA tier.
You are going to set up 3 SLA tiers:

Tier       Approval    Throughput   Period
Trial      Automatic   1            Minute
Gold       Manual      10           Second
Platinum   Manual      100          Second

- Fill in the fields to configure your tier.
- Give the tier a Name.
- Indicate whether application access Approval at this tier level should be automatic or require manual approval.
- Define the Limits by indicating the number of requests allowed per time period.
- Click Add to save your tier.
- Repeat for all the tiers shown above.
Your SLA tier is displayed with all of the information that you just defined. In addition, there is a column indicating how many applications are registered on that tier. You can also edit or delete the tier using the links in the row.
Be sure you select the correct policy version according to the Mule version you are using.
Step 3: Add a Rate Limiting SLA-based Policy
To enforce SLA tiers, you need to apply a rate-limiting or throttling policy that is SLA-based. These policies require all applications that consume your API to register for a specific tier. Their client credentials will be required for each API call so that Anypoint Platform can properly enforce the contracted tier.
Let’s apply a rate-limiting policy to your endpoint.
- Click the Policies link in the left menu and the Add Policy button to view the list of available policies for your organization.
- Select the Rate limiting - SLA based policy, select the latest version under Advanced Options and click Apply.
- Note that the Client ID Expression value is filled with the following expression: #[attributes.headers['client_id']]. Leave it like this.
- Note that the Client Secret Expression value is filled with the following expression: #[attributes.headers['client_secret']]. Leave it like this.
Please note the following for other use cases: depending on the policy that you select, you may need to provide further configuration.
If the policy that you wish to apply is greyed out, it is not eligible to be applied to your endpoint. Either:
- You already have another policy applied which fulfills the same requirement (see the Fulfills filter)
- The policy that you want to apply requires that another policy be applied first (see the Requires column)
To remove policies, you can click Remove. The policies are immediately removed from your endpoint. Note that if you wish to reapply the policy, you need to configure it again. Your previous configuration is not saved.
Users can also edit applied policies.
Step 4: Request Access for the API
Remember that the APIs are designed to be discoverable and self served. That’s why we need to go to the Exchange Portal to request access.
- Go to Exchange and select the Omni Channel Experience API.
- Press the Request Access button at the top right.
You can see in the Versions panel that another instance has been added. That is the application we deployed.
- A popup window will appear.
- In API Instances, select your API.
- In Application, choose Create a new Application.
- Complete the new application dialog as shown below (you must create a unique application name such as mtm iPhone Application). When finished, click Create.
Since we have tiers associated with our API, we also need to select a tier.
- Choose the API Instance you deployed.
- Choose the Trial tier.
- Click on the Request Access button.
- By default, all API requests will be approved for the Trial SLA tier. You'll see your Client ID and Client Secret.
RECORD these values as you will use them in the next step to invoke the API.
- In Exchange you can click on My Applications to access all your registered applications.
- Click on My Applications. You will find the application you've just created.
- Go to your email.
- You should see the registration email below indicating you have been auto-approved.
If you set your tiers for manual approval, email notifications are sent to you when developers request access for their applications. You can review the applications on the Applications tab and approve, reject, or revoke requests. If a developer asks to change tiers, you can also review the change request and approve the application for the new tier or reject the change request.
Step 5: Test the API
You will now test the Omni Channel Experience API.
- Test the API again using Postman or any other API testing tool and access your CloudHub URL with /products/search. For example: http://<username>-proxy-omni-channel.us-e2.cloudhub.io/products/search.
- You should see the response:
Invalid client id or secret
This is because the Rate Limiting - SLA based policy is applied and the request carries no client credentials.
Step 6: Test the API with Credentials
- Add client_id and client_secret to the request headers.
You should now be able to access the product information because you supplied your application credentials.
- Execute the test again and you'll see you have exceeded the Rate Limit for the Trial tier.
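As an added example (not part of this lab or of API Manager's own code), the following Python model shows what the SLA-based policy from Step 3 enforces and why Steps 5 and 6 behave as they do: it reads client_id and client_secret from the request headers, checks them against the registered applications, and applies the contracted tier's limit from the table in Step 2. The tier limits, the contracts and the credential values are constructed placeholders, and the class and its clock parameter are hypothetical.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed SLA tiers mirroring the lab's table: tier -> (max requests, window in seconds)
TIERS = {"Trial": (1, 60), "Gold": (10, 1), "Platinum": (100, 1)}

# Constructed contracts (placeholder credentials, not real Anypoint values):
# client_id -> (client_secret, tier the application registered for)
CONTRACTS = {
    "trial-app-id": ("trial-app-secret", "Trial"),
    "gold-app-id": ("gold-app-secret", "Gold"),
}


class SlaRateLimiter:
    """Simplified, hypothetical model of the 'Rate limiting - SLA based' policy."""

    def __init__(self, contracts=CONTRACTS, tiers=TIERS, clock=time.monotonic):
        self.contracts, self.tiers, self.clock = contracts, tiers, clock
        self.windows = defaultdict(deque)  # client_id -> timestamps of counted requests

    def handle(self, headers):
        """Return (status, body) for one request given its HTTP headers."""
        # The policy reads #[attributes.headers['client_id']] and ['client_secret'];
        # header names are case-insensitive, so normalise them before the lookup.
        h = {k.lower(): v for k, v in headers.items()}
        client_id, secret = h.get("client_id"), h.get("client_secret") or ""
        expected_secret, tier = self.contracts.get(client_id, ("", None))
        # Compare the secret with hmac.compare_digest rather than == (constant time).
        if tier is None or not hmac.compare_digest(expected_secret, secret):
            return 401, "Invalid client id or secret"
        limit, window = self.tiers[tier]
        now = self.clock()
        stamps = self.windows[client_id]
        while stamps and now - stamps[0] >= window:  # forget requests outside the window
            stamps.popleft()
        if len(stamps) >= limit:
            return 429, "Quota has been exceeded"
        stamps.append(now)
        return 200, "product search results"
```

A request with no headers or a wrong secret is rejected before any counting happens, so unauthenticated callers cannot consume a registered application's quota.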
Summary
In this lab, we completed the following steps:
- Apply a Rate Limiting policy
- Create SLA tiers
- Add a Rate Limiting SLA-based policy
- Request access for the API
- Test the API without credentials
- Test the API with credentials
We saw the capabilities around managing APIs and applying policies to enforce security and governance around your API giving you better control. We easily applied rate limiting policies and added SLA tiers giving you the ability to scale with easier management and operations. We created a basic API portal for providing easy access to your APIs and we tested how to use consumer credentials to access your APIs that were provisioned based on SLAs.
Go Further:
- Learn more about Applying Runtime Policies
- Learn more about security policy configurations
- In addition to the OOTB policies you saw in this lab, you can also Create Custom Policies
- Learn more about Managing API Versions
- Learn more about SLA Tiers
Congratulations! You have completed Lab 2.
Please proceed to Lab 3