API Manager Policies: Which Layer Should You Choose?
Learn which API Manager policies work best for each layer of your APIs. A guide to reducing complexity while maintaining effective governance.
The Challenge of Policy Layering
Architects usually have to decide which API Manager policies to apply at which layer of an API-led architecture (System, Process and Experience APIs).
Most policies can technically be applied at every layer, but repeating the same policy at each hop adds latency, duplicates configuration and multiplies the places where a misconfiguration can go unnoticed.
The nuances matter: knowing which policy belongs in which situation is the real decision.
Below is a quick recap of the API Manager policies that best suit each layer.
System API Layer Policies
At the System API layer, focus on foundational policies that protect the backend systems and keep them reliable:
- Authentication and Authorization: authenticate the calling Process API (for example with client ID enforcement or mutual TLS), not the end user, and fail closed on any missing or invalid credential
- Rate Limiting and Throttling: sized to what the backend system can actually sustain, so one misbehaving caller cannot exhaust it
- Security policies (IP allowlisting/whitelisting, CORS): allowlist only the gateway addresses that should ever reach the System API; CORS is a browser mechanism and only matters where a browser calls the API directly
- Basic logging and monitoring: record every policy decision (who called, from where, allowed or denied) so that denials are visible and not silently dropped
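As an added example (not code from the original post, and not MuleSoft's own policy implementation), the following simulates a System API policy chain in Python: an IP allowlist is checked first, then client credentials, and every decision is written to an audit record. The subnet, client registry, secrets and requests are all constructed for illustration, and the assumption is that only Process-layer gateways on that subnet should reach the System API.

```python
"""Added example, not from the original post and not MuleSoft's policy code:
a minimal System API policy chain (IP allowlist -> client auth -> audit log).

Assumptions (hypothetical): the System API is reachable only from the subnet
where the Process-layer gateways run, and callers present a client_id plus a
client_secret. The allowlist, registry and requests below are constructed.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed: the only network allowed to call this System API.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def _digest(secret: str) -> str:
    # Client secrets are assumed to be high-entropy random strings, so a plain
    # SHA-256 digest is adequate for storage (this is not a password hash).
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed client registry: client_id -> digest of its secret.
CLIENT_REGISTRY = {"process-orders": _digest("s3cret-orders")}
# Compared against when the client_id is unknown, so unknown and wrong
# credentials take the same code path and return the same reason.
_UNKNOWN_CLIENT_DIGEST = _digest("unknown-client-placeholder")

AUDIT_LOG: list[dict] = []


@dataclass(frozen=True)
class Request:
    source_ip: str
    client_id: str
    client_secret: str
    path: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def ip_allowlist(req: Request) -> Decision:
    """Deny anything not from an allowed network; a malformed IP fails closed."""
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return Decision(False, "malformed_ip")
    if any(addr in net for net in ALLOWED_NETWORKS):
        return Decision(True, "ip_allowed")
    return Decision(False, "ip_not_allowlisted")


def client_auth(req: Request) -> Decision:
    """Constant-time comparison of the presented secret's digest with the stored one."""
    expected = CLIENT_REGISTRY.get(req.client_id, _UNKNOWN_CLIENT_DIGEST)
    presented = _digest(req.client_secret)
    if req.client_id in CLIENT_REGISTRY and hmac.compare_digest(expected, presented):
        return Decision(True, "client_authenticated")
    return Decision(False, "invalid_credentials")


# Cheapest check first: an unexpected source address never reaches the auth step.
POLICY_CHAIN = (ip_allowlist, client_auth)


def evaluate(req: Request) -> Decision:
    """Run the chain in order; the first denial wins and every outcome is logged."""
    decision = Decision(True, "allowed")
    for policy in POLICY_CHAIN:
        decision = policy(req)
        if not decision.allowed:
            break
    AUDIT_LOG.append({
        "client_id": req.client_id, "source_ip": req.source_ip,
        "path": req.path, "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate call and one from outside the subnet.
    print(evaluate(Request("10.20.0.5", "process-orders", "s3cret-orders", "/orders/1")))
    print(evaluate(Request("203.0.113.9", "process-orders", "s3cret-orders", "/orders/1")))
```

The ordering is deliberate: the allowlist is the cheapest policy and rejects traffic that should never have arrived, so credential checks (and their log noise) only run for callers that are at least on the expected network. The audit record captures denials as well as successes, which is what "basic logging" at this layer needs to mean.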
Process API Layer Policies
Process APIs benefit from transformation and orchestration-focused policies:
- Message transformation and validation: validate inbound payloads against a schema so malformed or unexpected input is rejected before any orchestration runs
- Caching policies for performance: cache idempotent reads only, and never cache responses that vary by caller
- Circuit breaker patterns: stop calling a failing System API for a cooling-off period instead of letting timeouts pile up across the orchestration
- Advanced monitoring and analytics: per-step latency and error rates, so a slow downstream is visible as the cause rather than as a symptom at the Experience layer
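To show the circuit breaker behaviour concretely, here is an added example (not code from the original post, and not MuleSoft's circuit breaker policy) of a breaker a Process API can place around its call to a System API. The failure threshold, recovery timeout and the flaky downstream are hypothetical, and the clock is injected so the closed, open and half-open transitions can be traced deterministically offline.

```python
"""Added example, not from the original post and not MuleSoft's policy code:
a circuit breaker with closed / open / half-open states around a downstream call.

Assumptions (hypothetical): threshold, timeout and the failing downstream are
constructed; the clock is injected so the run is deterministic.
"""
import time
from typing import Callable

CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"


class CircuitOpenError(Exception):
    """Raised when the call is skipped because the breaker is open."""


class CircuitBreaker:
    def __init__(self, failure_threshold: int = 3, recovery_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock
        self.state = CLOSED
        self.failures = 0
        self.opened_at = 0.0

    def call(self, fn, *args):
        if self.state == OPEN:
            if self.clock() - self.opened_at < self.recovery_timeout:
                raise CircuitOpenError("downstream call skipped; circuit open")
            # Cooling-off period over: allow a trial call (single-threaded here;
            # a production breaker would also guard against concurrent trials).
            self.state = HALF_OPEN
        try:
            result = fn(*args)
        except Exception:
            self._record_failure()
            raise
        self._record_success()
        return result

    def _record_failure(self):
        self.failures += 1
        # A failed trial call re-opens immediately; otherwise open on threshold.
        if self.state == HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = OPEN
            self.opened_at = self.clock()

    def _record_success(self):
        self.state = CLOSED
        self.failures = 0


class FakeClock:
    """Constructed clock so the simulation does not depend on wall time."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float):
        self.now += seconds


class FlakyBackend:
    """Constructed System API stand-in: fails the first `fail_count` calls, then recovers."""
    def __init__(self, fail_count: int):
        self.fail_count = fail_count
        self.calls = 0

    def __call__(self, order_id: str) -> dict:
        self.calls += 1
        if self.calls <= self.fail_count:
            raise ConnectionError("upstream timeout")
        return {"order_id": order_id, "status": "SHIPPED"}


def simulate():
    """Six attempts, 10 s apart, against a backend that fails three times."""
    clock, backend = FakeClock(), FlakyBackend(fail_count=3)
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=clock)
    outcomes = []
    for _ in range(6):
        try:
            breaker.call(backend, "ord-42")
            outcomes.append("ok")
        except CircuitOpenError:
            outcomes.append("short-circuited")  # backend not touched at all
        except ConnectionError:
            outcomes.append("failed")
        clock.advance(10.0)
    return outcomes, backend.calls


def simulate_failed_trial():
    """A trial call that fails re-opens the breaker with a fresh timeout."""
    clock, backend = FakeClock(), FlakyBackend(fail_count=10)
    breaker = CircuitBreaker(failure_threshold=2, recovery_timeout=5.0, clock=clock)
    for _ in range(3):
        try:
            breaker.call(backend, "ord-7")
        except (ConnectionError, CircuitOpenError):
            pass
        clock.advance(5.0)
    return breaker.state, breaker.opened_at


if __name__ == "__main__":
    print(simulate())
    print(simulate_failed_trial())
```

In the first simulation the backend is hit four times instead of six: after the third failure the breaker opens, the next two attempts are answered locally without a network call, and the trial call at the end of the 30 second window succeeds and closes the breaker. The second simulation shows the failure mode a naive implementation misses: a failed trial call must re-open the breaker and restart the timer, not fall back to counting failures from zero.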
Experience API Layer Policies
Experience APIs should focus on user experience and interface policies:
- Client-specific rate limiting: per application or per tier, on top of the System-layer limit that protects the backend, so one noisy channel cannot starve the others
- Response formatting and filtering: return only the fields each channel needs, which also keeps internal fields out of client-facing responses
- API versioning strategies
- Developer portal integration
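As an added example (not code from the original post, and not a MuleSoft policy), the following combines the two Experience-layer controls above: a per-client token-bucket rate limit and a per-tier response field allowlist applied to the payload that comes back from the Process API. The tiers, bucket sizes, client names and response shape are constructed for illustration, and the current time is passed in explicitly so the refill behaviour can be checked offline.

```python
"""Added example, not from the original post and not MuleSoft's policy code:
per-client token-bucket rate limiting plus response field filtering at the
Experience layer.

Assumptions (hypothetical): client tiers, bucket sizes, the field allowlist and
the upstream payload are constructed; `now` is supplied by the caller.
"""
from dataclasses import dataclass

# Constructed tiers: (burst capacity in requests, refill rate in requests/second).
TIERS = {"mobile": (5, 1.0), "partner": (20, 10.0)}

# Constructed per-tier allowlist: the mobile app never sees logistics internals.
RESPONSE_FIELDS = {
    "mobile": {"order_id", "status", "eta"},
    "partner": {"order_id", "status", "eta", "warehouse", "carrier_ref"},
}


@dataclass
class Bucket:
    capacity: float
    refill_rate: float
    tokens: float
    updated: float


class ClientRateLimiter:
    """One token bucket per client_id; buckets are created full on first use."""

    def __init__(self):
        self._buckets: dict[str, Bucket] = {}

    def allow(self, client_id: str, tier: str, now: float) -> bool:
        capacity, rate = TIERS[tier]
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = Bucket(capacity, rate, capacity, now)
            self._buckets[client_id] = bucket
        # Refill proportionally to elapsed time, never beyond capacity and
        # never negative if a clock goes backwards.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.refill_rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def filter_response(payload: dict, tier: str) -> dict:
    """Keep only the fields the tier is entitled to; unknown fields are dropped, not passed through."""
    allowed = RESPONSE_FIELDS[tier]
    return {key: value for key, value in payload.items() if key in allowed}


def handle(client_id: str, tier: str, now: float, limiter: ClientRateLimiter,
           upstream_payload: dict) -> tuple[int, dict]:
    """Experience-layer handling of a response already fetched from the Process API."""
    if tier not in TIERS:
        return 403, {"error": "unknown_client_tier"}  # fail closed on misconfiguration
    if not limiter.allow(client_id, tier, now):
        return 429, {"error": "rate_limited"}
    return 200, filter_response(upstream_payload, tier)


if __name__ == "__main__":
    # Constructed upstream payload with an internal field that must never leak.
    payload = {"order_id": "o1", "status": "SHIPPED", "eta": "2024-06-01",
               "warehouse": "WH-3", "carrier_ref": "C9", "internal_cost": 12.5}
    limiter = ClientRateLimiter()
    for i in range(7):
        print(handle("mobile-app", "mobile", 0.0, limiter, payload))
```

The allowlist is the safer direction for filtering: a denylist of "internal" fields breaks the moment a Process API adds a new one, while an allowlist only ever exposes what was explicitly approved for that channel. The rate limit is keyed by client, so the mobile app exhausting its burst does not affect the partner integration, and a client with an unknown tier is rejected rather than given a default quota.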