Cloud-native API Gateway supports API-level and operation-level policies and plug-ins to improve security, performance, and maintainability.
-
Policy configuration changes take effect immediately without republishing the API.
-
By default, API-level plug-in configurations apply to the operation level.
-
You cannot delete API-level policies at the operation level. However, operation-level policies can override API-level policies.
Procedure
-
Add API policies in either of the following two ways:
APIs outside an instance
-
Log on to the Cloud-native API Gateway console. In the left-side navigation pane, select APIs and select a region in the top menu bar.
-
Click the target API and select the destination instance from the drop-down list.

APIs within an instance
-
Log on to the Cloud-native API Gateway console. In the left-side navigation pane, select Instances and select a region in the top menu bar.
-
On the Instances page, click the ID of the target gateway instance. In the left-side navigation pane, select APIs, and click the target API.
-
-
You can configure policies and plug-ins at the API or operation level:
-
API level: Click the API Policy Configuration tab to configure API-level policies and plug-ins for all operations. Then, click Enable Policy/Plug-in.
-
Operation level: On the Operations tab, click the target operation, click the Policy Configuration tab, and then click Enable Policy/Plug-in.
-
-
In the Enable Policy/Plug-in panel, select and configure a policy or plug-in from the Policies or Plug-ins section.
Policies
Throttling policy
Throttling controls request volume per API and operation within a configured threshold over a specified period. It prevents external requests from overwhelming backend services and avoids cascading failures by rejecting excess requests under high concurrency.
Throttling policies include concurrency control, traffic shaping, and circuit breaking.
-
Concurrency control policy: Limits the total number of concurrent requests processed by the gateway. When the threshold is reached, new requests are rejected. Set the threshold to match your backend capacity.
-
Traffic shaping policy: Monitors queries per second (QPS) for APIs and operations. When QPS exceeds the threshold, new requests are rejected to protect backend services from traffic spikes.
-
Circuit breaking policy: Monitors the response time or error rate of APIs and operations. When a threshold is reached, the circuit breaker trips and fails subsequent requests for a set period to prevent cascading failures. After the timeout, the gateway allows a limited number of test requests to check whether the backend has recovered.
Rewrite policy
Rewrite policies modify request paths and host headers before forwarding to backend services, ensuring requests reach the correct endpoints.
Header modification policy
Header modification lets you modify request headers before forwarding to the backend, or response headers before returning to the client.
CORS policy
Cross-Origin Resource Sharing (CORS) controls access to resources from different origins (domain, scheme, or port). Configure CORS policies at the API and operation levels to specify allowed origins and request methods.
The CORS policy does not apply to mock services. You must configure an actual backend service for testing.
Traffic replication policy
Traffic replication mirrors a percentage of live traffic to a specified service for simulation testing and fault diagnosis.
Timeout policy
Configure the maximum time the gateway waits for a backend response. If no response is received within this time, the gateway returns an HTTP 504 (Gateway Timeout) error.
Retry policy
Configure automatic retries for failed requests. Retry conditions include connection failure, backend unavailability, and specific HTTP status codes.
Plug-ins
-
Click the Add Plug-in tab.
-
In the Quick Navigation section, find the target plug-in by type or name, and click its card.
-
If the plug-in is not yet installed, click Install and Configure in the dialog box. Configure the rules and enable it.
-
If the plug-in is already installed, configure its rules and enable it in the dialog box.
-
-
Click OK. You return to the API plug-in list, where you can view the status of the new plug-in.
