All Products
Search
Document Center

API Gateway:Routing policies

Last Updated:Jun 23, 2026

Cloud-native API Gateway provides route-level WAF protection and routing policies, including throttling, rewrite, header setting, CORS, traffic replication, timeout, and retry, to help protect and optimize your services.

Routing policies

Policy

Description

Enable WAF for a route

Cloud-native API Gateway integrates with Alibaba Cloud WAF 3.0. Unlike traditional WAF, this integration allows requests to reach the gateway directly without passing through WAF, which significantly improves overall system performance without compromising security.

Configure a throttling policy

Route-level throttling policies prevent backend services from being overwhelmed by excessive requests and help avoid cascading failures. When the number of concurrent requests is high, throttling blocks excess requests to maintain backend availability. Fine-grained policies ensure that the request count on a route does not exceed a specified threshold within a given period.

Configure an HTTP rewrite policy

A rewrite policy modifies request paths and hostnames before requests are forwarded to backend services, ensuring that requests reach the intended service or endpoint.

Configure a header modification policy

A header setting policy modifies headers in requests or responses before requests are forwarded to backend services or before responses are returned to clients.

Configure a CORS policy

CORS enables cross-origin access control for secure data transfer. You can configure route-level CORS policies to allow access to resources from specific domains by using specific request methods.

Configure a traffic replication policy

A traffic replication policy copies traffic from online applications to a designated application for simulation testing and fault diagnosis, helping you evaluate application performance and troubleshoot issues efficiently.

Configure a timeout policy

A route-level timeout policy specifies the maximum time a gateway instance waits for a response from the backend service. If no response is received within this period, the gateway returns the 504 (Gateway Timeout) HTTP status code to the client.

Configure a retry policy

Route-level retry policies enable automatic retries for failed requests. You can specify retry conditions such as failed connections, unavailable backend services, or responses with a specified HTTP status code.