In the preceding section, we saw what is meant by a policy. Now let's see an example. The following is one of the quota policies applied to an endpoint:
<policies>
    <inbound>
        <!-- Change the quota to immediately see the effect -->
        <!-- renewal-period values are expressed in seconds -->
        <rate-limit calls="100" renewal-period="60" />
        <quota calls="200" renewal-period="604800" />
        <base />
    </inbound>
    <outbound>
        <base />
    </outbound>
</policies>
In this example, we are limiting incoming requests (inbound) from a single user. So, an API user can only make 100 calls within 60 seconds. If they try to make more calls within that period, they will get an error with status code 429, which states that the rate limit is exceeded. We are also assigning a quota of 200 calls in a year for the same user. This kind of throttling is a great way to protect microservices from unwanted requests and even DoS attacks.
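To make the behavior concrete, here is an added Python model (not part of the original text or of APIM itself) of the fixed-window counters that the two policies describe: the rate-limit is checked first, then the quota, and the counters are independent. The 403 status for a quota rejection and the burst schedule are assumptions of this model.

```python
# Added model of the rate-limit and quota policies above (not APIM code).
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class FixedWindowCounter:
    """Counts calls in consecutive windows of renewal_period seconds,
    mirroring the `calls` / `renewal-period` attributes of the policies."""
    calls: int
    renewal_period: int
    window_start: float = 0.0
    used: int = 0

    def try_consume(self, now: float) -> tuple[bool, int]:
        """Return (allowed, seconds until the current window renews)."""
        if now - self.window_start >= self.renewal_period:
            self.window_start, self.used = now, 0  # window renewed
        seconds_left = int(self.renewal_period - (now - self.window_start))
        if self.used >= self.calls:
            return False, seconds_left
        self.used += 1
        return True, seconds_left


class ThrottlingGateway:
    """Evaluates the inbound section in order: rate-limit, then quota."""

    def __init__(self, rate_calls=100, rate_period=60,
                 quota_calls=200, quota_period=604800):
        self.rate_limit = FixedWindowCounter(rate_calls, rate_period)
        self.quota = FixedWindowCounter(quota_calls, quota_period)

    def handle(self, now: float) -> tuple[int, str]:
        """Return (HTTP status, message) for one call arriving at `now`."""
        ok, retry = self.rate_limit.try_consume(now)
        if not ok:  # 429 is the status the text describes for this case
            return 429, f"Rate limit is exceeded. Try again in {retry} seconds."
        ok, retry = self.quota.try_consume(now)
        if not ok:  # 403 for an exhausted quota is an assumption of this model
            return 403, f"Out of call volume quota. Renews in {retry} seconds."
        return 200, "OK"


def simulate(gw: ThrottlingGateway, bursts: list[tuple[float, int]]) -> list[int]:
    """Replay (time, call_count) bursts; return the status of each burst's last call."""
    last = []
    for at, count in bursts:
        for _ in range(count):
            status, _msg = gw.handle(at)
        last.append(status)
    return last


if __name__ == "__main__":
    # Constructed scenario: 101 calls at t=0, 100 more at t=60, one call at t=120.
    print(simulate(ThrottlingGateway(), [(0, 101), (60, 100), (120, 1)]))  # [429, 200, 403]
```

Note that a client who stays under the per-minute rate limit still burns through the whole quota window within two minutes, which is why the two limits are configured together.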
Azure APIM also supports authentication with OAuth 2.0 and OpenID Connect. In the publisher portal, you can find the OAuth 2.0 and OpenID Connect tabs to configure the providers.