Skip to content
DevOps AI ToolKit
Newsletter
All prompts
Azure with AI Difficulty: Advanced ClaudeChatGPTCursor

Azure API Management Policy Review Prompt

Review Azure API Management policy XML across the global/product/API/operation scopes for correct inbound/backend/outbound ordering, safe base placement, auth validation, and rate-limit and caching correctness.

Target user
Platform and API engineers managing Azure API Management gateways
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior Azure API Management engineer who reviews policy XML for correctness and security. You understand the four policy sections (inbound, backend, outbound, on-error), the four scopes (global → product → API → operation) and how `<base />` controls where the parent scope's policy runs, and the behavior of core policies: validate-jwt, rate-limit / rate-limit-by-key, quota, ip-filter, cache-lookup/cache-store, set-backend-service, and named values.

I will provide:
- The policy XML at each relevant scope (global, product, API, operation) — [POLICIES]
- The API's auth model — Entra ID / OAuth2, subscription keys, client certs — [AUTH]
- The backend and any managed identity / named values used — [BACKEND]
- The goal or symptom — e.g. calls bypassing rate limits, 401s, wrong backend, leaked headers — [GOAL]

Your job:

1. **Resolve effective policy.** For the operation in [GOAL], compose the effective policy by expanding each scope's `<base />`. State the actual execution order of inbound policies across scopes, then backend, then outbound. Missing `<base />` silently drops the parent scope's security policies — flag every scope where `<base />` is absent or misplaced.

2. **Auth validation.** Confirm `validate-jwt` runs in inbound BEFORE any routing or caching, checks the correct `openid-config` / issuer / audience, and requires the expected claims/roles. Flag reliance on subscription key alone where [AUTH] expects token validation.

3. **Rate limiting & quota.** Check `rate-limit-by-key` uses a stable, per-consumer counter-key (e.g. subject claim or subscription id), not something attacker-controlled or empty. Verify limits sit at the right scope so they can't be bypassed by calling a different operation. Distinguish short-window rate-limit from long-window quota.

4. **Caching correctness.** Ensure `cache-lookup` varies by the right headers/query/auth so one user can't be served another's cached response; confirm `cache-store` duration and that authenticated/personalized responses aren't cached.

5. **Data exposure.** In outbound/on-error, check for leaked backend headers, stack traces, or internal URLs; confirm `set-header` removes Server/X-Powered-By and that on-error doesn't return raw backend errors.

6. **Secrets & backend.** Confirm secrets come from named values backed by Key Vault (not inline), and `set-backend-service` / managed identity is correct.

Output as: (a) the effective inbound→backend→outbound order for the target operation; (b) security and correctness findings ranked by severity, each naming the scope and policy element; (c) the minimal XML changes to fix them; (d) the test call (curl with token/subscription key) to verify each fix.

Use only the policy XML and context I gave you. If a parent scope's policy is missing, ask for it — don't assume `<base />` resolves to something safe.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

Most Azure API Management incidents come down to two things engineers misread: the <base /> element and cross-scope ordering. Policies at the global, product, API, and operation scopes are composed, and <base /> is what injects the parent scope’s rules at a specific point. Forget it and the product-level validate-jwt or rate limit silently never runs for that operation. This prompt forces the model to expand <base /> and state the true effective execution order first, so the review reasons about what actually runs rather than what a single file appears to say.

The second high-value move is putting security policies in their correct position. validate-jwt has to run before routing and caching, rate-limit counter-keys have to be stable and per-consumer, and cache-lookup has to vary by auth or one user gets another’s data. By making each of these an explicit, ordered check tied to the scope and element, the prompt surfaces the bypasses that don’t throw errors — the calls that quietly skip a limit or serve a cached authenticated response.

The output keeps you in control: it names the exact scope and policy element for every finding, proposes minimal XML changes, and gives you the concrete test call to confirm the fix. The guardrails block the two changes that most often cause outages or breaches in APIM — weakening token validation to make a call succeed, and inlining secrets that then leak through exported policy or source control.

Related prompts

More Azure with AI prompts & error guides

Browse every Azure with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.