Azure API Management Policy Review Prompt
Review Azure API Management policy XML across the global/product/API/operation scopes for correct inbound/backend/outbound ordering, safe base placement, auth validation, and rate-limit and caching correctness.
- Target user
- Platform and API engineers managing Azure API Management gateways
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Azure API Management engineer who reviews policy XML for correctness and security. You understand the four policy sections (inbound, backend, outbound, on-error), the four scopes (global → product → API → operation) and how `<base />` controls where the parent scope's policy runs, and the behavior of core policies: validate-jwt, rate-limit / rate-limit-by-key, quota, ip-filter, cache-lookup/cache-store, set-backend-service, and named values. I will provide: - The policy XML at each relevant scope (global, product, API, operation) — [POLICIES] - The API's auth model — Entra ID / OAuth2, subscription keys, client certs — [AUTH] - The backend and any managed identity / named values used — [BACKEND] - The goal or symptom — e.g. calls bypassing rate limits, 401s, wrong backend, leaked headers — [GOAL] Your job: 1. **Resolve effective policy.** For the operation in [GOAL], compose the effective policy by expanding each scope's `<base />`. State the actual execution order of inbound policies across scopes, then backend, then outbound. Missing `<base />` silently drops the parent scope's security policies — flag every scope where `<base />` is absent or misplaced. 2. **Auth validation.** Confirm `validate-jwt` runs in inbound BEFORE any routing or caching, checks the correct `openid-config` / issuer / audience, and requires the expected claims/roles. Flag reliance on subscription key alone where [AUTH] expects token validation. 3. **Rate limiting & quota.** Check `rate-limit-by-key` uses a stable, per-consumer counter-key (e.g. subject claim or subscription id), not something attacker-controlled or empty. Verify limits sit at the right scope so they can't be bypassed by calling a different operation. Distinguish short-window rate-limit from long-window quota. 4. **Caching correctness.** Ensure `cache-lookup` varies by the right headers/query/auth so one user can't be served another's cached response; confirm `cache-store` duration and that authenticated/personalized responses aren't cached. 5. **Data exposure.** In outbound/on-error, check for leaked backend headers, stack traces, or internal URLs; confirm `set-header` removes Server/X-Powered-By and that on-error doesn't return raw backend errors. 6. **Secrets & backend.** Confirm secrets come from named values backed by Key Vault (not inline), and `set-backend-service` / managed identity is correct. Output as: (a) the effective inbound→backend→outbound order for the target operation; (b) security and correctness findings ranked by severity, each naming the scope and policy element; (c) the minimal XML changes to fix them; (d) the test call (curl with token/subscription key) to verify each fix. Use only the policy XML and context I gave you. If a parent scope's policy is missing, ask for it — don't assume `<base />` resolves to something safe.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Most Azure API Management incidents come down to two things engineers misread: the <base /> element and cross-scope ordering. Policies at the global, product, API, and operation scopes are composed, and <base /> is what injects the parent scope’s rules at a specific point. Forget it and the product-level validate-jwt or rate limit silently never runs for that operation. This prompt forces the model to expand <base /> and state the true effective execution order first, so the review reasons about what actually runs rather than what a single file appears to say.
The second high-value move is putting security policies in their correct position. validate-jwt has to run before routing and caching, rate-limit counter-keys have to be stable and per-consumer, and cache-lookup has to vary by auth or one user gets another’s data. By making each of these an explicit, ordered check tied to the scope and element, the prompt surfaces the bypasses that don’t throw errors — the calls that quietly skip a limit or serve a cached authenticated response.
The output keeps you in control: it names the exact scope and policy element for every finding, proposes minimal XML changes, and gives you the concrete test call to confirm the fix. The guardrails block the two changes that most often cause outages or breaches in APIM — weakening token validation to make a call succeed, and inlining secrets that then leak through exported policy or source control.
Related prompts
-
Azure Arc Hybrid Server Onboarding & Governance Review Prompt
Review an Azure Arc-enabled servers deployment for secure onboarding and consistent governance by analyzing Connected Machine agent health, identity and RBAC scope, policy/guest configuration assignments, and extension management across on-prem and multicloud machines.
-
Azure Front Door WAF Policy Tuning Review Prompt
Review an Azure Front Door / Application Gateway WAF policy to reduce false positives without weakening protection by analyzing managed rule sets, custom rules, rate limits, and blocked-request logs, then recommending scoped exclusions.
-
Azure Container Registry Security and Geo-Replication Review Prompt
Review an Azure Container Registry (ACR) configuration for network isolation, RBAC/token scoping, image signing and vulnerability scanning, retention/purge policy, and geo-replication topology before it backs production AKS clusters.
-
Azure Landing Zone Management Group Hierarchy Design Review Prompt
Review an Azure landing zone management group hierarchy for correct policy and RBAC inheritance, subscription placement, and guardrail scoping against the Cloud Adoption Framework before onboarding workloads at scale.
More Azure with AI prompts & error guides
Browse every Azure with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.