
Use base APIM policy element#

Security · API Management · Rule · 2023_06 · Important

Base element for any policy element in a section should be configured.

Description#

Determine the policy evaluation order by placement of the base (<base />) element in each section in the policy definition at each scope.

API Management supports the following policy scopes, from broadest to narrowest: Global (all APIs), Workspace, Product, API, and Operation.

The base element pulls in the policies configured in the same section at the next broader (parent) scope. Without it, the policies inherited from broader scopes, including any security controls such as JWT validation, IP filtering or rate limiting, are silently not applied to requests at the narrower scope. The base element can be placed before or after any other policy element in a section, depending on the wanted evaluation order; however, placing it after locally defined elements means the inherited controls run only after those elements, which can reduce their effectiveness. In most cases, unless the policy reference states otherwise (as it does for cors), the base element should be the first element in each section.

The one exception is the Global scope. The Global scope has no parent to inherit from, because it is the outermost scope from which all others inherit, so the base element has no effect there.
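To make the inheritance behaviour concrete, the following added example (written for this page, not PSRule's own implementation of the rule) resolves the effective evaluation order of a section across scopes by expanding each <base /> into the parent's effective list, and runs a check that mirrors what the rule looks for: every section present in a non-global policy document must contain <base />, and a <base /> that follows other elements is reported as a warning. The policy documents and the allowance for cors before <base /> are constructed assumptions for illustration.

```python
"""Resolve APIM policy evaluation order across scopes and check <base /> usage.

Constructed example; not PSRule's implementation. The sample policy documents
are made up for illustration.
"""
import xml.etree.ElementTree as ET

SECTIONS = ("inbound", "backend", "outbound", "on-error")
# Broadest to narrowest. <base /> at a scope inherits from the nearest broader
# scope that actually has a policy document.
SCOPE_ORDER = ("global", "workspace", "product", "api", "operation")
# Policies whose reference documentation places them before <base />.
# Assumption: only cors, the exception named in the rule text.
ALLOWED_BEFORE_BASE = {"cors"}


def _section_children(policy_xml, section):
    node = ET.fromstring(policy_xml).find(section)
    # Assumption: a section absent from the document contributes no elements.
    return list(node) if node is not None else []


def effective_order(section, scope_policies):
    """Return element tags in evaluation order for `section`, <base /> expanded.

    scope_policies maps a scope name to its policy XML. Scopes without a
    document are skipped, so <base /> resolves to the nearest broader scope.
    """
    inherited = []  # effective list of the nearest broader scope
    for scope in SCOPE_ORDER:
        if scope not in scope_policies:
            continue
        expanded = []
        for child in _section_children(scope_policies[scope], section):
            if child.tag == "base":
                expanded.extend(inherited)  # empty at the global scope
            else:
                expanded.append(f"{scope}:{child.tag}")
        inherited = expanded
    return inherited


def check_base(policy_xml, scope):
    """Return findings as (section, level, message); an empty list is a pass.

    A section without <base /> is an 'error' (what the rule flags). A <base />
    placed after other elements is only a 'warn', since that can be intended.
    """
    if scope == "global":
        return []  # nothing to inherit at the outermost scope
    findings = []
    for section in SECTIONS:
        node = ET.fromstring(policy_xml).find(section)
        if node is None:
            continue
        tags = [child.tag for child in node]
        if "base" not in tags:
            findings.append((section, "error",
                             "no <base />: policies from broader scopes are not applied"))
            continue
        preceding = [t for t in tags[:tags.index("base")] if t not in ALLOWED_BEFORE_BASE]
        if preceding:
            findings.append((section, "warn",
                             f"<base /> runs after {preceding}; inherited controls are evaluated later"))
    return findings


# Constructed sample policy documents (not from a real deployment).
GLOBAL = ('<policies><inbound><rate-limit calls="100" renewal-period="60" /></inbound>'
          '<backend><forward-request /></backend><outbound /><on-error /></policies>')
PRODUCT = ('<policies><inbound><base /><validate-jwt header-name="Authorization" /></inbound>'
           '<backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>')
IP_FILTER = '<ip-filter action="allow"><address-range from="10.1.0.1" to="10.1.0.255" /></ip-filter>'
API_OK = (f'<policies><inbound><base />{IP_FILTER}</inbound>'
          '<backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>')
API_NO_BASE = (f'<policies><inbound>{IP_FILTER}</inbound>'
               '<backend><forward-request /></backend><outbound /><on-error /></policies>')
API_LATE_BASE = (f'<policies><inbound>{IP_FILTER}<base /></inbound>'
                 '<backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>')
API_CORS = ('<policies><inbound><cors><allowed-origins><origin>https://app.example</origin>'
            '</allowed-origins></cors><base /></inbound>'
            '<backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>')


if __name__ == "__main__":
    for label, api in (("with base", API_OK), ("without base", API_NO_BASE)):
        order = effective_order("inbound", {"global": GLOBAL, "product": PRODUCT, "api": api})
        print(f"inbound order, API {label}: {order}")
        for finding in check_base(api, "api"):
            print("  ", finding)
```

Running it shows that the API without <base /> evaluates only its own ip-filter on the inbound path: the global rate-limit and the product-level validate-jwt never run, which is exactly the loss of inherited security controls the rule is meant to catch.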

Recommendation#

Consider configuring the base element for any policy element in a section.

Examples#

Configure with Azure template#

To deploy API Management policies that pass this rule:

  • Configure a policy sub-resource.
  • Configure the base element in each section of the properties.value property, before or after the other policy elements (normally first, unless the policy reference says otherwise).

For example an API policy:

Azure Template snippet
{
  "type": "Microsoft.ApiManagement/service/apis/policies",
  "apiVersion": "2021-08-01",
  "name": "[format('{0}/{1}', parameters('name'), 'policy')]",
  "properties": {
    "value": "<policies><inbound><base /><ip-filter action=\"allow\"><address-range from=\"10.1.0.1\" to=\"10.1.0.255\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>",
    "format": "xml"
  },
  "dependsOn": [
    "[resourceId('Microsoft.ApiManagement/service/apis', parameters('name'))]"
  ]
}

Configure with Bicep#

To deploy API Management policies that pass this rule:

  • Configure a policy sub-resource.
  • Configure the base element in each section of the properties.value property, before or after the other policy elements (normally first, unless the policy reference says otherwise).

For example an API policy:

Azure Bicep snippet
resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
  parent: api // the existing Microsoft.ApiManagement/service/apis resource, declared elsewhere in the template
  name: 'policy'
  properties: {
    value: '<policies><inbound><base /><ip-filter action="allow"><address-range from="10.1.0.1" to="10.1.0.255" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>'
    format: 'xml'
  }
}

Notes#

The rule only checks policy content in the rawxml and xml formats. Global policies are excluded, since the Global scope has no parent to inherit from and therefore gains nothing from the base element.
