1

I'm using Azure API Management with some rate limiting based on subscription. I need to send to the user in the response headers the number of remaining calls. I know that I should set some values in the outbound policy but I do not know how to do it exactly. This is my policy XML if anyone can help.

<policies>
    <inbound>
        <base />
        <set-variable name="remainingCalls" value="remaining-calls-variable-name" />
        <quota-by-key calls="5" renewal-period="86400" counter-key="@(context.Subscription?.Key ?? "anonymous")" increment-condition="@(context.Response.StatusCode >= 200 && context.Response.StatusCode < 300)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <set-header name="remainingCalls" exists-action="append">
            <value>@(context.Response.Headers.GetValueOrDefault("remaining-calls-header-name","2"))</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
Islam

2 Answers

2

I've contacted Microsoft Azure support for this request and they were able to guide me to a possible workaround that may be helpful. In my particular use case it is a good solution. For the quota policy, and as mentioned by @Venkatesh-MAT, it is not supported to retrieve remaining quota information in a response header as with the rate-limit policy. However, there is a separate REST API for this purpose. This is the documentation for the same: https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/quota-by-counter-keys/list-by-service.

The API in this documentation requires a bearer token for authentication. To generate the bearer token you can simply use the Azure CLI to get a token for the resource using the command az account get-access-token --resource https://management.azure.com or, if you need to do it programmatically, you have to follow the steps below:

  1. Set a principal role using the Azure CLI with subscription scope to create a service principal that has access to this resource scope (az ad sp create-for-rbac -n "principle-1" --role contributor --scopes /subscriptions/{subscriptionID}/resourceGroups/{resourcegroup}/providers/Microsoft.ApiManagement/service/{API management Service name}/quotas/{subscription key})

  2. Use the client ID, client secret & tenant ID generated in the above step to call this API https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token with body type x-www-form-urlencoded and body key/value pairs as below

    KEY: grant_type VALUE: client_credentials

    KEY: client_id VALUE: appid generated from step number 1

    KEY: scope VALUE: https://management.azure.com/.default

    KEY: client_secret VALUE: password generated from step number 1

Then use the output access token to get quota policy consumption.

Islam
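The two steps from the answer above (client-credentials token, then the quota REST call), as an added Python example that is not part of the original answer. It turns the `callsCount` the API reports into the remaining calls and reset time the question asks for, using the `calls="5"` limit from the question's policy. Assumptions: the environment variable names are hypothetical, the api-version is passed in because the page does not name one, and the response field names (`counterKey`, `periodEndTime`, `value.callsCount`) should be checked against the linked REST reference; without credentials the script uses a constructed sample response.

```python
import json
import os
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"

def token_request(tenant, client_id, client_secret):
    """Step 2: form-encoded POST (urllib's default for bytes data) for a token."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "scope": ARM + "/.default", "client_secret": client_secret}
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        data=urllib.parse.urlencode(form).encode())

def quota_request(token, sub, rg, service, counter_key, api_version):
    """GET the quota counters for one counter-key (here: the subscription key)."""
    path = (f"/subscriptions/{sub}/resourceGroups/{rg}/providers/"
            f"Microsoft.ApiManagement/service/{service}/quotas/"
            + urllib.parse.quote(counter_key, safe=""))
    return urllib.request.Request(
        f"{ARM}{path}?api-version={urllib.parse.quote(api_version)}",
        headers={"Authorization": f"Bearer {token}"})

def remaining_calls(body, limit):
    """Turn a quota response into remaining calls and reset time per period."""
    return [{"counterKey": c["counterKey"], "resetsAt": c["periodEndTime"],
             "remaining": max(limit - c["value"]["callsCount"], 0)}
            for c in json.loads(body).get("value", [])]

def send(req):
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

# Constructed sample response (not captured from a real service).
SAMPLE = json.dumps({"value": [{
    "counterKey": "constructed-key",
    "periodEndTime": "2022-01-21T00:00:00Z",
    "value": {"callsCount": 3, "kbTransferred": 1.5}}]})

if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; secret stays out of source
    body = SAMPLE
    if "AZ_CLIENT_SECRET" in env:
        tok = json.loads(send(token_request(
            env["AZ_TENANT"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])))
        body = send(quota_request(tok["access_token"], env["AZ_SUB"], env["AZ_RG"],
                    env["APIM_NAME"], env["APIM_KEY"], env["ARM_API_VERSION"]))
    print(remaining_calls(body, limit=5))  # calls="5" in the question's policy
```
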
0

As per the Azure documentation, you can set rate-limit by subscription only in the inbound section & the policy scope should be either product, api or operation.

Here is a sample example, where the per subscription rate limit is 30 calls per 90 seconds. After each policy execution, the remaining calls allowed in the time period are stored in the variable remainingCallsPerSubscription.

<policies>
    <inbound>
        <base />
        <rate-limit calls="30" renewal-period="90" remaining-calls-variable-name="remainingCallsPerSubscription"/>
    </inbound>
    <outbound>
        <base />
    </outbound>
</policies>

Note: This policy can be used only once per policy document.

Policy expressions cannot be used in any of the policy attributes for this policy.

VenkateshDodda
  • Actually I need to use quota instead of rate limit. I need longer renewal periods, something like 1 month. So is there any way to retrieve the remaining calls and reset time using quota-by-key? – Islam Jan 18 '22 at 20:59
  • As mentioned in the [documentation](https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#SetUsageQuotaByKey), renewal periods should be mentioned in seconds & using the quota-by-key policy we can get the maximum total number of calls allowed during the time interval specified in the renewal-period. – VenkateshDodda Jan 19 '22 at 10:35
  • So is there any way to retrieve remaining quota while using quota-by-key? – Islam Jan 19 '22 at 12:18
  • Based on my understanding, we don't have any attribute related to remaining quota if we are using the quota-by-key policy & it isn't possible. – VenkateshDodda Jan 19 '22 at 12:40
  • @Islam - If my answer is helpful for you, you can accept it as an answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you – VenkateshDodda Jan 20 '22 at 09:33
  • 1
    Actually I've contacted Azure support. And I think I got what I wanted. There is a REST API to get the quota consumption. This is the API documentation for the same https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/quota-by-counter-keys/list-by-service. This REST API is used for quota policy only. I will add this as an answer. – Islam Jan 20 '22 at 22:00