infra/core/gateway/apim-api-policy.xml

<!-- Policy configuration for the API. Explore other sample policies at https://learn.microsoft.com/en-us/azure/api-management/policies/ -->
<policies>
    <inbound>
        <base />
        <!-- This policy is needed to handle preflight requests using the OPTIONS method. Learn more at https://learn.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies  -->
        <cors allow-credentials="false">
            <allowed-origins>
                <origin>{0}</origin>
            </allowed-origins>
            <allowed-methods>
                <method>PUT</method>
                <method>GET</method>
                <method>POST</method>
                <method>DELETE</method>
                <method>PATCH</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <!-- Optional policy to validate the request content. Learn more at https://learn.microsoft.com/en-us/azure/api-management/validation-policies#validate-content -->
        <validate-content unspecified-content-type-action="ignore" max-size="1024" size-exceeded-action="detect" errors-variable-name="requestBodyValidation">
            <content type="application/json" validate-as="json" action="detect" />
        </validate-content>
        <!-- Optional policy to send custom trace telemetry to Application Insights. Learn more at https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#Trace -->
        <trace source="@(context.Api.Name)" severity="verbose">
            <message>Call to the @(context.Api.Name)</message>
            <metadata name="User-Agent" value="@(context.Request.Headers.GetValueOrDefault("User-Agent",""))" />
            <metadata name="Operation Method" value="@(context.Request.Method)" />
            <metadata name="Host" value="@(context.Request.Url.Host)" />
            <metadata name="Path" value="@(context.Request.Url.Path)" />
        </trace>
    </inbound>
    <backend>
        <limit-concurrency key="@(context.Request.IpAddress)" max-count="3">
            <forward-request timeout="120" />
        </limit-concurrency>
    </backend>
    <outbound>
        <base />
        <!-- Optional policy to validate the response headers. Learn more at https://learn.microsoft.com/en-us/azure/api-management/validation-policies#validate-headers -->
        <validate-headers specified-header-action="ignore" unspecified-header-action="ignore" errors-variable-name="responseHeadersValidation" />
        <!-- Optional policy to to send custom metrics to Application Insights. Learn more at https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#emit-metrics -->
        <choose>
            <when condition="@(context.Response.StatusCode >= 200 && context.Response.StatusCode < 300)">
                <emit-metric name="Successful requests" value="1" namespace="apim-metrics">
                    <dimension name="API" value="@(context.Api.Name)" />
                    <dimension name="Client IP" value="@(context.Request.IpAddress)" />
                    <dimension name="Status Code" value="@((String)context.Response.StatusCode.ToString())" />
                    <dimension name="Status Reason" value="@(context.Response.StatusReason)" />
                </emit-metric>
            </when>
            <when condition="@(context.Response.StatusCode >= 400 && context.Response.StatusCode < 600)">
                <emit-metric name="Failed requests" value="1" namespace="apim-metrics">
                    <dimension name="API" value="@(context.Api.Name)" />
                    <dimension name="Client IP" value="@(context.Request.IpAddress)" />
                    <dimension name="Status Code" value="@(context.Response.StatusCode.ToString())" />
                    <dimension name="Status Reason" value="@(context.Response.StatusReason)" />
                    <dimension name="Error Source" value="backend" />
                </emit-metric>
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
        <!-- Optional policy to handle errors. Learn more at https://learn.microsoft.com/en-us/azure/api-management/api-management-error-handling-policies -->
        <trace source="@(context.Api.Name)" severity="error">
            <message>Failed to process the @(context.Api.Name)</message>
            <metadata name="User-Agent" value="@(context.Request.Headers.GetValueOrDefault("User-Agent",""))" />
            <metadata name="Operation Method" value="@(context.Request.Method)" />
            <metadata name="Host" value="@(context.Request.Url.Host)" />
            <metadata name="Path" value="@(context.Request.Url.Path)" />
            <metadata name="Error Reason" value="@(context.LastError.Reason)" />
            <metadata name="Error Message" value="@(context.LastError.Message)" />
        </trace>
        <emit-metric name="Failed requests" value="1" namespace="apim-metrics">
            <dimension name="API" value="@(context.Api.Name)" />
            <dimension name="Client IP" value="@(context.Request.IpAddress)" />
            <dimension name="Status Code" value="500" />
            <dimension name="Status Reason" value="@(context.LastError.Reason)" />
            <dimension name="Error Source" value="gateway" />
        </emit-metric>
        <!-- Optional policy to hide error details and provide a custom generic message. Learn more at https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#ReturnResponse -->
        <return-response>
            <set-status code="500" reason="Internal Server Error" />
            <set-body>We're Sorry. An unexpected error has occurred. If this continues please contact Tech Support.</set-body>
        </return-response>
    </on-error>
</policies>