Adding policy-based capabilities to an API proxy is a two-step process:
1. Configure an instance of a policy type.
2. Attach the policy instance to a Flow.
The diagram below shows the relationship between policies and flows. As you can see, a policy
is attached to a flow as a processing step. To configure the desired behavior for your API, you
need to understand a little bit about flows.
(This topic was covered earlier in Configuring flows.)
One type of policy that is commonly used is the SpikeArrest policy. SpikeArrest prevents
sudden increases in message traffic that might swamp your backend services.
Attaching a policy to a flow
Apigee in Cloud console
To attach a policy to a flow:
1. Select an API proxy and navigate to the Develop view.
2. In the left-hand pane, click the + button in the Policies row.
3. In the Create policy dialog, click in the Select policy type field,
   scroll down to Traffic Management, and select SpikeArrest.
4. Optionally, you can change the Display name and Name of the policy.
   When you are done, click Create to create the policy.
5. Now that you have created the Spike Arrest policy, you can attach it to a step in
   the PreFlow. To do so, select Proxy Endpoints > default > PreFlow in the
   left-hand pane:
6. Click the + button next to PreFlow in the Response pane
   at the bottom-right of the Visual Editor:
7. In the Add policy step dialog, select the Spike Arrest policy.
8. Click Add to attach the policy.
   The Spike Arrest policy is now displayed in the Response pane:
   The following XML code for the proxy is displayed in the text editor:
You can configure a policy by directly editing its XML configuration in the
Code view. For example, the peak message rate for the Spike Arrest policy is
initially set to 30 messages per second. You can change the peak rate by changing the
<Rate> element value in the XML for the policy. For further details about
configuring policies, see the
Policy reference.
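A check that can be run over an exported proxy bundle to confirm that a SpikeArrest policy is sanely configured and attached where it can take effect. This is an added example, not code from the Apigee documentation: the XML samples are constructed on the shapes the editor shows, the function names and finding texts are hypothetical, and only literal `<Rate>` values of the form `30ps` or `120pm` are parsed (a `<Rate>` carrying a `ref` attribute is accepted unchecked).

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the XML the proxy editor displays.
POLICY = """<SpikeArrest continueOnError="false" enabled="true" name="spikearrest-1">
  <Rate>30ps</Rate>
</SpikeArrest>"""
ENDPOINT = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response><Step><Name>spikearrest-1</Name></Step></Response>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow"><Request/><Response/></PostFlow>
</ProxyEndpoint>"""

def rate_per_second(text):
    """Parse a literal Rate such as '30ps' or '120pm'; None if malformed or zero."""
    m = re.fullmatch(r"\s*([1-9]\d*)(ps|pm)\s*", text or "")
    return int(m.group(1)) / (1 if m.group(2) == "ps" else 60) if m else None

def attachments(endpoint_xml, policy_name):
    """Return (flow name, direction) for every Step that names the policy."""
    root = ET.fromstring(endpoint_xml)
    flows = root.findall("PreFlow") + root.findall("Flows/Flow") + root.findall("PostFlow")
    return [(flow.get("name"), direction)
            for flow in flows
            for direction in ("Request", "Response")
            for step in flow.findall(f"{direction}/Step/Name")
            if (step.text or "").strip() == policy_name]

def review(policy_xml, endpoint_xml):
    """List reasons the SpikeArrest policy may not protect the backend."""
    policy = ET.fromstring(policy_xml)
    findings = []
    if policy.get("enabled", "true") != "true":
        findings.append("policy is disabled")
    if policy.get("continueOnError", "false") == "true":
        findings.append("continueOnError is true: the flow continues even if the policy fails")
    rate = policy.find("Rate")
    if rate is None or (rate.get("ref") is None and rate_per_second(rate.text) is None):
        findings.append("Rate is missing or malformed")
    where = attachments(endpoint_xml, policy.get("name"))
    if not where:
        findings.append("policy is defined but not attached to any flow")
    elif all(direction == "Response" for _, direction in where):
        findings.append("attached only to a response flow, which runs after the target was called")
    return findings
```

The constructed endpoint attaches the step under `<Response>`, so `review(POLICY, ENDPOINT)` reports the response-only attachment: a ProxyEndpoint response flow executes after the target has already answered. Moving or adding the step under the PreFlow `<Request>` clears the finding.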
You can also cut-and-paste policies into the Code view. This is a great way
to re-use policies from the samples available on GitHub.
When you make changes to a policy definition in the Code view, the changes
are reflected in the Property Inspector. The reverse is also true — make
changes in the Property Inspector and they appear in the XML in the
Code view.
For documentation specific to the Quota policy used in this topic, see Quota policy.
To use Gemini Code Assist code explain with policies:
- While editing the policy in the Code view, highlight part of the policy code,
  such as an XML element or attribute. You can also highlight multiple elements.
- Click the Gemini Code Assist icon as shown below.
  The side panel shows information on the policy and the element you highlighted.
Alert: Clicking the Gemini Code Assist icon sends the highlighted text to Gemini in Google Cloud console.
Last updated 2025-08-28 UTC.