API Management (1 / 25): You establish an API Management (APIM) gateway and incorporate an existing App Services API app within it. Your goal is to limit each client application to a maximum of 1000 calls to the API on an hourly basis. Which policies could achieve this requirement?
Answer:
To enforce a per-client limit of 1000 API calls per hour, a combination of rate-limit-by-key and quota-by-key policies is required:
rate-limit-by-key is used to control short-term bursts. However, this policy has a maximum renewal period of 300 seconds (5 minutes). To approximate an hourly rate, the hour is divided into 12 intervals. By allowing 80 calls per 5 minutes, the effective cap becomes 960 calls per hour, which satisfies the requirement of not exceeding 1000 calls/hour.
quota-by-key sets a hard cap on total usage. This policy allows a minimum renewal period of 300 seconds, so setting it to 1000 calls per 3600 seconds (1 hour) provides a strict upper boundary per client.
counter-key is required if you want the policy to apply per client (e.g., per subscription, per user, per IP). If you omit counter-key, the policy applies globally to all clients combined, which is rarely useful for rate-limiting or quotas in multi-tenant APIs.
Together, these policies ensure both rate smoothing and strict quota enforcement. All other options either violate APIM policy constraints (e.g., invalid renewal periods), omit required keys, or fail to distribute traffic safely within allowed limits.