Automated Policies

Configuring and using automated policies enables your Anypoint Platform instance to comply with common security and logging requirements by automatically applying the same set of policies to all APIs running in a single environment. With policy automation, API owners can quickly design, build, and deploy secure and consistent APIs.

With automated policies, API owners can deploy their APIs with confidence because the target environment automatically enforces critical policies. This ensures consistency and reduces possible errors. An administrator no longer needs to remember to insert a policy to enforce common standards manually.

Because best practices are built into the application network, API owners can design, build, and deploy APIs quickly without compromising security.

All of the included policies, as well as any custom policy, can be configured as automated policies and applied to all the APIs running in an environment.

Support for Automated Policies

The following rules apply to automated policies:

  • Automated policies are only available for Mule runtime engine (Mule) 4 APIs using a MuleSoft-hosted control plane.

  • Automated policies support all runtime deployment targets (CloudHub, Runtime Fabric, and Hybrid).

  • Automated policies have priority over the same types of policies already applied to a specific API proxy.

    For example, if an API proxy running Mule 4.1.2 has an IP Allowlist policy to allow only the IP range (from to, and a new IP Allowlist automated policy is created to only allow the IP range (from to and is applied to all supported Mule versions (4.1.1 and above), then this latter automated policy prevails.

    Note that in the above example, the IP range changed when the automated policy was applied.

    Additionally, if there is an automated policy already applied, you cannot apply that specific type of policy as a provided policy in a specific API proxy.

  • As an administrator, you can apply policies specific to external identity providers (IdPs, such as OpenID) if the environment to which you want to apply policies includes them.

    The policy is then enforced only on those APIs that have the same IdPs configured. For example, if you apply the PingFederate Access Token Enforcement policy, the policy is enforced on only those APIs that are configured to use PingFederate as the IdP.

Alerts cannot be added to API instances protected by automated policies.
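The rules listed above can be modelled to audit which API-level policies an automated policy supersedes. The following is an added example, not part of the original documentation or of Anypoint Platform; the policy labels, IP ranges, and function names are constructed for illustration, and the model assumes each automated policy carries a minimum Mule version.

```python
# Added illustration: a model of the precedence rules above, not platform code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    kind: str                      # constructed label, e.g. "ip-allowlist"
    config: str
    min_mule: tuple = (4, 0, 0)    # automated policies: lowest Mule version covered
    idp: Optional[str] = None      # set only for IdP-specific policies


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def effective_policies(mule_version, api_idp, api_policies, automated):
    """Return {kind: (source, Policy)} enforced on a single API."""
    version = parse_version(mule_version)
    result = {p.kind: ("api", p) for p in api_policies}
    if version[0] != 4:            # automated policies apply to Mule 4 APIs only
        return result
    for p in automated:
        if version < p.min_mule:   # runtime is older than the policy's range
            continue
        if p.idp is not None and p.idp != api_idp:
            continue               # IdP-specific policy, API uses another IdP
        result[p.kind] = ("automated", p)   # automated policy has priority
    return result


def overridden_kinds(mule_version, api_idp, api_policies, automated):
    """Kinds whose API-level configuration is replaced by an automated policy."""
    eff = effective_policies(mule_version, api_idp, api_policies, automated)
    return sorted(p.kind for p in api_policies if eff[p.kind][0] == "automated")


# Constructed sample data (documentation IP ranges, hypothetical labels).
AUTOMATED = [
    Policy("ip-allowlist", "192.0.2.0/24", min_mule=(4, 1, 1)),
    Policy("pingfederate-token-enforcement", "validate token", idp="PingFederate"),
]
API_LEVEL = [
    Policy("ip-allowlist", "198.51.100.0/24"),
    Policy("rate-limiting", "100 requests per minute"),
]

if __name__ == "__main__":
    for kind, (source, p) in effective_policies("4.1.2", "OpenID", API_LEVEL, AUTOMATED).items():
        print(f"{kind}: {p.config} (from {source})")
```

Running `overridden_kinds` across an environment's APIs before enabling an automated policy shows which existing allowlists or other per-API settings will stop being the enforced configuration.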
