Prev Next

API / APIGEE Gateway Interview Questions

What are common Apigee anti-patterns and best practices for production deployments?

Knowing what NOT to do is as important as knowing the policies. These anti-patterns are commonly asked about in senior Apigee interviews and architecture reviews.

Common Apigee anti-patterns and their fixes
Anti-patternProblemBest practice
Hardcoding backend URLs in proxy XMLURL breaks when environment changes; requires proxy redeployment to updateUse Target Servers (environment-scoped) for all backend URLs
No DefaultFaultRuleApigee returns raw technical error messages to clientsAlways define a DefaultFaultRule with a friendly JSON error response
Security policies in PostFlowAuth bypass possible if a ConditionalFlow error occursSecurity policies (VerifyAPIKey, OAuthV2) must be in ProxyEndpoint PreFlow
Copying policies across proxiesChange in one proxy not reflected in others; driftExtract common logic into Shared Flows and call via FlowCallout
Using target.url to hardcode in AssignMessageSame as hardcoded URL issueUse Target Servers or KVMs
No SpikeArrest before QuotaSudden bursts still reach backend before Quota catches themAlways pair SpikeArrest (first) + Quota (second) for traffic management
Using Trace in production without restrictionsSensitive data captured; performance impactRestrict trace access via IAM; set short TTL on trace sessions
Deploying untested proxy to prodBugs in productionEnforce CI/CD: apigeelint + integration tests before prod promotion
<!-- Best practice: complete PreFlow with both SpikeArrest and Quota -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- 1. Protect from spikes first -->
      <Step><Name>SpikeArrest</Name></Step>
      <!-- 2. Validate the API key -->
      <Step><Name>VerifyAPIKey</Name></Step>
      <!-- 3. Enforce business quota (after key validation
              so the quota counter knows which developer) -->
      <Step><Name>Quota</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <!-- 4. Always have a DefaultFaultRule -->
  <DefaultFaultRule name="DefaultFaultRule">
    <Step><Name>AM.GenericErrorResponse</Name></Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
</ProxyEndpoint>

Why must the VerifyAPIKey policy be placed in the ProxyEndpoint PreFlow rather than a ConditionalFlow?
What is the correct order of traffic management policies in an Apigee PreFlow for a well-designed API proxy?

Invest now in Acorns!!! 🚀 Join Acorns and get your $5 bonus!
Acorns Logo

Invest now in Acorns!!! 🚀
Join Acorns and get your $5 bonus!

Earn passively and while sleeping

Acorns is a micro-investing app that automatically invests your "spare change" from daily purchases into diversified, expert-built portfolios of ETFs. It is designed for beginners, allowing you to start investing with as little as $5. The service automates saving and investing. Disclosure: I may receive a referral bonus.

Robinhood Logo

Invest now!!! Get Free equity stock (US, UK only)!

Use Robinhood app to invest in stocks. It is safe and secure. Use the Referral link to claim your free stock when you sign up!.

The Robinhood app makes it easy to trade stocks, crypto and more.


Webull Logo

Webull! Receive free stock by signing up using the link: Webull signup.

More Related questions...

What is Apigee and what problem does it solve for organisations? What are the deployment models available in Apigee? What is an API proxy in Apigee and what are its main components? What are Flows in Apigee and what is the request/response processing pipeline? What are Apigee Policies and what categories are available? What is the VerifyAPIKey policy and how does basic API key security work in Apigee? How does OAuth 2.0 work in Apigee and what grant types are supported? What is the difference between Quota and SpikeArrest policies in Apigee? What is an API Product in Apigee and how does it differ from an API Proxy? What is the Apigee organisation hierarchy and what are Environments? What are Shared Flows in Apigee and when do you use them? What is response caching in Apigee and how do you configure the ResponseCache policy? What is the AssignMessage policy and what can it do? What is the ExtractVariables policy and how does it work with flow variables? What is the ServiceCallout policy and when would you use it? What are Key Value Maps (KVMs) in Apigee and how do you use them? How does fault handling and error management work in Apigee? What is Target Server configuration in Apigee and why is it used instead of hardcoding backend URLs? What analytics capabilities does Apigee provide? What is the Apigee Developer Portal and how does it support the developer experience? How does JWT validation work in Apigee? What is the MessageLogging policy in Apigee and how is it used for audit and debugging? How does Apigee handle CORS (Cross-Origin Resource Sharing)? What is the Apigee hybrid architecture in more depth, including its components? What are Environment Groups and how does routing work in Apigee? How does TLS and mutual TLS (mTLS) work in Apigee? What is the Access Control policy in Apigee and how do you allowlist/denylist IPs? How do the JSONToXML and XMLToJSON policies work in Apigee? What is GraphQL proxy support in Apigee? What is Apigee CI/CD and how do you deploy proxies in a pipeline? What is RBAC (Role-Based Access Control) in Apigee and what are the built-in roles? What is Advanced API Security in Apigee and how does it detect bot attacks? What is Apigee API Hub and how does it relate to Apigee gateway? How does load balancing and health checking work on Apigee TargetEndpoints? What is the Apigee Debug / Trace tool and how do you use it for troubleshooting? How do you import an OpenAPI specification into Apigee to generate a proxy? What is Apigee monetisation and how does it work? What are Apigee flow variables and how do you work with them? How does Apigee compare to other API gateways such as Kong, AWS API Gateway, and MuleSoft? What are common Apigee anti-patterns and best practices for production deployments?
Show more question and Answers...

BigData

Comments & Discussions