Policies


Policies are operational controls that govern how communication happens between connected entities. While guardrails focus on content, policies focus on mechanics: rate limits, geographic restrictions, volume caps, and time-based access.

Available policy types

Rate limiting

Control the number of requests per time window for a connection.

  • Per-minute limits: Prevent burst traffic from overwhelming a server
  • Per-hour limits: Cap sustained usage over longer periods
  • Per-day limits: Set daily usage quotas

Rate limits are applied per connection, so different callers can have different limits for the same server.

Geographic restrictions

Restrict connections based on the geographic origin of requests.

  • Allow list: Only accept requests from specified regions
  • Block list: Block requests from specified regions

This is useful for compliance with data residency requirements or for limiting exposure to specific markets.

Volume caps

Set absolute limits on the total number of requests over a period.

  • Daily volume: Maximum requests per 24-hour period
  • Monthly volume: Maximum requests per billing cycle

When a volume cap is reached, subsequent requests are rejected until the next period.

Time-based access

Restrict when connections are active.

  • Business hours: Only allow requests during specified hours (e.g., 9 AM to 6 PM UTC)
  • Maintenance windows: Temporarily disable connections during planned maintenance
  • Scheduled access: Allow connections only on specific days of the week

IP allowlists

Restrict connections to requests originating from known IP addresses or CIDR ranges.

  • Specify individual IPs or IP ranges
  • Requests from unlisted IPs are rejected

Configuring policies

Policies are set per connection, per direction, similar to guardrails:

Client-side policies

  • Outgoing requests: Rate limits on how often the client can call the server
  • Incoming responses: Rarely used, but can cap response frequency

Server-side policies

  • Incoming requests: Rate limits and access controls on what the server accepts
  • Outgoing responses: Volume caps on data returned

Policy evaluation

When a request arrives, policies are evaluated in this order:

  1. IP allowlist: Is the request from an approved IP?
  2. Geographic restriction: Is the request from an approved region?
  3. Time-based access: Is the connection active right now?
  4. Rate limit: Is the caller within their rate limit?
  5. Volume cap: Is the connection within its volume cap?

If any check fails, the request is rejected with an appropriate error code. Guardrails are evaluated after all policy checks pass.
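The evaluation order above, as an added sketch that is not the product's own code: the `ConnectionPolicy` fields, the `evaluate` function and the returned check names are hypothetical, and the sketch assumes an allow-list geographic policy, a per-minute sliding window and a daily cap keyed on the UTC date.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ConnectionPolicy:  # hypothetical structure, not the product's schema
    ip_allowlist: list            # CIDR strings
    allowed_regions: set          # region codes on the allow list
    active_hours_utc: tuple       # (start_hour, end_hour), end exclusive
    per_minute_limit: int
    daily_cap: int
    recent: deque = field(default_factory=deque)  # accepted timestamps, last 60 s
    day: object = None            # UTC date the daily counter belongs to
    day_count: int = 0

def evaluate(policy, src_ip, region, now):
    """Return (allowed, failed_check); `now` is a timezone-aware UTC datetime."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(c) for c in policy.ip_allowlist):
        return False, "ip_allowlist"
    if region not in policy.allowed_regions:
        return False, "geographic_restriction"
    start, end = policy.active_hours_utc
    if not start <= now.hour < end:
        return False, "time_based_access"
    ts = now.timestamp()
    while policy.recent and ts - policy.recent[0] >= 60:
        policy.recent.popleft()   # slide the one-minute window
    if len(policy.recent) >= policy.per_minute_limit:
        return False, "rate_limit"
    if policy.day != now.date():
        policy.day, policy.day_count = now.date(), 0   # new daily period
    if policy.day_count >= policy.daily_cap:
        return False, "volume_cap"
    # Assumption: only accepted requests consume rate and volume budget.
    policy.recent.append(ts)
    policy.day_count += 1
    return True, None

if __name__ == "__main__":
    # Constructed sample: documentation address ranges, made-up limits.
    p = ConnectionPolicy(["203.0.113.0/24"], {"DE"}, (9, 18), 2, 3)
    t = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    for ip, region in [("198.51.100.7", "DE"), ("203.0.113.5", "US"),
                       ("203.0.113.5", "DE"), ("203.0.113.5", "DE"),
                       ("203.0.113.5", "DE")]:
        print(ip, region, evaluate(p, ip, region, t))
```

Because the stateless checks (IP, region, time) run before the counters are touched, a request rejected by one of them never consumes rate or volume budget in this sketch.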

Policies vs guardrails

Use policies for operational boundaries and guardrails for content control. The two are complementary:

  • Policies prevent abuse at the infrastructure level (DDoS, runaway loops, unauthorized regions)
  • Guardrails prevent misuse at the content level (data leakage, prohibited actions, sensitive information)
