@Martin Kallukalam Thanks for reaching out. The <authentication-certificate> policy you’re using is indeed applied in the inbound section of the API Management policy.
Inbound section: This is where the request first hits the API Management service. At this point, the service can manipulate the request before it gets sent to the backend. This is why the <authentication-certificate> policy is applied here - it’s at this stage that the certificate is attached to the request.
Backend section: This is where the request is forwarded to the backend service. At this point, the request has already been prepared and is ready to be sent. The backend service then uses the certificate for authentication.
So, while it might seem more logical for the <authentication-certificate> policy to be in the backend section, it’s actually necessary for it to be in the inbound section so that the certificate can be attached to the request before it’s sent to the backend.
I hope this helps clarify things! Do let me know in case of further queries; I would be happy to assist you.
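
The placement described in this answer, as an added example that is not part of the original reply: a policy document with the certificate attached in the inbound section. The certificate ID `backend-client-cert` is a placeholder for a certificate already uploaded to the API Management instance.

```xml
<!-- Added illustration; "backend-client-cert" is a placeholder certificate ID -->
<policies>
    <inbound>
        <base />
        <!-- Attaches the client certificate while the request is still being prepared -->
        <authentication-certificate certificate-id="backend-client-cert" />
    </inbound>
    <backend>
        <!-- The prepared request, certificate included, is forwarded to the backend here -->
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```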