The Cequence Unified API Protection (UAP) platform can be integrated into an Azure API Gateway environment in several ways depending on the desired outcome and goals.
This document provides a set of steps for passive "capture and forward" by an Azure API Gateway resident script to a Cequence API Edge traffic ingestion API. This script is installed using Azure API Management.
This integration method provides the Cequence UAP platform with transaction information that enables discovery and analysis for Bot Detection and API traffic analysis, including the discovery and analysis of known, unknown, and shadow API traffic, as well as monitoring for sensitive data exposure and potential OWASP API violations.
The previous diagram depicts transactions being captured by one or more Azure API Gateways. After capture, the Cequence API Edge query receives copies of the transaction information and sends the copies to the Cequence API Edge traffic ingestion API using POST. The traffic ingestion API forwards the transaction information to the UAP platform control plane for analysis. After the initial capture, the application data stream is handled in the same manner as transactions captured by Cequence Defender or Cequence Sensor.
Prerequisites
Before deploying this integration, verify that your Azure environment meets the following requirements.
- Azure API Management User Interface must have access to the in-flow Azure API Gateway.
- VPC and Virtual Network administrative rights to configure Access Control Lists, Ingress, and Egress to enable POST requests and responses for authentication, traffic ingestion API queries, and, optionally, access to the UAP user interface.
- The ability to inject an XML action script for forwarding API transactions for the monitored application through Cequence API queries.
Also verify that your UAP platform environment meets the following requirements.
- An API client created through the UAP platform's Cequence Management Interface.
- Cluster Ingress and Egress rules modified to enable authentication and traffic ingestion queries.
- Optionally, include at least one administrative and test console in the Allow rules. This console enables administrative access to the UAP platform's Cequence Management Interface and the testing and validation of capture and forwarding API requests.
- The exact Cequence UAP platform authentication and API Edge endpoints for your Cequence host. These values are formatted in the following manner:
  "auth.<customer_name>.cequence.cloud/" (UAP platform authentication)
  "edge.<customer_name>.cequence.cloud/" (API Edge endpoint)
  Your Cequence Success Team Representative can assist you in determining these values.
Note: Cequence Bridge uses the same authentication method as API Edge. If your deployment uses Cequence Bridge, you can use the Cequence Bridge URL in any step of this procedure that refers to the API Edge URL. Configuration of traffic filtering and sensitive data masking for the Cequence Bridge is discussed in a separate article.
Creating a Cequence UAP platform API client
The API client uses POST requests to capture transactions for traffic ingestion by the UAP platform's API Edge at the /api_transactions endpoint.
- In the Cequence Management Interface, open General Settings: User Management.
  The Add New Client dialog box appears.
- In the Client Name field, type a client name.
  Client names must be unique. Subsequent authentication requests use this client name. In the APIM Named Values configuration, the value of ceq-client-id is set to match this value.
- Enable the Traffic Ingestion toggle.
- In the Token Lifespan field, type a duration in seconds.
  In the APIM Named Values configuration, the value of ceq-token-acquisition-timeout is set to match this value.
- Click Save.
  The UAP platform saves the new client and displays the Clients tab of the User Management page.
- Click the eye in the Secret column for the new client.
  In the APIM Named Values configuration, the value of ceq-client-secret is set to match this value. Click the copy icon to copy the secret to the clipboard. The eye icon is also available when the client values are being edited.
- In the Azure API Management user interface, add the following Named Values.
Name                             Value
ceq-client-id                    The name of the API client
ceq-client-secret                The client secret generated during client creation
ceq-ingress-endpoint             The Edge endpoint traffic ingestion URL for a single transaction. This URI takes the form https://edge.<customer_name>.cequence.cloud/api-transaction
ceq-token-acquisition-timeout    The connection timeout value configured for the Cequence Traffic Ingestion client.
ceq-token-endpoint               https://auth.<customer_name>.cequence.cloud/auth/realms/cequence/protocol/openid-connect/token
- In Azure, go to APIs > All APIs or Your API > Design > Backend > Policy and add the outbound section of the shared XML policy.
  To monitor all APIs, use All APIs. To monitor individual APIs, use this procedure separately for each API.
- Add the Policy Script Snippet to execute on each transaction (attached below).
The script connects and authenticates to your UAP platform instance, using the Cequence Auth API endpoint. Once authenticated, the script sends a structured copy of the API transaction, which consists of a request and the response to that request, to your UAP platform instance using the Cequence traffic ingestion endpoint.
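As an added illustration of the flow just described (this is not the Cequence snippet the page refers to, which is attached separately), the APIM outbound policy fragment below uses the Named Values from the table: it obtains a bearer token from ceq-token-endpoint with an assumed client-credentials grant, caches it for ceq-token-acquisition-timeout seconds (an assumed use of that value), and posts a JSON copy of the request and response to ceq-ingress-endpoint. The 10-second token request timeout, the cache key, and the transaction JSON shape are assumptions.

```xml
<outbound>
    <base />
    <!-- 1. Reuse a cached bearer token; on a cache miss, fetch one with the client-credentials grant (assumed). -->
    <cache-lookup-value key="ceq-bearer-token" variable-name="ceqToken" />
    <choose>
        <when condition="@(!context.Variables.ContainsKey("ceqToken"))">
            <send-request mode="new" response-variable-name="ceqTokenResponse" timeout="10" ignore-error="true">
                <set-url>{{ceq-token-endpoint}}</set-url>
                <set-method>POST</set-method>
                <set-header name="Content-Type" exists-action="override"><value>application/x-www-form-urlencoded</value></set-header>
                <set-body>@("grant_type=client_credentials&client_id=" + System.Net.WebUtility.UrlEncode("{{ceq-client-id}}") + "&client_secret=" + System.Net.WebUtility.UrlEncode("{{ceq-client-secret}}"))</set-body>
            </send-request>
            <set-variable name="ceqToken" value="@{
                var r = context.Variables["ceqTokenResponse"] as IResponse;
                return (r == null || r.StatusCode != 200) ? string.Empty : (string)r.Body.As<JObject>()["access_token"];
            }" />
            <choose>
                <when condition="@(!string.IsNullOrEmpty((string)context.Variables["ceqToken"]))">
                    <cache-store-value key="ceq-bearer-token" value="@((string)context.Variables["ceqToken"])" duration="{{ceq-token-acquisition-timeout}}" />
                </when>
            </choose>
        </when>
    </choose>
    <!-- 2. Fire-and-forget a copy of the transaction so the caller's response is neither delayed nor altered. -->
    <choose>
        <when condition="@(!string.IsNullOrEmpty((string)context.Variables["ceqToken"]))">
            <send-one-way-request mode="new">
                <set-url>{{ceq-ingress-endpoint}}</set-url>
                <set-method>POST</set-method>
                <set-header name="Authorization" exists-action="override"><value>@("Bearer " + (string)context.Variables["ceqToken"])</value></set-header>
                <set-header name="Content-Type" exists-action="override"><value>application/json</value></set-header>
                <set-body>@{
                    // Assumed transaction shape (the real field names come from the attached snippet); credential-bearing headers are dropped.
                    var blocked = new[] { "authorization", "cookie", "set-cookie" };
                    var reqHeaders = new JObject(context.Request.Headers.Where(h => !blocked.Contains(h.Key.ToLowerInvariant())).Select(h => new JProperty(h.Key, string.Join(",", h.Value))));
                    var tx = new JObject(
                        new JProperty("request", new JObject(
                            new JProperty("method", context.Request.Method),
                            new JProperty("url", context.Request.OriginalUrl.ToString()),
                            new JProperty("headers", reqHeaders),
                            new JProperty("body", context.Request.Body == null ? null : context.Request.Body.As<string>(preserveContent: true)))),
                        new JProperty("response", new JObject(
                            new JProperty("status", context.Response.StatusCode),
                            new JProperty("body", context.Response.Body == null ? null : context.Response.Body.As<string>(preserveContent: true)))));
                    return tx.ToString();
                }</set-body>
            </send-one-way-request>
        </when>
    </choose>
</outbound>
```

A token failure leaves ceqToken empty, so the transaction copy is skipped rather than sent unauthenticated, and preserveContent: true keeps the original bodies intact for the real caller.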
The API client is now ready to send data to Cequence.
Validate successful operation by using curl, Postman, or another API client to initiate a call to your server.
A successful response has the HTTP response code 200 and contains {"status": "OK"} in the response body.
In Cequence Diagnostics, use the Diagnostics: System Diagnostics page to look at the Unknown Traffic pane. The recent API call appears with a POST request and URI.