This guide details the steps involved in deploying the Cequence Sensor virtual appliance on the Amazon Web Services (AWS) platform. Sensor operates as a passive component within the broader Cequence Unified API Protection (UAP) platform, safeguarding your APIs from various threats.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific deployment instructions.
- Enable Traffic Filter on the Cequence UAP platform: Make sure all traffic filters are enabled by following the Enable Traffic Filters guide.
- AWS Permissions: You must possess the necessary permissions to launch EC2 instances from the AWS Marketplace.
- AWS Marketplace Visibility: Ensure Cequence AMIs are visible within your AWS account. If they are not, create a ticket with Cequence referencing your AWS Account ID (Create a New Ticket: Enable AWS Marketplace AMI).
- Recommended Instance Types: Choose an instance type with sufficient resources, such as t2.medium or better.
- Recommended Storage Types: Utilize gp2 or gp3 storage types for optimal performance.
- Cequence Product Visibility: Submit a request to Cequence to enable visibility of their products within the AWS Marketplace for your account.
Deployment Procedure
Launch Sensor EC2 Instance:
- Access the Amazon EC2 console: https://console.aws.amazon.com/ec2/.
- Click "Launch Instance" on the dashboard.
- Under "Choose an Amazon Machine Image (AMI)," select the "AWS Marketplace" category.
- Search for "Cequence Sensor." If it is not found, refer to the prerequisites for enabling AMI visibility in your account.
- Click "Select" on the desired AMI.
- Review the AMI details and click "Continue."
Configure instance details:
- Enter a descriptive name under "Name and tags."
- Choose the appropriate VPC, subnet, and Availability Zone under "Networking."
- Select an existing security group or create a new one using Cequence defaults under "Security Groups."
- Review all configuration settings and click "Launch Instance."
Sensor Setup
Client ID and Secret
- Log in to the Cequence UAP web UI.
- Navigate to User Management, click "Clients", and then click "Add New Client".
- Provide a "Client Name" (for example, defender-client-0), select "Traffic Ingestion", and click "Save".
- Click the secret icon.
- A dialog box showing the Client Secret appears.
- Henceforth, we will interchangeably refer to "Client Name" as "client-id" and "Client Secret" as "client-secret".
SSH to the virtual machine
SSH to the virtual machine using the username ubuntu and the SSH private key selected during launch.
Sensor Config Setup
- Collect the following values and set them as environment variables for use in the commands that follow:
- cqai.yourdomain.com: your subdomain used in the DNS for the Cequence UAP platform
- client-id: "Client Name" created in the previous step
- client-secret: "Client Secret" created in the previous step
- interface-id: The network interface on the sensor box that receives traffic passively (e.g. eth0)
# replace each <...> placeholder with your own value
UAP_SUBDOMAIN=<cqai.yourdomain.com>
CLIENT_ID=<client-id>
CLIENT_SECRET=<client-secret>
INTERFACE_ID=<network-interface>
- Test connectivity with the Cequence UAP platform: a successful request shows an HTTP 200 OK status line in curl's verbose output.
# -k skips TLS certificate verification; -v prints the response status line to stderr
curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"
- Run setup command with the same parameters:
/opt/cequence/bin/setup.sh \
  ${UAP_SUBDOMAIN} \
  ${CLIENT_ID} \
  ${CLIENT_SECRET} \
  ${INTERFACE_ID}
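The connectivity test above relies on reading the 200 OK by eye in curl's verbose output. As an added example (not part of the Cequence guide or its tooling), the following script performs the same client-credentials request against the realm endpoint, checks the status code and response body in a function, and can be used to gate the setup.sh call. It assumes the UAP_SUBDOMAIN, CLIENT_ID, CLIENT_SECRET and INTERFACE_ID variables defined above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Cequence's own tooling): verify that the sensor can obtain a
# client-credentials token from the UAP realm endpoint before running setup.sh.
# Assumes the guide's environment variables UAP_SUBDOMAIN, CLIENT_ID, CLIENT_SECRET.

# Judge a token response. Arguments: <HTTP status> <response body>.
# Returns 0 only for HTTP 200 with an access_token in the body; 1 otherwise.
# A 401 with an "invalid_client" error body usually means a wrong client id or secret.
check_token_response() {
  status="$1"
  body="$2"
  if [ "$status" != "200" ]; then
    echo "token endpoint returned HTTP ${status}: ${body}" >&2
    return 1
  fi
  case "$body" in
    *'"access_token"'*) return 0 ;;
    *) echo "HTTP 200 but no access_token in response: ${body}" >&2; return 1 ;;
  esac
}

# Perform the same request as the guide's curl, but capture the status code and
# body instead of relying on -v output. The secret travels only in the form body.
# -k is kept to match the guide; drop it once the sensor trusts the UAP certificate.
fetch_token() {
  tmp=$(mktemp) || return 1
  status=$(curl -sS -k -o "$tmp" --write-out '%{http_code}' \
    --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "grant_type=client_credentials") || { rm -f "$tmp"; return 1; }
  body=$(cat "$tmp")
  rm -f "$tmp"
  check_token_response "$status" "$body"
}

# Usage on the sensor (uncomment): run setup only after the token check passes.
# fetch_token && /opt/cequence/bin/setup.sh "${UAP_SUBDOMAIN}" "${CLIENT_ID}" "${CLIENT_SECRET}" "${INTERFACE_ID}"
```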
Note: For advanced configuration options and detailed troubleshooting procedures, please refer to the in-product Cequence documentation.