The Cloudflare content delivery network (CDN) integrates with Cequence ASP to prevent account takeovers, API-based business logic abuse, and to analyze API transactions.
Cequence API Security Platform (Cequence ASP) uses an ML-based approach to eliminate avenues of fraud caused by automated attacks targeted at web, mobile, and API-based applications. This document focuses on the SaaS-based Cequence ASP solution, which significantly reduces deployment overhead. On-premises Cequence ASP solutions are also available.
Synopsis
All application traffic that terminates on Cloudflare is routed to Cequence ASP for inspection before it is forwarded to the application origin.
Traffic flow without Cequence ASP
The integration reconfigures the application traffic flow so that the Cequence Unified API Protection (UAP) platform sits in the line of traffic from Cloudflare to the application origin. Data masking is provided by the Cequence Bridge component: traffic from Cloudflare goes to the Cequence Bridge for masking before being sent on to the Cequence UAP platform.
Traffic flow with Cequence Bridge and Cequence UAP
Use Case
To help explain the configuration and setup steps required, this document uses a 'use case' to illustrate a successful integration of the Cequence Application Security Platform with the Cloudflare CDN.
- Website Hostname: www.cq-route.com
- Application Origin Hostname: origin-www.cq-route.com
The image below shows the typical DNS-based implementation for routing traffic for www.cq-route.com through Cloudflare.
Implement Cloudflare Load Balancer for Cequence
Cequence recommends using the Cloudflare Load Balancing feature to deploy Cequence in the line of application traffic, as it also provides the critical high-availability (fail-open) functions described below.
Go to Traffic > Load Balancing > Create Load Balancer
Step 1: Create Load Balancer
Define the DNS-based load balancer hostname. Cloudflare forwards requests to this hostname to fetch content from the application origin.
In our example, we define the hostname as origin-www-lb.cq-route.com.
Step 2: Configure Origin Pools
Create two Origin Pools for the Load Balancer to steer traffic to: one for Cequence and one for the Application Origin.
Configure Origin Pool for Cequence. The Origin Address in this case will be the unique Cequence hostname provided by the Cequence Account Team.
Configure Origin Pool for the Application Origin. The Origin Address in this case will be the application origin hostname.
Here is how the Origin Pools Summary appears after the two origin pools have been configured. Be sure to select Application Origin as the Fallback Pool as shown below.
Step 3: Create Health Monitors
A monitor issues health checks at regular intervals to evaluate the health of an origin pool. When a pool becomes unhealthy, the Cloudflare load balancer takes that pool out of the server rotation.
In the unlikely event that the Cequence platform becomes unavailable, the monitor triggers a fail-open: Cloudflare bypasses Cequence entirely and routes traffic directly to the Application Origin, preserving site uptime and availability.
Create a monitor for Cequence as shown below. Please verify the Monitor Path for your application with the Cequence Account Team.
Similarly, create a monitor for Application Origin. The monitor below is a reference for our use case.
After the monitors are successfully set up, the Health column on the Origin Pools summary page shows Healthy as shown below. Note the order of the Origin Pools: since we are setting up the Load Balancer in failover mode, Cequence should always be at Order #1.
Step 4: Configure Traffic Steering Policy
By default, Cloudflare routes to Origin Pools in the failover order listed. Ensure the Traffic Steering policy is set to Off so that the failover order stays intact.
Step 5: Deploy the Load Balancer
Save and Deploy the Load Balancer configuration. Deployed Load Balancer Summary:
Step 6: Update DNS record with Load Balancer hostname
This step deploys the application in production with Cequence in the line of traffic to the application origin. Change the DNS CNAME target for www.cq-route.com to the newly created Load Balancer hostname to put the site behind the Cloudflare load balancer in production.
Original DNS CNAME target for www.cq-route.com pointing to origin-www.cq-route.com:
Updated DNS CNAME target for www.cq-route.com below, replaced with the Load Balancer hostname origin-www-lb.cq-route.com:
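As an added example (not part of the original guide or of any Cloudflare or Cequence tooling), the script below checks a load balancer definition against the design built in Steps 1 to 6 (Cequence pool first, Application Origin as fallback, steering off, a health monitor on every pool) and models which pool receives traffic when the Cequence pool is unhealthy or disabled, as described in Appendices B and C. The pool and load balancer dictionaries are constructed for this example and only mimic the shape of Cloudflare's load balancer objects; the field names and the Cequence origin address are assumptions.

```python
"""Pre-deployment check for the fail-open load balancer layout and a model of
its failover behaviour. Added example; all data below is constructed."""

CEQUENCE_POOL = "pool-cequence"
APP_ORIGIN_POOL = "pool-app-origin"

# Constructed sample pools, each with a health monitor attached (Step 3).
POOLS = {
    CEQUENCE_POOL: {
        "name": "Cequence",
        "enabled": True,
        "healthy": True,
        "monitor": "monitor-cequence",
        # Placeholder: the real address is the hostname supplied by the Cequence Account Team.
        "origins": [{"address": "CEQUENCE-HOSTNAME-PLACEHOLDER", "enabled": True}],
    },
    APP_ORIGIN_POOL: {
        "name": "Application-Origin",
        "enabled": True,
        "healthy": True,
        "monitor": "monitor-app-origin",
        "origins": [{"address": "origin-www.cq-route.com", "enabled": True}],
    },
}

# Constructed sample load balancer as configured in Steps 1, 2, 4 and 5.
LOAD_BALANCER = {
    "name": "origin-www-lb.cq-route.com",
    "default_pools": [CEQUENCE_POOL, APP_ORIGIN_POOL],  # list order is the failover order
    "fallback_pool": APP_ORIGIN_POOL,
    "steering_policy": "off",
}


def validate_failover_config(lb, pools, cequence_pool, app_pool):
    """Return a list of problems; an empty list means the layout matches the guide."""
    problems = []
    if lb.get("steering_policy") != "off":
        problems.append("steering_policy must be 'off' so the listed failover order is used")
    order = lb.get("default_pools", [])
    if not order or order[0] != cequence_pool:
        problems.append("Cequence pool must be first in the failover order")
    if app_pool not in order:
        problems.append("Application Origin pool must be in the failover order")
    if lb.get("fallback_pool") != app_pool:
        problems.append("Application Origin must be the fallback pool")
    for pool_id in order:
        pool = pools.get(pool_id)
        if pool is None:
            problems.append(f"{pool_id}: referenced pool does not exist")
            continue
        if not pool.get("monitor"):
            problems.append(f"{pool['name']}: no health monitor attached, so failover cannot trigger")
        if not any(o.get("enabled") for o in pool.get("origins", [])):
            problems.append(f"{pool['name']}: no enabled origins")
    return problems


def select_pool(lb, pools):
    """Model failover steering: first enabled and healthy pool in order, else the fallback pool."""
    for pool_id in lb["default_pools"]:
        pool = pools[pool_id]
        if pool["enabled"] and pool["healthy"]:
            return pool_id
    return lb["fallback_pool"]


def with_state(pools, pool_id, **changes):
    """Return a copy of `pools` with one pool's fields changed, e.g. healthy=False."""
    updated = {pid: dict(p) for pid, p in pools.items()}
    updated[pool_id].update(changes)
    return updated


if __name__ == "__main__":
    print("problems:", validate_failover_config(LOAD_BALANCER, POOLS, CEQUENCE_POOL, APP_ORIGIN_POOL))
    print("normal:", select_pool(LOAD_BALANCER, POOLS))
    print("Cequence unhealthy (Appendix B):",
          select_pool(LOAD_BALANCER, with_state(POOLS, CEQUENCE_POOL, healthy=False)))
    print("Cequence disabled (Appendix C):",
          select_pool(LOAD_BALANCER, with_state(POOLS, CEQUENCE_POOL, enabled=False)))
```

Run it before Step 6: an empty problem list means the DNS cutover will put Cequence first with the Application Origin as the fail-open path, and the two modelled states show that an unhealthy or disabled Cequence pool sends traffic straight to the origin.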
Results
The following images illustrate the Cequence ASP platform processing traffic for an application configured with Cloudflare:
Appendix
A: Cequence inline without Cloudflare Load Balancer
Cequence can technically be deployed inline without using the Cloudflare Load Balancer. This can be achieved by updating the DNS CNAME target for the application and replacing it with the Cequence hostname. However, the advanced traffic management functions and the control offered by the Cloudflare Load Balancer make it the recommended integration architecture option.
B: Pool Unhealthy
If the Cequence origin pool becomes unhealthy, the Cloudflare Load Balancer marks the pool health as Critical / Unhealthy and bypasses Cequence altogether, routing traffic directly to the next Origin Pool in order, i.e. Application-Origin.
C: Force Cequence Out of Line
If Cequence needs to be taken out of the line of traffic, for troubleshooting the application or for any other reason, the Cloudflare Load Balancer lets you disable that specific Origin Pool without removing it from the configuration.
D: Preserve End-User IP at Application Origin
Cloudflare can be configured to add a True-Client-IP request header to capture the end-user IP address at the Origin. This feature is available in the Cloudflare Enterprise plan.
E: Cequence behind Cloudflare IP Ranges
Cequence allows only the Cloudflare IP ranges listed at https://www.cloudflare.com/ips/ as the definitive list of connecting IPs to accept traffic from. Any non-Cloudflare traffic attempting to connect to Cequence will fail to connect.
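The same two controls apply at an application origin that sits behind this chain: accept connections only from the Cloudflare ranges (Appendix E) and trust the True-Client-IP header (Appendix D) only on such connections, since a client connecting directly could otherwise set that header itself. The check below is an added illustration, not Cequence's or Cloudflare's code; the CIDR list is a short sample of entries from the published list and must be replaced by the current list fetched from https://www.cloudflare.com/ips/, and the requests are constructed.

```python
"""Origin-side peer and True-Client-IP check. Added example; ranges are a
sample only and the live list must be loaded from https://www.cloudflare.com/ips/."""
import ipaddress

# Sample entries from the published Cloudflare list; refresh from the URL above in practice.
SAMPLE_CLOUDFLARE_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "2400:cb00::/32",
]


def build_allow_list(cidrs):
    """Parse CIDR strings into network objects once, at startup."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_cloudflare_peer(peer_ip, allow_list):
    """True if the TCP peer address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allow_list)


def header_value(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def decide(peer_ip, headers, allow_list):
    """Return the accept decision and the client IP to log for one request."""
    if not is_cloudflare_peer(peer_ip, allow_list):
        # Appendix E behaviour: anything not arriving via Cloudflare is refused.
        return {"accept": False, "client_ip": None, "reason": "peer not in Cloudflare ranges"}
    raw = header_value(headers, "True-Client-IP")
    if raw is None:
        return {"accept": True, "client_ip": peer_ip, "reason": "no True-Client-IP; using peer address"}
    try:
        client_ip = str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        # A value that is not a single IP literal is not something to log as an address.
        return {"accept": False, "client_ip": None, "reason": "malformed True-Client-IP"}
    return {"accept": True, "client_ip": client_ip, "reason": "True-Client-IP from Cloudflare peer"}


# Constructed sample requests (peer address, headers).
SAMPLE_REQUESTS = [
    ("173.245.48.10", {"True-Client-IP": "203.0.113.7"}),
    ("198.51.100.9", {"True-Client-IP": "203.0.113.7"}),
    ("2400:cb00::1234", {}),
    ("103.21.244.3", {"true-client-ip": "203.0.113.7, 198.51.100.1"}),
]

if __name__ == "__main__":
    allow = build_allow_list(SAMPLE_CLOUDFLARE_RANGES)
    for peer, hdrs in SAMPLE_REQUESTS:
        print(peer, decide(peer, hdrs, allow))
```

The second request carries a plausible True-Client-IP but arrives from an address outside the ranges, so it is refused rather than logged under the header's value; the fourth shows that a list-valued header is treated as malformed instead of being partially parsed.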