This document outlines the official procedure for deploying the Cequence Bridge virtual appliance within your VMware ESXi environment. Bridge serves as an integral component within the comprehensive Cequence Unified API Protection (UAP) platform, safeguarding your critical APIs.
Prerequisites
- Pre-deployed Cequence UAP platform: Ensure your Cequence UAP platform is fully operational. Refer to the Cequence documentation for specific deployment instructions.
- VMware Compatibility: The target environment must be a VMware ESXi 6.7 or later system.
- vCenter Access: You must possess authorized access to the VMware vCenter Management Console.
- OVA Management Capabilities: The ability to upload and launch OVA templates through vCenter is required.
- Hardware Resources: Allocate sufficient resources for optimal performance: 2 vCPUs (x86_64 architecture), 4 GB RAM, and 8 GB SSD or better storage.
Deploying the Cequence Bridge OVA
- Access the Cequence portal and download the latest available version of the Bridge OVA.
- Log in to the vSphere HTML5 Client.
- Navigate to the target host or cluster for deployment within the vSphere interface.
- Click Actions > Deploy OVF Template.
- Browse and locate the downloaded Bridge OVA file.
- Carefully review and confirm all displayed OVF template details for accuracy.
- Assign a descriptive name and deployment location for the virtual machine.
- Choose the appropriate deployment configuration based on your specific environment's needs.
- Review and finalize any necessary configuration adjustments before proceeding.
- Click Finish to begin the deployment process.
- Use the vSphere HTML5 Client to track the deployment progress in real-time.
- Once complete, power on the newly deployed virtual machine.
Generating a client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
  The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management.
  The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
  The new client dialog box appears.
- Type the client name in the Client Name field.
  This name is the client ID. Note the client ID for later use.
- Enable the Traffic Ingestion toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
  A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
  The client is now set up. Note the client name for future use.
  The client list appears.
- Note the value of the client secret for later use. This value will not be shown again on the UI for security reasons.
SSH to the Defender Virtual Machine
username: cq-user
password: apiprotection
Setup
- Collect and note down the following values and set them as environment variables for later use:
  - cqai.yourdomain.com: the subdomain used in DNS for CQAI
  - upstream.apiserver.com: your upstream API server
  - client-id: the "Client Name" created in the previous step
  - client-secret: the "Client Secret" created in the previous step
UAP_SUBDOMAIN=<cqai.yourdomain.com>
UPSTREAM_SERVER=<upstream.apiserver.com>
CLIENT_ID=<client-id>
CLIENT_SECRET=<client-secret>
- Test connectivity with CQAI. A successful curl returns an HTTP 200 OK response.
curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"
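As an added example (not part of the Cequence documentation), the following POSIX shell script wraps the token request above: it refuses to run while any of the four Setup variables is unset or still contains an angle-bracket placeholder, performs the same client-credentials request with certificate verification left on (the -k flag is omitted), checks for HTTP 200, and extracts access_token from the response with a small sed-based helper. The function names check_vars, json_field and fetch_token are my own, and the JSON used in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the Cequence documentation.
# Wraps the Setup-section token request: refuses to run with unset or
# placeholder variables, keeps TLS verification on, checks for HTTP 200
# and extracts access_token. Function names are my own.

# Return 1 if any Setup variable is unset or still an unreplaced <placeholder>.
check_vars() {
  for name in UAP_SUBDOMAIN UPSTREAM_SERVER CLIENT_ID CLIENT_SECRET; do
    eval "val=\$$name"
    case "$val" in
      ''|*'<'*'>'*)
        echo "error: $name is unset or still a placeholder" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Print the value of a top-level key from a flat JSON object on stdin
# (enough for the token response; jq is not assumed to be installed).
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Request a token with the client-credentials grant; print access_token on
# HTTP 200, otherwise report the status and return 1. No -k: the auth
# endpoint's certificate must validate against the system trust store.
fetch_token() {
  check_vars || return 1
  resp=$(curl -s -w '\n%{http_code}' \
    --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "grant_type=client_credentials") || return 1
  code=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  [ "$code" = "200" ] || { echo "token request failed: HTTP $code" >&2; return 1; }
  printf '%s\n' "$body" | json_field access_token
}
```

Call fetch_token after assigning the four variables; it prints only the token, so it can be captured with TOKEN=$(fetch_token).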
Note: For advanced configuration options and detailed troubleshooting procedures, please refer to the in-product Cequence documentation.
Connecting Traffic Sources to Cequence Bridge
The Cequence Bridge can connect to multiple traffic sources. The Cequence Bridge currently supports the HTTP and F5 High-Speed Logging (HSL) protocols.
When you connect an HTTP traffic source to the Cequence Bridge, including Cequence Sensor or any API gateway integration, use the HTTP configuration shown below.
When you connect an F5 HSL traffic source, configure F5 HSL for use with the Cequence Bridge.
HTTP traffic configuration for the Cequence Bridge
cequenceBridge:
  config:
    reader:
      type: "http"
      server:
        port: "9443"
    logging:
      output: "file"
      level: "info"
    apiEndpoint:
      uapSubdomain: <UAP_SUB_DOMAIN>
      auth:
        clientId: <clientID>
        clientSecret: <clientSecret>
  service:
    port: "9443"
    targetPort: "9443"
    scheme: http
  ingress:
    enabled: true
    className: "nginx"
    hosts:
      - host: bridge.<UAP_SUB_DOMAIN>
        paths:
          - path: /
            pathType: Prefix
    tls:
      - hosts:
          - bridge.<UAP_SUB_DOMAIN>
        secretName: bridge-tls-secret
Verification
Once the Defender is successfully onboarded, on the Cequence UAP portal, navigate to System Diagnostics and scroll to the bottom of the page to list the Defender instances.
The newly added Defender can be identified as defender-<machine-id>, where machine-id is the virtual machine's unique identifier located in /etc/machine-id of the Defender Virtual Machine.
A successful installation of Cequence Bridge produces the following output.
url = "https://cequence-bridge-app-<NAME>.azurecontainerapps.io/api-transactions"
Note that the "NAME" attribute in the URL above is auto-assigned by Terraform, not configured by any configuration listed on this page.
Traffic sent to the above URL with the appropriate JSON body is visible in the Cequence UAP. Browse to the Sitemap Discovery page under "Threat Detection" to confirm that the requests you send via Cequence Bridge are reaching the UAP platform.
Sizing Requirements
- 100-500 RPS
  - CPU limit: 500m
  - CPU request: 200m
  - Memory limit: 800Mi
  - Memory request: 300Mi
- Up to 1000 RPS
  - CPU limit: 1
  - CPU request: 500m
  - Memory limit: 2Gi
  - Memory request: 1Gi