Cequence Bridge is a virtual appliance that acts as a traffic collector and forwarder for the Cequence Unified API Protection (UAP) platform. It sits between your API traffic sources (like API gateways, load balancers, or web servers) and the Cequence UAP platform, collecting API traffic data and securely forwarding it for analysis and protection.

Prerequisites

Before you begin, ensure you have:

Infrastructure Requirements

1. VMware Environment
   • VMware ESXi 6.7 or later
   • VMware vCenter Server access with administrative privileges
   • Ability to deploy OVA (Open Virtualization Appliance) templates
2. Hardware Resources
   • CPU: 2 vCPUs (x86_64 architecture)
   • Memory: 4 GB RAM minimum
   • Storage: 8 GB SSD or better storage
   • Network: Access to both your internal network and the Cequence UAP platform
3. Cequence UAP Platform
   • A fully operational Cequence UAP platform deployment
   • Access to the UAP management portal
   • Administrative privileges to create client credentials

Network Requirements

Based on the configuration, you'll need to ensure the following network connectivity:

Required Ports and Connectivity

1. Outbound from Bridge to Cequence UAP:
   • Port 443 (HTTPS): For authentication and API communication with the UAP platform
   • Destination: Your Cequence UAP subdomain (e.g., auth.cqai.yourdomain.com)
2. Inbound to Bridge:
   • Port 9443: For receiving traffic from your API sources (Cequence Sensors, API gateways, etc.)
   • Protocol: HTTP/HTTPS
   • Sources: Your API traffic sources that will send data to the Bridge
3. DNS Resolution:
   • The Bridge must be able to resolve your Cequence UAP subdomain
   • Ensure your DNS settings allow resolution of *.yourdomain.com where your UAP platform is hosted

Resource Sizing Guidelines

Choose the appropriate resource allocation based on your expected traffic volume:

For 100-500 Requests Per Second (RPS)

• CPU Limits: 500m (0.5 CPU cores)
• CPU Requested: 200m (0.2 CPU cores)
• Memory Limits: 800Mi (~838 MB)
• Memory Requested: 300Mi (~314 MB)

For Up to 1000 RPS

• CPU Limits: 1 CPU core
• CPU Requested: 500m (0.5 CPU cores)
• Memory Limits: 2Gi (2 GB)
• Memory Requested: 1Gi (1 GB)

Step 1: Download and Deploy the Bridge OVA

1.1 Download the Bridge OVA

1. Log into the Cequence customer portal
2. Navigate to the downloads section
3. Download the latest version of the Cequence Bridge OVA file
4. Save it to a location accessible from your vCenter environment

1.2 Deploy the OVA in VMware

1. Open vSphere Client
   • Launch the vSphere HTML5 Client
   • Connect to your vCenter Server
2. Navigate to Deployment Location
   • In the vSphere Client, navigate to the datacenter, cluster, or host where you want to deploy the Bridge
   • Right-click on your target location
3. Start OVA Deployment
   • Click Actions → Deploy OVF Template
   • The Deploy OVF Template wizard will open
4. Select the OVA File
   • Click Browse and locate the downloaded Bridge OVA file
   • Select the file and click Next
5. Review Template Details
   • Carefully review the OVF template details displayed
   • Verify the product name, version, and vendor information
   • Click Next to continue
6. Configure VM Settings
   • Name: Enter a descriptive name for the virtual machine (e.g., "Cequence-Bridge-Prod")
   • Location: Choose the folder or datacenter location
   • Click Next
7. Select Compute Resource
   • Choose the appropriate host, cluster, or resource pool
   • Ensure the selected resource has sufficient CPU and memory
   • Click Next
8. Review Storage
   • Select the datastore with at least 8 GB of available space
   • Choose the virtual disk format (Thick Provision Lazy Zeroed is recommended for production)
   • Click Next
9. Configure Networks
   • Map the VM networks to your appropriate network port groups
   • Ensure the network has access to both your internal API sources and the Cequence UAP platform
   • Click Next
10. Complete Deployment
    • Review all configuration settings
    • Click Finish to begin the deployment

1.3 Power On and Verify

1. Monitor Deployment Progress
   • Watch the deployment progress in the vSphere Client
   • This process typically takes 5-10 minutes depending on your environment
2. Power On the VM
   • Once deployment completes, right-click on the new VM
   • Select Power → Power On
3. Verify Network Connectivity
   • Check that the VM has received an IP address
   • Ensure it can reach your Cequence UAP platform domain

Step 2: Create Authentication Credentials

The Bridge needs to authenticate with the Cequence UAP platform to send traffic data. This requires creating a client ID and secret.

2.1 Access the UAP Management Portal

1. Open your web browser and navigate to your UAP management portal
   • URL format: https://ui.<your-tenant-name>.<domain>
   • Replace <your-tenant-name> with your organization's tenant name
   • Replace <domain> with your domain (e.g., cequence.ai)
2. Log in with your administrative credentials

2.2 Create Client Credentials

1. Navigate to User Management
   • In the UAP portal, go to General Settings → User Management
   • The User Management page will open
2. Access the Clients Tab
   • Click on the Clients tab
   • This shows existing API clients
3. Create New Client
   • Click Add New Client
   • A dialog box will appear
4. Configure Client Settings
   • Client Name: Enter a descriptive name (e.g., "Bridge-Production")
     • Note: This name becomes your Client ID - write it down
   • Traffic Management: Enable this toggle (this is required for Bridge functionality)
   • Token Lifespan: Leave at default (1800 seconds) unless you have specific requirements
5. Save and Capture Credentials
   • Click Save
   • A dialog will appear showing your Client Secret
   • IMPORTANT: Click the blue Copy icon to copy the secret to your clipboard
   • Save this secret immediately - it will not be shown again for security reasons
   • Click Close

2.3 Record Your Credentials

Write down the following information - you'll need it for configuration:

• Client ID: The client name you created
• Client Secret: The secret you copied (keep this secure)
• UAP Subdomain: Your full UAP subdomain (e.g., cqai.yourdomain.com)

Step 3: Configure and Test Bridge Connectivity

3.1 Set Up Environment Variables

For easier configuration, set up these environment variables on your management workstation:

export UAP_SUBDOMAIN=cqai.yourdomain.com
export CLIENT_ID=your-client-name
export CLIENT_SECRET=your-client-secret

Replace the values with your actual credentials from Step 2.

3.2 Test Authentication

Before configuring traffic sources, verify that your Bridge can authenticate with the UAP platform:

curl -k -v -o /dev/null \
  --location "https://auth.${UAP_SUBDOMAIN}/auth/realms/cequence/protocol/openid-connect/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials"

Expected Result: You should see a 200 OK response. If you get an error, verify:

• Your credentials are correct
• The UAP subdomain is reachable
• Network connectivity is properly configured

Step 4: Configure Traffic Sources

The Bridge can receive traffic from multiple sources. The most common configuration is HTTP-based traffic from API gateways or Cequence Sensors.

4.1 Understanding Traffic Source Configuration

The Bridge supports two main protocols:

• HTTP: For receiving traffic from API gateways, load balancers, or Cequence Sensors
• F5 HSL (High-Speed Logging): For F5 BIG-IP environments

4.2 HTTP Traffic Configuration

For most deployments, you'll use HTTP configuration. Here's the configuration template:

cequenceBridge:
  config:
    reader:
      type: "http"
      server:
        port: "9443"
    logging:
      output: "file"
      level: "info"
    apiEndpoint:
      uapSubdomain: <UAP_SUB_DOMAIN>
      auth:
        clientId: <clientID>
        clientSecret: <clientSecret>
  service:
    port: "9443"
    targetPort: "9443"
    scheme: http
  ingress:
    enabled: true
    className: "nginx"
    hosts:
      - host: bridge.<UAP_SUB_DOMAIN>
        paths:
          - path: /
            pathType: Prefix
    tls:
      - hosts:
          - bridge.<UAP_SUB_DOMAIN>
        secretName: bridge-tls-secret

4.3 Configure Your Traffic Sources

To send traffic to the Bridge, configure your API sources (gateways, load balancers, or Cequence Sensors) to send HTTP requests to:

• URL: http://<bridge-ip>:9443/api-transactions
• Method: POST
• Content-Type: application/json
• Body: JSON-formatted API transaction data

Step 5: Verify Installation

5.1 Check Bridge Status

After configuration, verify the Bridge is running correctly:

1. Check VM Status: Ensure the Bridge VM is powered on and running
2. Network Connectivity: Verify the Bridge can reach your UAP platform
3. Port Accessibility: Ensure port 9443 is accessible from your traffic sources

5.2 Verify Data Flow

1. Send Test Traffic
   • Configure one of your API sources to send traffic to the Bridge
   • Generate some API requests through your normal application flow
2. Check UAP Platform
   • Log into your Cequence UAP management portal
   • Navigate to Threat Detection → Sitemap Discovery
   • Verify that API requests are appearing in the platform
3. Monitor Bridge URL
   • A successful Bridge installation will show traffic being received at:
   • https://cequence-bridge-app-<NAME>.azurecontainerapps.io/api-transactions
   • (The <NAME> portion is auto-generated by the deployment process)

Troubleshooting Common Issues

Authentication Failures

• Verify client ID and secret are correct
• Check that the UAP subdomain is reachable
• Ensure the client has "Traffic Management" enabled

Network Connectivity Issues

• Verify port 9443 is open and accessible
• Check DNS resolution for your UAP subdomain
• Confirm firewall rules allow the required traffic

No Data Appearing in UAP

• Verify traffic sources are correctly configured to send to the Bridge
• Check that the JSON format of sent data is correct
• Ensure the Bridge VM has sufficient resources

Next Steps

After successful installation, consider:

1. Monitoring: Set up monitoring for the Bridge VM's performance and availability
2. High Availability: For production environments, consider deploying multiple Bridge instances
3. Security: Ensure all communications are properly secured and monitored
4. Documentation: Document your specific configuration for future reference

For advanced configuration options and detailed troubleshooting, refer to the complete Cequence documentation available in your UAP platform.