The Apigee shared flow integration enables passive monitoring of API traffic by inserting Cequence code into the Apigee request and response transaction flow. The integration captures transaction metadata without affecting the primary API data flow, forwarding this information asynchronously to the Cequence Unified API Protection (UAP) platform for analysis.
What Apigee provides
Apigee is Google Cloud's API management platform that acts as a gateway between clients and backend services. Apigee processes API requests through a series of handlers at both the ProxyEndpoint and TargetEndpoint, enabling policy enforcement, traffic management, and monitoring capabilities.
What the Cequence integration does
The Cequence UAP shared flow integration inserts monitoring code at strategic points in the Apigee transaction flow. The integration captures request and response data, extracts key metadata, and forwards this information to the Cequence UAP API Edge endpoint for security analysis. This process occurs asynchronously, ensuring no impact on the actual API transaction performance.
Traffic flow architecture
The integration operates through the following data flow sequence.
- Client sends an API request to the Apigee API ProxyEndpoint.
- The cequence-sharedflow-pre-proxy component in PreFlow captures and saves key request data and metadata. Request flow continues through Apigee policies.
- Apigee delivers the request to the API backend server.
- API backend server processes the request and responds.
- The cequence-sharedflow-post-target-unified component in PostFlow captures key response data and metadata. This shared flow makes an asynchronous call to the dedicated cequence-api-proxy, which invokes cequence-api-sharedflow to authenticate and post the combined transaction data to your Cequence UAP tenant endpoint.
- Apigee continues the response back to the client.
Integration components
The integration consists of three shared flow bundles and one API proxy.
- cequence-sharedflow-pre-proxy: Captures request data at the ProxyEndpoint PreFlow stage
- cequence-sharedflow-post-target-unified: Captures response data at the TargetEndpoint PostFlow stage and initiates the asynchronous call to Cequence
- cequence-api-sharedflow: Handles authentication token management and posts transaction data to Cequence UAP
- cequence-api-proxy: Dedicated API proxy that bridges the shared flows to the Cequence API endpoint
What the integration achieves
The integration provides comprehensive API transaction visibility to the Cequence UAP platform. The platform receives detailed request and response metadata for every API transaction processed through the configured Apigee environment. This data enables Cequence UAP to perform security analysis, detect anomalies, identify threats, and provide protection recommendations without impacting API performance.
Known limitations and effects on performance
The integration processes all API traffic in the configured environment by default. For selective API monitoring, you must configure FlowCallout policies individually for each API proxy instead of using global flow hooks. The asynchronous design of the integration minimizes performance impact, but the additional processing still adds a small amount of latency to each transaction.
Before you start
Confirm that your environment meets these requirements.
- Apigee Hybrid instance deployed and operational
- Google Cloud Platform project with appropriate permissions
- Network connectivity between Apigee and Cequence UAP endpoints
- HTTPS ports (443) open for outbound connections to Cequence UAP
What you'll need
Confirm that you've installed the required tools, have the required privilege levels, and know the Cequence configuration details.
Required tools
Install and configure these command-line tools.
- apigeecli: Apigee command-line interface tool
- gcloud: Google Cloud SDK command-line tool
- jq: JSON processor for command-line operations
- curl: HTTP client for testing API endpoints
Authenticate with Google Cloud before proceeding: gcloud auth login
Access and privileges
- Administrator access to your Apigee Hybrid instance
- Permission to create and deploy shared flows and API proxies
- Access to configure environment flow hooks
- Credentials for your Cequence UAP tenant
Cequence configuration details
Obtain these details from your Cequence Customer Success team.
- Traffic ingestion endpoint: Usually formatted as https://edge.{cequence-provided-domain}/api-transactions
- Authentication endpoint: Usually formatted as https://auth.{cequence-provided-domain}/auth/realms/cequence/protocol/openid-connect/token
- API client credentials: Client ID and Client Secret created through the Cequence Security Unified Dashboard
Items to download
Download the Cequence shared flow bundle. The bundle includes these files.
- cequence-sharedflow-pre-proxy.zip
- cequence-sharedflow-post-target-unified.zip
- cequence-api-sharedflow.zip
- cequence-api-proxy.zip
Integration installation methods
To install the Apigee X/Hybrid integration, perform the following procedures in the order listed.
Import shared flow bundles
Upload each shared flow bundle to your Apigee Hybrid environment.
- From the Apigee console, navigate to Overview > Proxy Development > Shared Flows.
- Click +Upload Bundle in the upper right corner.
- Click Browse and select the first bundle file.
- Click Create to complete the upload.
- Repeat steps 2-4 for each of the three shared flow bundles.
- For each uploaded shared flow, click the flow name, then click Deploy.
- Select the revision and environment, then click Deploy.
Configure authentication credentials
Set up the Cequence authentication in the cequence-api-sharedflow bundle.
- From the Apigee console, navigate to Shared Flows and open cequence-api-sharedflow.
- Switch to the Develop tab.
- Click default under Shared Flows.
- Click the GetAccessToken policy to open the editor.
- In the XML editor, update these values:
  - Set client_id to your Cequence API client ID
  - Set client_secret to your Cequence API client secret
  - Set the URL in <HTTPTargetConnection> to your Cequence authentication endpoint
- Save your changes.
Configure the ingestion endpoint
Set up the Cequence traffic ingestion endpoint.
- From the Apigee console, navigate to Shared Flows and open cequence-api-sharedflow.
- Switch to the Develop tab.
- Click the SendRequestResponse policy.
- In the XML editor, update the URL in <HTTPTargetConnection> to your Cequence traffic ingestion endpoint.
- Save your changes.
Configure token caching
Adjust the authentication token cache timeout to match your Cequence configuration.
- In the cequence-api-sharedflow Develop view, click the PopulateCacheStoreToken policy.
- Update the <TimeoutInSec> value from 1800 to match your authentication token time-to-live (TTL).
- Save your changes.
Configure the API proxy endpoint
Set up the internal API proxy connection.
- Navigate to Shared Flows and open cequence-sharedflow-post-target-unified.
- Switch to the Develop tab and click default.
- Click the CallCequenceAPIProxy policy.
- In the XML editor, update the URL in <HTTPTargetConnection> to your Apigee environment's cequence-api-proxy endpoint. The URL should end with /cequence-api-request.
- Save your changes.
Example policy
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout async="false" continueOnError="true" enabled="true" name="CallCequenceAPIProxy">
    <DisplayName>CallCequenceAPIProxy</DisplayName>
    <Properties/>
    <Request clearPayload="true" variable="notificationRequest">
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <Set>
            <Headers>
                <Header name="cq-auth-cap">cequence</Header>
            </Headers>
            <Payload contentType="application/json">{notificationRequestPayload}</Payload>
            <Verb>POST</Verb>
        </Set>
    </Request>
    <HTTPTargetConnection>
        <!-- Add the Cequence API proxy endpoint deployed in Apigee -->
        <!-- The URL should end with /cequence-api-request -->
        <URL>https://34.102.133.99.nip.io/cequence-api-request</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <!-- This example sets IgnoreValidationErrors to true, which disables certificate validation. -->
            <!-- Use true only if you are using self-signed certificates. -->
            <!-- Set it to false to validate certificates, which is the default. -->
            <IgnoreValidationErrors>true</IgnoreValidationErrors>
        </SSLInfo>
    </HTTPTargetConnection>
</ServiceCallout>
Deploy the cequence-api-proxy
Create and deploy the dedicated Cequence API proxy.
- From the Apigee console, navigate to Overview > Proxy Development > API Proxies.
- Click +Upload Bundle.
- Select the cequence-api-proxy.zip file.
- Create and deploy the proxy to your chosen environment.
Enabling the integration globally
Configure flow hooks to enable the integration for all APIs in an environment.
- From the Apigee console, navigate to Overview > Management Environments.
- Click your target environment name.
- Navigate to the FlowHook tab.
- From the Pre-proxy dropdown, select cequence-sharedflow-pre-proxy.
- From the Post-target dropdown, select cequence-sharedflow-post-target-unified.
- Click SAVE.
The integration now processes all API traffic in this environment.
Enabling the integration for an individual API
For selective API monitoring, use FlowCallout policies instead of global flow hooks.
- From the Apigee console, open the specific API proxy you want to monitor.
- Switch to the Develop tab.
- Add a FlowCallout policy for cequence-sharedflow-pre-proxy as the first policy in the request flow of PreFlow at the Proxy Endpoint.
- Add a FlowCallout policy for cequence-sharedflow-post-target-unified as the first policy in the response flow of PostFlow at the Target Endpoint.
- Save and deploy your changes.
Disabling the integration
You can temporarily disable the integration without removing it.
- From the Apigee console, navigate to Overview > Management Environments.
- Click your environment name.
- Navigate to the FlowHook tab.
- Set both Pre-proxy and Post-target dropdowns to None.
- Click SAVE.
Removing the integration
This procedure completely removes the integration from your environment.
- Disable the integration using the steps above.
- From the Apigee console, navigate to each shared flow and API proxy.
- Undeploy each component from all environments.
- Delete the shared flows and API proxy if no longer needed.
Check your work
Verify in Apigee
Test the integration using Apigee's debug tools.
- Create or use an existing echo API proxy for testing.
- Open the proxy and start a Debug session.
- Copy the debug URL.
- Send a test request to the URL using curl or Postman.
- In the Apigee debug trace, verify that both Cequence shared flows execute successfully.
Verify in Google Cloud logs
Check the integration logs in Google Cloud Platform.
- From the Google Cloud console, open Logs Explorer.
- Apply filters for your Apigee environment and search for Cequence-related log entries.
- Verify that authentication and data posting operations complete successfully.
Verify in Cequence UAP
Confirm that transaction data appears in your Cequence UAP dashboard.
- Log in to your Cequence UAP tenant.
- Navigate to the API transactions view.
- Verify that test transactions from your Apigee environment appear with correct metadata.
- Check that request and response details are properly captured.
Example GetAccessToken policy configuration
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout async="false" continueOnError="true" enabled="true" name="GetAccessToken">
    <DisplayName>GetAccessToken</DisplayName>
    <Properties/>
    <Request clearPayload="true" variable="tokenCalloutRequest">
        <Set>
            <FormParams>
                <FormParam name="client_id">your-client-id</FormParam>
                <FormParam name="client_secret">your-client-secret</FormParam>
                <FormParam name="grant_type">client_credentials</FormParam>
            </FormParams>
            <Verb>POST</Verb>
        </Set>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    </Request>
    <Response>tokenCalloutResponse</Response>
    <HTTPTargetConnection>
        <Properties/>
        <URL>https://auth.your-domain.com/auth/realms/cequence/protocol/openid-connect/token</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <IgnoreValidationErrors>false</IgnoreValidationErrors>
        </SSLInfo>
    </HTTPTargetConnection>
</ServiceCallout>
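Both callout policies shown on this page set continueOnError="true", so a misconfigured URL, credential or TLS setting does not fail the API call and is easy to miss. The following Python check is an added example, not part of the Cequence bundle: it audits policy XML for the settings this page has you edit. The sample policies, hostnames, client ID and the PopulateCache element layout are constructed or assumed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PLACEHOLDERS = {"", "your-client-id", "your-client-secret"}  # template values on this page

def audit_policy(xml_text, token_ttl=None):
    """Return findings for one policy XML; token_ttl is the token lifetime in seconds."""
    root = ET.fromstring(xml_text.strip())
    name, findings = root.get("name", root.tag), []
    for conn in root.iter("HTTPTargetConnection"):
        url = urlparse((conn.findtext("URL") or "").strip())
        if url.scheme != "https" or not url.hostname:
            findings.append(f"{name}: target URL is not a valid https URL")
        if name == "CallCequenceAPIProxy" and not url.path.endswith("/cequence-api-request"):
            findings.append(f"{name}: URL must end with /cequence-api-request")
        if (conn.findtext("SSLInfo/IgnoreValidationErrors") or "").strip().lower() == "true":
            findings.append(f"{name}: TLS certificate validation is disabled")
    for param in root.iter("FormParam"):
        key, value = param.get("name"), (param.text or "").strip()
        if key in ("client_id", "client_secret") and value in PLACEHOLDERS:
            findings.append(f"{name}: {key} is still a placeholder")
    for node in root.iter("TimeoutInSec"):
        timeout = int((node.text or "0").strip())
        if token_ttl is not None and timeout > token_ttl:
            findings.append(f"{name}: cache timeout {timeout}s exceeds token TTL {token_ttl}s")
    return findings

# Constructed samples, abridged from the policies shown on this page.
CALL_PROXY = """<ServiceCallout name="CallCequenceAPIProxy" continueOnError="true">
  <HTTPTargetConnection>
    <URL>https://apigee.example.com/cequence-api-request</URL>
    <SSLInfo><Enabled>true</Enabled><IgnoreValidationErrors>true</IgnoreValidationErrors></SSLInfo>
  </HTTPTargetConnection>
</ServiceCallout>"""
GET_TOKEN = """<ServiceCallout name="GetAccessToken" continueOnError="true">
  <Request><Set><FormParams>
    <FormParam name="client_id">cq-apigee-client</FormParam>
    <FormParam name="client_secret">your-client-secret</FormParam>
  </FormParams></Set></Request>
  <HTTPTargetConnection>
    <URL>https://auth.example.com/auth/realms/cequence/protocol/openid-connect/token</URL>
  </HTTPTargetConnection>
</ServiceCallout>"""
# Assumed shape for PopulateCacheStoreToken; the page names only its <TimeoutInSec> element.
CACHE = ('<PopulateCache name="PopulateCacheStoreToken"><ExpirySettings>'
         '<TimeoutInSec>1800</TimeoutInSec></ExpirySettings></PopulateCache>')

if __name__ == "__main__":
    print([f for d in (CALL_PROXY, GET_TOKEN, CACHE) for f in audit_policy(d, token_ttl=300)])
```

Pass the lifetime of the tokens your Cequence tenant issues as token_ttl; a cache timeout longer than that lifetime keeps serving a token after it has expired.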