You can integrate the Cequence Unified API Protection (UAP) platform with an Azure API Management (APIM) environment in several ways depending on the desired outcome and goals.
This article discusses setting up the integration in passive mode, where the integration captures and forwards traffic to the ingestion API of the Cequence UAP platform for analysis. In this mode, the Cequence UAP platform provides bot detection and API traffic analysis, including sensitive data exposure and potential OWASP API issues.
This diagram shows traffic flow throughout your environment.
- Azure APIM receives the request.
- The plugin captures the request metadata.
- The request is sent to the upstream application.
- APIM receives the response from the upstream application.
- The plugin captures the response metadata.
- Azure APIM returns the response to the client.
- The Azure global policy plugin asynchronously sends copies of the captured transactions to the Cequence Bridge.
- The Cequence Bridge forwards them to the UAP platform's traffic ingestion API.
Once ingested, the Cequence UAP platform analyzes the transactions.
Before you start
Make sure that your Azure environment meets the following requirements before you start to deploy this integration.
- Azure CLI installed and configured
- The jq command-line JSON processor installed
- Python 3.x installed
What you'll need
You'll need the following items to install this integration.
- Access to an Azure Service Principal with Contributor permissions on each subscription where you plan to install this integration. Setting up this service principal is described at the end of this article.
- The XML policy files to deploy.
- The Azure Tenant ID, the Subscription ID, the Service Principal client ID and the Service Principal client secret.
- A client ID and client secret generated from the Cequence UAP platform (see the next section).
- A Cequence Bridge deployed close to the APIs or applications being protected.
Note: Cequence Bridge uses the same authentication method as API Edge. If your deployment uses Cequence Bridge, you can use the Cequence Bridge URL in any step of this procedure that refers to the API Edge URL. Configuration of traffic filtering and sensitive data masking for the Cequence Bridge is discussed in a separate article.
Generating the client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI. The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management. The User Management pane appears.
- Click the Clients tab.
- Click Add New Client. The new client dialog box appears.
- Type the client name in the Client Name field. This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save. A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close. The client is now set up and the client list appears. Note the client name for future use.
- Note the value of the client secret for later use. For security reasons, the UI does not show this value again.
Items to download
Download the compressed archive file of the integration.
Integration installation methods
You can install the Azure APIM integration using scripts to automate the process. Alternatively, you can install the Azure APIM integration by modifying values directly on the Azure Portal. Each approach is discussed in a separate section.
Installing the Azure APIM integration using Automation
You can automate the installation of the Azure APIM integration by using scripts that Cequence provides. This section lists the procedures for each step of the process.
Extract the compressed archive file
From a terminal in Azure, run the following command to extract the compressed archive file.
tar -xvzf cequence-apim-1.1.0.xxxxx.tar.gz
Configure the environment variables
- Navigate to the cequence-apim/config directory.
- Make a copy of the template config-example.jsonc file. Name the copy config.jsonc.
- In a text editor, open config.jsonc and type the following values.

Variable | Data type | Description
cequenceConfig.useAuth | Boolean | When you're using an authenticated policy, set this value to true. For no-authentication policies, set this value to false.
cequenceConfig.edgeUrl | String | The integration sends transactions to this endpoint. The default path of this endpoint is /api-transaction. Specify your Cequence host URL here.
cequenceConfig.authUrl | String | The authentication URL. When cequenceConfig.useAuth is set to false, omit this value.
cequenceConfig.clientId | String | The client ID used to authenticate. When cequenceConfig.useAuth is set to false, omit this value.
cequenceConfig.clientSecret | String | The client secret used to authenticate. When cequenceConfig.useAuth is set to false, omit this value.
cequenceConfig.logLevel | String | Sets the logging level. Legal values are INFO or DEBUG.
azureConfig.tenantId | String | ID of the tenant where the plugin needs to be enabled.
azureConfig.servicePrincipalId | String | The Service Principal client ID used to authenticate to the subscription.
azureConfig.servicePrincipalSecret | String | The Service Principal secret used to authenticate to the subscription.

A full sample JSONC file is available at the end of this article.
The environment is ready for the scripts.
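Because config.jsonc carries secrets and the enable script acts on whatever it finds there, it is worth checking the file before running the scripts. The following validator is an added example written for this article, not part of the Cequence package; it assumes only the key layout shown in the table above (strips the // comments that plain JSON parsers reject, then checks that the auth fields are present when useAuth is true, that URLs are https, and that logLevel is INFO or DEBUG). SAMPLE_CONFIG is a constructed sample mirroring the article's example file.

```python
"""Validate a Cequence APIM config.jsonc before running enable_apim_integration.sh.

Added example for this article, not part of the Cequence scripts. Assumes the
key layout shown in the article's config table; SAMPLE_CONFIG is constructed.
"""
import json
import re
import sys
from urllib.parse import urlparse

# Constructed sample that mirrors the article's example config.jsonc.
SAMPLE_CONFIG = """
{
  "cequenceConfig": {
    "useAuth": true, // true if we want to pass access token to edge
    "edgeUrl": "https://edge.org.cequence.ai",
    "authUrl": "https://auth.org.cequence.ai/auth/realms/org-realm/protocol/openid-connect/token",
    "clientId": "abcde",
    "clientSecret": "xxxxxx",
    "logLevel": "INFO" // Supported values INFO or DEBUG
  },
  "azureConfig": {
    "tenantId": "xx-xxdd-dddx-xddx-xxx",
    "servicePrincipalId": "your-sp-id",
    "servicePrincipalSecret": "your-sp-secret"
  }
}
"""

# Group 1 matches a JSON string literal so that "//" inside a URL is kept;
# the other alternatives match line and block comments, which are dropped.
_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)


def strip_jsonc_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string literals intact."""
    return _COMMENT.sub(lambda m: m.group(1) or "", text)


def load_jsonc(text: str) -> dict:
    """Parse JSONC text (JSON with comments) into a dict."""
    return json.loads(strip_jsonc_comments(text))


def _is_https(url) -> bool:
    parsed = urlparse(url) if isinstance(url, str) else None
    return bool(parsed and parsed.scheme == "https" and parsed.netloc)


def validate_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    ceq = cfg.get("cequenceConfig", {})
    az = cfg.get("azureConfig", {})

    use_auth = ceq.get("useAuth")
    if not isinstance(use_auth, bool):
        problems.append("cequenceConfig.useAuth must be true or false")
    if not _is_https(ceq.get("edgeUrl")):
        problems.append("cequenceConfig.edgeUrl must be an https URL")
    if use_auth is True:
        # authUrl, clientId and clientSecret are only required for authenticated policies.
        for key in ("authUrl", "clientId", "clientSecret"):
            if not ceq.get(key):
                problems.append(f"cequenceConfig.{key} is required when useAuth is true")
        if ceq.get("authUrl") and not _is_https(ceq["authUrl"]):
            problems.append("cequenceConfig.authUrl must be an https URL")
    if ceq.get("logLevel") not in ("INFO", "DEBUG"):
        problems.append("cequenceConfig.logLevel must be INFO or DEBUG")
    for key in ("tenantId", "servicePrincipalId", "servicePrincipalSecret"):
        if not az.get(key):
            problems.append(f"azureConfig.{key} is required")
    return problems


if __name__ == "__main__":
    # Usage: python validate_config.py cequence-apim/config/config.jsonc
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    issues = validate_config(load_jsonc(text))
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against cequence-apim/config/config.jsonc; a non-zero exit code with the listed problems means the enable script would be started with an incomplete or inconsistent configuration.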
Set permissions for the scripts
- Navigate to the cequence-apim/bin directory.
- Set executable permission for the scripts in this directory with the following command.
chmod +x *.sh
The scripts are ready to run.
Enable the integration
To enable the integration, run the script from the cequence-apim/bin directory.
./enable_apim_integration.sh
This script deploys the Azure APIM policy to the subscription specified in the cequence-apim/config/config.jsonc file.
Check your work
Generate traffic on the modified APIs and confirm that the activity appears correctly on the Dashboard of the Cequence UAP platform.
Disable the integration
To disable the integration, run this script from the cequence-apim/bin directory.
./disable_apim_integration.sh
Disabling the integration resets the global policy on the Azure APIM resources specified in the config.jsonc file to its default state, replacing the current policy structure with the default <inbound>, <outbound>, <on-error>, and <backend> tags. Disabling the integration doesn't require you to change any environment variables.
Example config.jsonc file
{
  "cequenceConfig": {
    "useAuth": true, // true if we want to pass access token to edge
    "edgeUrl": "https://edge.org.cequence.ai",
    "authUrl": "https://auth.org.cequence.ai/auth/realms/org-realm/protocol/openid-connect/token", // Specify if useAuth is true
    "clientId": "abcde", // Specify if useAuth is true
    "clientSecret": "xxxxxx", // Specify if useAuth is true
    "logLevel": "INFO" // Supported values INFO or DEBUG for troubleshooting purposes
  },
  "azureConfig": {
    "tenantId": "xx-xxdd-dddx-xddx-xxx",
    "servicePrincipalId": "your-sp-id",
    "servicePrincipalSecret": "your-sp-secret"
  }
}
Installation Using Azure Portal
Global Plugin Enablement
You can choose to install the Azure APIM integration manually by configuring a resource from the Azure portal.
- Navigate to the Azure Portal at https://portal.azure.com.
- In the top search bar, type "API Management services".
- Navigate to your API Management (APIM) resource and select your APIM instance from the list.
- In the left-hand menu, under APIs, click Named values. The Named Values page appears.
- Click + Add.
- Create the following named values.

Name | Value | Notes
api-version | 1.0.0 | Used to version your API
ceq-ingress-url | <your-edge-endpoint> | Replace with your Cequence Edge/Bridge endpoint domain without any URI path or suffixes.

When Policy Auth Type is enabled, also create the following named values.

Name | Value | Notes
ceq-token-endpoint | <your-token-endpoint> | OAuth2 token endpoint URL, for example https://auth.org.cequence.ai/auth/realms/cequence/protocol/openid-connect/token
ceq-client-id | <your-client-id> | Client ID from your Cequence UAP platform
ceq-client-secret | <your-client-secret> | Client secret from your Cequence UAP platform

- In the left-hand menu, click APIs.
- At the top, click All APIs.
- From the toolbar, select Policies.
- In the Backend policy field, add the Cequence global policy XML file. The policy file is cequence-apim/policies/policy-all-apis.xml.
- Click Save.
Enabling API Plugins Individually
- Navigate to the Azure Portal at https://portal.azure.com.
- In the top search bar, type "API Management services".
- Navigate to your API Management (APIM) resource and select your APIM instance from the list.
- In the left-hand menu, under APIs, click Named values. The Named Values page appears.
- Click + Add.
- Create the following named values.

Name | Value | Notes
api-version | 1.0.0 | Used to version your API
ceq-ingress-url | <your-edge-endpoint> | Replace with your Cequence Edge/Bridge endpoint domain without any URI path or suffixes.

When Policy Auth Type is enabled, also create the following named values.

Name | Value | Notes
ceq-token-endpoint | <your-token-endpoint> | OAuth2 token endpoint URL, for example https://auth.org.cequence.ai/auth/realms/cequence/protocol/openid-connect/token
ceq-client-id | <your-client-id> | Client ID from your Cequence UAP platform
ceq-client-secret | <your-client-secret> | Client secret from your Cequence UAP platform

- In the left-hand menu, click APIs.
- At the top, click an API.
- From the toolbar, select Policies.
- When no policy exists for the selected API, in the Backend policy field, add the Cequence global policy XML file. The policy file is cequence-apim/policies/policy-all-apis.xml.
- When a policy already exists, copy the <inbound> </inbound> section of cequence-apim/policies/policy-all-apis.xml and paste it into the first position of the existing policy, so that the plugin captures the request metadata before any other policy modifies it.
- When a policy already exists, copy the <outbound> </outbound> section of cequence-apim/policies/policy-all-apis.xml and paste it into the last position of the existing policy, so that the plugin captures the response metadata after every other policy has run.
- Click Save.
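The two "when a policy already exists" steps above are easy to get wrong by hand (pasting into the wrong section, or pasting twice on a second visit). The helper below is an added example written for this article, not part of the Cequence package: it takes an existing API-level policy and the Cequence policy, inserts the Cequence <inbound> steps in first position and appends the Cequence <outbound> steps in last position, creates any of the four default sections that are missing, and skips a step that is already present so that re-running it does not duplicate anything. The actual contents of policy-all-apis.xml are not reproduced on this page; CEQUENCE_POLICY and EXISTING_POLICY below are constructed stand-ins using placeholder APIM policy elements.

```python
"""Merge Cequence <inbound>/<outbound> steps into an existing APIM API policy.

Added example for this article, not Cequence's code. CEQUENCE_POLICY is a
constructed placeholder for cequence-apim/policies/policy-all-apis.xml, whose
real contents are not shown on the page; EXISTING_POLICY is also constructed.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed stand-in for policy-all-apis.xml (placeholder elements only).
CEQUENCE_POLICY = """<policies>
  <inbound>
    <set-variable name="ceq-request-start" value="@(DateTime.UtcNow.Ticks)" />
  </inbound>
  <backend><base /></backend>
  <outbound>
    <set-variable name="ceq-response-captured" value="@(true)" />
  </outbound>
  <on-error><base /></on-error>
</policies>"""

# Constructed existing API policy that already has its own steps.
EXISTING_POLICY = """<policies>
  <inbound>
    <base />
    <rate-limit calls="100" renewal-period="60" />
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <set-header name="X-Powered-By" exists-action="delete" />
  </outbound>
  <on-error><base /></on-error>
</policies>"""

# The four sections the disable script restores as the default policy.
DEFAULT_POLICY_SECTIONS = ("inbound", "backend", "outbound", "on-error")


def _already_present(section: ET.Element, elem: ET.Element) -> bool:
    """True if a step with the same tag and attributes is already in the section."""
    return any(c.tag == elem.tag and c.attrib == elem.attrib for c in section)


def merge_cequence_policy(existing_xml: str, cequence_xml: str) -> str:
    """Return existing_xml with the Cequence inbound steps first and outbound steps last."""
    existing = ET.fromstring(existing_xml)
    cequence = ET.fromstring(cequence_xml)

    # Ensure every default section exists so insertion points are well defined.
    for name in DEFAULT_POLICY_SECTIONS:
        if existing.find(name) is None:
            ET.SubElement(existing, name)

    inbound = existing.find("inbound")
    offset = 0
    for elem in cequence.find("inbound"):
        if not _already_present(inbound, elem):
            inbound.insert(offset, copy.deepcopy(elem))  # first position
            offset += 1

    outbound = existing.find("outbound")
    for elem in cequence.find("outbound"):
        if not _already_present(outbound, elem):
            outbound.append(copy.deepcopy(elem))  # last position

    return ET.tostring(existing, encoding="unicode")


def section_tags(policy_xml: str, section: str) -> list:
    """Tag names of the direct children of one policy section, in document order."""
    return [child.tag for child in ET.fromstring(policy_xml).find(section)]


def section_names(policy_xml: str) -> list:
    """Top-level section names of a policy document, in document order."""
    return [child.tag for child in ET.fromstring(policy_xml)]


if __name__ == "__main__":
    # Paste the printed document into the API's policy editor, then Save.
    print(merge_cequence_policy(EXISTING_POLICY, CEQUENCE_POLICY))
```

Replace the two constants with the real file contents (for example, read policy-all-apis.xml and the policy exported from the portal) and paste the printed result into the policy editor; the order check in section_tags is a quick way to confirm the Cequence steps landed first in <inbound> and last in <outbound> before you click Save.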
Check your work
Generate traffic on the modified APIs and confirm that the activity appears correctly on the Dashboard of the Cequence UAP platform.
Setting up Azure Service Principal
The Service Principal must have "Contributor" access at the scope of each subscription where you intend to deploy the policy.
To create a service principal, follow these steps:
- Log in to the Azure Portal.
- Navigate to Azure Active Directory (Microsoft Entra ID). If you don't see it, you don't have permission; ask your Azure administrator to create the Service Principal for you, typically via Azure Active Directory in the Azure Portal or via a Microsoft Entra application.
- To create a Service Principal:
- Because this deployment involves a single tenant, choose the "Single tenant" option when creating the Service Principal during app registration.
- Click "App registrations".
- Click "New registration".
- Fill in the required fields and create the Service Principal.
- Click "Certificates & secrets", then choose the option to create a new client secret. A description is optional, but setting an expiration date is mandatory for the Service Principal secret.
- Record the Client ID and the Client Secret (Value) and store them securely for use in config.jsonc.
Service Principals are one-to-many: a single Service Principal can have access to multiple subscriptions.