This article explains how to configure the Azure API Management (APIM) integration with the Cequence Unified API Protection (UAP) platform. It is intended for Azure administrators configuring the integration through the Azure Portal. You can enable the integration globally for all APIs or configure individual APIs separately.
Prerequisites
Before starting the configuration, ensure you have:
- Access to the Azure Portal with appropriate permissions
- The Cequence Bridge must be installed.
- Your Cequence Edge/Bridge endpoint URL
- OAuth2 credentials, needed when using Policy Auth Type, including the following values.
- Token endpoint URL
- Client ID
- Client secret
- The Cequence APIM policy XML file (
cequence-apim/policies/policy-all-apis.xml) - An Azure API Management service instance
- Network connectivity between Azure API Management and the Cequence UAP platform endpoints
Azure Service Principal setup
Policy deployment automation requires a Service Principal with Contributor access at the subscription level. See The Azure Service Principal for the full procedure, including creating the Service Principal, generating client credentials, and granting permissions.
Add the resulting Client ID and Client secret to your config.jsonc file for automated deployments. A single Service Principal can manage multiple subscriptions when granted appropriate permissions on each.
Downloading and extracting the integration files
The Cequence policy XML files are distributed as a compressed archive. Complete the following steps before you configure the named values or the policy.
- Download the Azure API Gateway integration archive from the Cequence Support Portal.
- Extract the archive to a local directory.
- Locate the policy file at
cequence-apim/policies/policy-all-apis.xml. You'll add its content to the Backend policy field in the following sections.
Global plugin configuration
Follow these steps to enable the integration for all APIs in your APIM instance.
Step 1: Configure named values
- Sign in to the Azure Portal, an external Microsoft site that may change over time.
- Search for "API Management services" in the top search bar.
- Select your APIM instance from the list.
- In the left navigation menu, under APIs, select Named values.
- Select + Add to create new named values.
- Create the following required named values:
| Name | Value | Description |
api-version |
1.0.0 |
API version identifier |
ceq-ingress-url |
<your edge endpoint> | Your Cequence Edge/Bridge endpoint domain (without URI path or suffixes) Example: https://edge.org.cequence.ai
|
When you're using Policy Auth Type authentication, create these additional named values:
| Name | Value | Description |
ceq-token-endpoint |
<your token endpoint> | OAuth2 token endpoint URL Example: https://auth.org.cequence.ai/auth/realms/cequence/protocol/openid-connect/token
|
ceq-client-id |
<your client ID> | Client ID from your Cequence UAP platform |
ceq-client-secret |
<your client secret> | Client secret from your Cequence UAP platform |
Generating the client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name. - Select General Settings > User Management.
The User Management pane appears. - Click the Clients tab.
- Click Add New Client.
The new client dialog box appears. - Type the client name in the Client Name field.
This name is the client ID. Note the client ID for later use. - Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
A dialog box with the client secret appears. - Click the blue Copy icon to copy the secret to the clipboard, then click Close.
The client is now set up. Note the client name for future use.
The client list appears. - Note the value of the client secret for later use. This value will not be shown again later on the UI for security reasons.
Step 2: Apply the global policy
- In the left navigation menu, select APIs.
- Select All APIs at the top of the page.
- Select Policies from the toolbar.
- In the Backend policy section, add the content from the Cequence global policy XML file (
cequence-apim/policies/policy-all-apis.xml). - Select Save.
Individual API configuration
To enable the integration for specific APIs only, follow these steps for each API.
Step 1: Configure named values
Follow the same steps as described in the Global plugin configuration section to create the required named values.
Step 2: Apply the policy to individual APIs
- In the left navigation menu, select APIs.
- Select the specific API you want to configure.
- Select Policies from the toolbar.
- Apply the policy based on your current configuration.
The policy content required depends on whether the API already has an existing policy attached.
For APIs without existing policies
In the Backend policy section, add the complete Cequence policy XML file (cequence-apim/policies/policy-all-apis.xml).
For APIs with existing policies
To preserve your existing policies while adding Cequence integration:
- Copy the
<inbound></inbound>section fromcequence-apim/policies/policy-all-apis.xml. - Paste it at the beginning of your existing policy's inbound section to capture unmodified request metadata.
- Copy the
<outbound></outbound>section fromcequence-apim/policies/policy-all-apis.xml. - Paste it at the end of your existing policy's outbound section to capture unmodified response metadata.
After applying the policy configuration, select Save.
Verifying the configuration
To verify your configuration is working correctly:
- Generate traffic to the configured APIs.
- Access the Dashboard in your Cequence UAP platform.
- Confirm that API activity appears correctly in Live Activity.
- Confirm that detections and posture data are being collected.
Disabling the integration
Complete the following steps to temporarily disable the Cequence integration without removing the named values.
- Navigate to APIs > All APIs in your APIM instance.
- Remove the Cequence policy from the Backend policy field.
- Select Save.
Disabling the integration stops the Cequence UAP platform from receiving transaction data for the affected APIs until you re-enable the policy.
Troubleshooting
If API activity doesn't appear in the Cequence UAP dashboard:
- Verify all named values are correctly configured
- Ensure the policy XML is properly applied and confirm using Azure Diagnostics
- Check that your Cequence Edge/Bridge endpoint is accessible
- Confirm OAuth2 credentials are valid when using Policy Auth Type
- Review Azure APIM diagnostic logs for errors
- Ensure outbound internet access is enabled for the subnet where your Azure API Management service is deployed
- Verify that no network security group (NSG) or firewall rule is blocking outbound access to the Cequence URLs on port 443 (HTTPS)
- Use nslookup or dig to confirm the Cequence domains resolve correctly from your environment
- Test connectivity to the edge endpoint and the token endpoint using curl
- When traffic appears in Live Activity but not in Detection or Posture Management, verify that the traffic type is not being ignored by a filter in the Traffic Management section