The Cequence Unified API Protection platform and Fastly
The Fastly content delivery network (CDN) integrates with the Cequence Unified API Protection (UAP) platform to prevent account takeovers and API-based business logic abuse, and to analyze API transactions.
The Cequence UAP platform uses an ML-based approach to eliminate avenues of fraud caused by automated attacks targeted at web, mobile, and API-based applications. This document focuses on the SaaS-based Cequence UAP solution, which significantly reduces deployment overhead. On-premises Cequence UAP solutions are also available.
Traffic flow without Cequence UAP
Traffic flow with Cequence UAP - Inline Upstream Deployment
Traffic flow with Cequence UAP - Inline Hairpin Deployment
The steps required to integrate Cequence UAP with Fastly are relatively straightforward. All traffic that terminates on Fastly will be routed to Cequence UAP first for inspection and then forwarded to the application origin (Inline Upstream deployment) or forwarded back to Fastly from where it will be routed to the application origin (Inline Hairpin Deployment).
Step 1: Configure Cequence UAP Origin
The configuration of Cequence UAP origin and forwarding traffic to it will be explained using an example scenario.
For illustration, let's assume the hostnames below:
- Application Hostname: www.cq-route.com
- Application Origin Hostname: origin-www.cq-route.com
- Cequence UAP Hostname: cq-route.cequence.cloud
Figure 1. Customer application origin set as the only host
Navigate to the Origins > Hosts section to add the Cequence UAP Origin on an existing Fastly configuration.
Fill out the Host Details as shown below and leave the other options as defaults:
Figure 2. Configure Cequence UAP origin host
The hosts for both the customer’s Application Origin and the Cequence UAP Origin will be shown as below:
Figure 3. Cequence UAP origin and customer application origin hosts
Step 2: Configure Application Availability
Application availability must be ensured with the addition of Cequence UAP to the traffic flow between Fastly and Application Origin.
In the rare event that Cequence UAP becomes unavailable (as determined by a health check), a fail-open must take effect: all application traffic from Fastly must be routed directly to the Application Origin, bypassing Cequence UAP completely.
Fastly offers the capabilities to set up a fail-open configuration using health checks.
To create the health check for the Cequence UAP origin, navigate to Origins > Hosts and create a health check under the Health checks section.
Figure 4. Health checks section
The Health Check needs to have the Host header field present in order to allow Cequence UAP to forward the Health Check traffic onto the Application Origin.
In the example below, the health check traffic is sent to the URI “/” along with the respective Host header, and a 200 response is expected to indicate success.
Figure 5. Health check configuration for Cequence UAP origin
Once the Health Check configuration is created, edit the Cequence Host configuration (cq-route.cequence.cloud, in our case) and assign to it the Health Check that was created.
Figure 6. Health check configuration for Cequence UAP origin
After assignment of the Health check, the Host summary should appear as below:
Figure 7. Cequence UAP Origin Summary with Health Check Assigned
Step 3: Configure Traffic Forwarding to Cequence UAP
In the Fastly configuration, the Host that is configured without attaching any condition is treated as the Default Host for forwarding application traffic.
Since all application traffic from Fastly will first need to be forwarded to Cequence UAP, we do not attach any condition to it.
Instead, a condition will be attached to forward traffic to the customer’s Application Origin. This condition will typically be that of a health check failure to Cequence UAP in order to trigger a fail-open to the Application Origin.
To set this up, click on Attach a condition for the Customer Application Origin Host, and create the condition as shown below:
Figure 8. See Attach a condition
Create a new request condition and attach it.
The image below shows how the Origins > Hosts section appears after Cequence UAP has been configured as the Default Origin and a condition has been attached for forwarding traffic to the Application Origin.
Figure 9. Cequence UAP origin and the application origin with the fail-open condition can be seen
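Steps 1 to 3 above, expressed as Fastly VCL. This is an added example, not configuration taken from Cequence or Fastly. The backend names, port 443 with TLS, the probe timings, the use of www.cq-route.com as the health check Host header, and the condition expression !req.backend.healthy are assumptions, since the page shows these values only in screenshots.

```vcl
# Added example. Backend names, ports, TLS settings and probe timings are
# assumptions; hostnames are the illustrative ones used in this document.

# Customer Application Origin: used only when the fail-open condition matches.
backend F_application_origin {
    .host = "origin-www.cq-route.com";
    .port = "443";
    .ssl = true;
    .ssl_sni_hostname = "origin-www.cq-route.com";
    .ssl_cert_hostname = "origin-www.cq-route.com";
}

# Step 1: Cequence UAP origin.
backend F_cequence_uap {
    .host = "cq-route.cequence.cloud";
    .port = "443";
    .ssl = true;
    .ssl_sni_hostname = "cq-route.cequence.cloud";
    .ssl_cert_hostname = "cq-route.cequence.cloud";

    # Step 2: health check to "/" carrying a Host header, so that Cequence UAP
    # can forward the probe to the Application Origin. A 200 means healthy.
    .probe = {
        .request = "GET / HTTP/1.1" "Host: www.cq-route.com" "Connection: close";
        .expected_response = 200;
        .interval = 15s;   # assumed probe frequency
        .timeout = 5s;     # assumed per-probe timeout
        .window = 5;       # look at the last 5 probes
        .threshold = 3;    # at least 3 of them must succeed
        .initial = 3;      # start in the healthy state
    }
}

sub vcl_recv {
#FASTLY recv
    # Step 3: the host with no condition is the default, so all application
    # traffic goes to Cequence UAP first for inspection.
    set req.backend = F_cequence_uap;

    # Request condition attached to the Application Origin host: fail open
    # when the Cequence UAP health check is failing. Traffic on this path
    # reaches the origin without passing through Cequence UAP.
    if (!req.backend.healthy) {
        set req.backend = F_application_origin;
    }
    return(lookup);
}
```

The window and threshold values decide how many failed probes it takes before traffic starts bypassing Cequence UAP, and how many successes before it returns to the inline path.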