The Cequence Unified API Protection platform and Akamai
The Akamai content delivery network (CDN) integrates with the Cequence Unified API Protection (UAP) platform to prevent account takeovers, API-based business logic abuse, and to analyze API transactions.
The Cequence UAP platform uses an ML-based approach to eliminate avenues of fraud caused by automated attacks targeted at web, mobile and API based applications. This document focuses on the SaaS based Cequence UAP solution which significantly reduces deployment overhead. On-premises Cequence UAP solutions are also available.
Traffic flow without Cequence UAP
Traffic flow with Cequence UAP - Inline Upstream Deployment
Traffic flow with Cequence UAP - Inline Hairpin Deployment
The steps required to integrate Cequence UAP with Akamai are relatively straightforward. All traffic that terminates on Akamai will be routed to Cequence UAP first for inspection and then forwarded to the application origin (Inline Upstream deployment) or forwarded back to Akamai from where it will be routed to the application origin (Inline Hairpin Deployment).
Step 1: Configure Application Availability
Adding Cequence UAP to the traffic flow between Akamai and the application origin must not reduce application availability.
In the rare event that Cequence UAP becomes unavailable (as determined by a health check), a fail-open must take effect: all application traffic from Akamai must be routed directly to the application origin, bypassing Cequence UAP completely.
Such a fail-open scenario can be configured with a failover routing policy configuration. To create a failover routing policy, either one of the below solutions can be leveraged:
- Akamai Traffic Manager products - Global Traffic Management (GTM) or Application Load Balancer (ALB) Cloudlet
- Cequence UAP Traffic Manager (for customers that don’t use Akamai Traffic Manager products)
The failover routing policy creates a DNS hostname backed by two CNAME records: the Cequence UAP origin as the primary target and the application origin as the secondary target.
This DNS hostname is then set as the origin hostname in the Akamai configuration so that application traffic is forwarded to Cequence UAP.
Step 2: Configure Cequence UAP Origin and Traffic Forwarding
To configure forwarding of all application traffic from Akamai to Cequence UAP, modify the Origin Server Behavior along with the respective Origin SSL configuration.
Figure 1.4 Modify the Origin Server Behavior
- Under Akamai Property Manager, select the property configuration to be modified and go to the Behaviors section of the Default Rule.
- Select Your Origin in the Origin Type field.
- In the Origin Server Hostname field, enter the DNS hostname created in Step 1.
- Select Origin Hostname in the Cache Key Hostname field.
- Choose Yes in the Supports Gzip Compression field.
- Set the Send True Client Header field to Yes if you want Akamai to send the True Client IP header that it sets, or to No otherwise.
Figure 1.5 Modify the Origin SSL Configuration
- Select Choose Your Own (Recommended) in the Verification Settings field of the Origin SSL Certificate Verification section.
- Select Satisfies any of the trust options below in the Trust field.
- Enable Akamai Certificate Store and Third Party Certificate Store in the Akamai-managed Certificate Authority Sets field. This represents Akamai’s collection of trusted root certificates.
- [Optional] Add the certificates to the Custom Certificate Authority Set section and the Specific Certificates (pinning) section only if there is a need to pin either the intermediate or the leaf certificates.
Step 2: Configure Cequence UAP Origin and Traffic Forwarding - Loopback
To configure forwarding of all application traffic from Akamai to Cequence UAP, add the Origin Server Behavior along with the respective Origin SSL configuration.
Please note that in the case of the Loopback traffic flow, the existing Application Origin configuration does not need to be modified. However, because all application traffic is forwarded to Cequence UAP by default, a conditional rule must be added to forward looped-back traffic to the application origin (see the Pre-Shared Key Configuration section below).
Figure 1.6 Add the Origin Server Behavior
- Under Akamai Property Manager, select the property configuration to be modified and go to the Behaviors section of the Default Rule.
- Select Your Origin in the Origin Type field.
- In the Origin Server Hostname field, enter the DNS hostname created in Step 1.
- Select Origin Hostname in the Cache Key Hostname field.
- Choose Yes in the Supports Gzip Compression field.
- Set the Send True Client Header field to Yes if you want Akamai to send the True Client IP header that it sets, or to No otherwise.
Figure 1.7 Add the Origin SSL Configuration
- Select Choose Your Own (Recommended) in the Verification Settings field of the Origin SSL Certificate Verification section.
- Select Satisfies any of the trust options below in the Trust field.
- Enable Akamai Certificate Store and Third Party Certificate Store in the Akamai-managed Certificate Authority Sets field. This represents Akamai’s collection of trusted root certificates.
- [Optional] Add the certificates to the Custom Certificate Authority Set section and the Specific Certificates (pinning) section only if there is a need to pin either the intermediate or the leaf certificates.
Pre-Shared Key Configuration
- As shown in the loopback architecture traffic flow diagram (option 2 on page 2), Akamai forwards all application traffic to Cequence UAP by default.
- Cequence UAP adds a pre-shared key in a dedicated request header to all the application traffic it processes and forwards back to Akamai.
- When this traffic reaches Akamai again, a rule matches on the pre-shared key in that dedicated request header; on a match, Akamai no longer forwards the traffic to Cequence UAP and instead forwards it to the application origin.
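The loopback routing decision above, as an added illustration that is not part of the original document or of Cequence's or Akamai's own configuration: a constructed rule tree written in the style of an Akamai Property Manager (PAPI) JSON rule tree, plus a simplified evaluator that picks the origin the way the document describes. The hostnames, the header name `X-Cequence-PSK` and the key value are placeholders, and the rule matches on the key's value (not merely the header's presence) so that a missing or wrong key keeps traffic on the default Cequence UAP path.

```python
import hmac

# Placeholders (constructed for this example, not real deployment values).
CEQUENCE_FAILOVER_HOST = "uap-failover.example.com"  # DNS hostname from Step 1
APP_ORIGIN_HOST = "origin.example.com"               # application origin
PSK_HEADER = "X-Cequence-PSK"                        # assumed header name
PSK_VALUE = "REPLACE-WITH-SHARED-SECRET"             # placeholder pre-shared key

# Constructed rule tree in PAPI style: the default rule sends everything to the
# Cequence UAP failover hostname; the child rule overrides the origin only when
# the pre-shared key header carries the expected value. CA set selection for the
# origin certificate verification (Step 2) is omitted here.
RULE_TREE = {
    "name": "default",
    "behaviors": [{"name": "origin", "options": {
        "originType": "CUSTOMER", "hostname": CEQUENCE_FAILOVER_HOST,
        "cacheKeyHostname": "ORIGIN_HOSTNAME", "compress": True,
        "enableTrueClientIp": True, "verificationMode": "CUSTOM"}}],
    "children": [{
        "name": "Loopback from Cequence UAP",
        "criteria": [{"name": "requestHeader", "options": {
            "headerName": PSK_HEADER, "matchOperator": "IS_ONE_OF",
            "values": [PSK_VALUE], "matchCaseSensitiveValue": True}}],
        "behaviors": [{"name": "origin", "options": {
            "originType": "CUSTOMER", "hostname": APP_ORIGIN_HOST}}],
    }],
}

def _criterion_matches(criterion, headers):
    """Evaluate one criterion; only requestHeader is modelled, anything else
    is treated as a non-match so traffic stays on the default (Cequence) path."""
    if criterion["name"] != "requestHeader":
        return False
    opts = criterion["options"]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(opts["headerName"].lower())
    if value is None:
        return False
    if opts["matchOperator"] == "EXISTS":
        return True
    # Constant-time comparison so the key check does not leak through timing.
    return any(hmac.compare_digest(value.encode(), v.encode()) for v in opts["values"])

def select_origin(rule_tree, headers):
    """Simplified Property Manager evaluation: default-rule behaviors apply first,
    then a child rule whose criteria all match overrides the origin hostname."""
    origin = next(b["options"]["hostname"] for b in rule_tree["behaviors"] if b["name"] == "origin")
    for child in rule_tree.get("children", []):
        if child["criteria"] and all(_criterion_matches(c, headers) for c in child["criteria"]):
            for b in child["behaviors"]:
                if b["name"] == "origin":
                    origin = b["options"]["hostname"]
    return origin
```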