The Cequence Unified API Protection platform and Amazon CloudFront
Amazon CloudFront, the AWS programmable content delivery network, integrates with the Cequence Unified API Protection (UAP) platform to prevent account takeovers and API-based business logic abuse, and to analyze API transactions.
The Cequence UAP platform uses an ML-based approach to eliminate avenues of fraud caused by automated attacks targeting web, mobile and API-based applications. This document focuses on the SaaS-based Cequence UAP solution, which significantly reduces deployment overhead. On-premises Cequence UAP solutions are also available.
Traffic Flow without Cequence UAP
Traffic Flow with Cequence UAP
The steps required to integrate Cequence UAP with Amazon CloudFront are straightforward. Selected traffic that terminates on Amazon CloudFront is routed to Cequence UAP for inspection before it is forwarded to the application origin.
Step 1: Configure Application Availability
Application availability must be ensured when Cequence UAP is added to the traffic flow between Amazon CloudFront and the application origin where the customer application is deployed.
In the rare event that Cequence UAP becomes unavailable (as determined by a health check), a fail-open must kick in: all application traffic from Amazon CloudFront is routed directly to the application origin, bypassing Cequence UAP completely. Such a fail-open scenario can be configured with a failover routing policy in Amazon Route 53.
For illustration, let's assume the hostnames below:
- Application Hostname: www.cq-route.com
- Application Origin Hostname: origin-www.cq-route.com
- Cequence UAP Hostname: cq-route.cequence.cloud
The snapshots below show an Amazon Route 53 failover routing policy example, where the DNS record/hostname cq-origin-www.cq-route.com points at two CNAME records:
1. Cequence UAP: cq-route.cequence.cloud (set as Primary)
2. Application Origin: origin-www.cq-route.com (set as Secondary)
Finally, on the Route53 Records page:
The DNS record/hostname cq-origin-www.cq-route.com will now be set as the origin hostname in the Amazon CloudFront configuration, so that traffic is forwarded to Cequence UAP.
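The Route 53 side of Step 1 can also be expressed as the JSON the AWS CLI accepts, which makes the fail-open behaviour reviewable before anything is deployed. The following is an added example written for this guide, not Cequence's or AWS's own code. It builds the health check configuration for the Cequence UAP hostname and the two-record failover change batch for cq-origin-www.cq-route.com, then checks the invariants the fail-open depends on: exactly one PRIMARY carrying a health check, one SECONDARY, a shared record name and a short TTL. The hostnames are the ones assumed above; HEALTH_CHECK_ID is a placeholder for the id Route 53 returns when the health check is created.

```python
"""Route 53 failover records for Step 1: Cequence UAP as PRIMARY, the
application origin as SECONDARY, so DNS fails open when the UAP health
check fails. Constructed example; hostnames are the ones the guide assumes
and HEALTH_CHECK_ID is a placeholder, not a real id."""
import json

RECORD_NAME = "cq-origin-www.cq-route.com."     # record CloudFront uses as its origin hostname
CEQUENCE_HOST = "cq-route.cequence.cloud"       # PRIMARY target: Cequence UAP
ORIGIN_HOST = "origin-www.cq-route.com"         # SECONDARY target: application origin (fail-open)
HEALTH_CHECK_ID = "HEALTH-CHECK-ID-PLACEHOLDER"  # placeholder: id returned by create-health-check


def health_check_config(host=CEQUENCE_HOST):
    """HealthCheckConfig for `aws route53 create-health-check`: an HTTPS probe of the
    UAP hostname; three failed 30 s probes (about 90 s) mark the PRIMARY unhealthy."""
    return {
        "Type": "HTTPS",
        "FullyQualifiedDomainName": host,
        "Port": 443,
        "ResourcePath": "/",
        "RequestInterval": 30,
        "FailureThreshold": 3,
    }


def failover_change_batch(record_name=RECORD_NAME, primary=CEQUENCE_HOST,
                          secondary=ORIGIN_HOST, health_check_id=HEALTH_CHECK_ID, ttl=60):
    """ChangeBatch for `aws route53 change-resource-record-sets --change-batch file://...`.
    Both records share Name and Type; they differ by SetIdentifier and Failover role."""
    def rrset(set_id, role, target, hc_id=None):
        rec = {
            "Name": record_name,
            "Type": "CNAME",
            "SetIdentifier": set_id,
            "Failover": role,
            "TTL": ttl,
            "ResourceRecords": [{"Value": target}],
        }
        if hc_id:  # only the PRIMARY carries a health check; the SECONDARY is assumed healthy
            rec["HealthCheckId"] = hc_id
        return {"Action": "UPSERT", "ResourceRecordSet": rec}

    return {
        "Comment": "Cequence UAP primary, application origin secondary (fail-open)",
        "Changes": [
            rrset("cequence-uap-primary", "PRIMARY", primary, health_check_id),
            rrset("app-origin-secondary", "SECONDARY", secondary),
        ],
    }


def check_failover_batch(batch):
    """Return the misconfigurations that would quietly defeat fail-open (empty list = OK)."""
    problems = []
    rrsets = [c["ResourceRecordSet"] for c in batch["Changes"]]
    primaries = [r for r in rrsets if r.get("Failover") == "PRIMARY"]
    secondaries = [r for r in rrsets if r.get("Failover") == "SECONDARY"]
    if len(primaries) != 1:
        problems.append(f"expected exactly one PRIMARY record, found {len(primaries)}")
    if len(secondaries) != 1:
        problems.append(f"expected exactly one SECONDARY record, found {len(secondaries)}")
    for r in primaries:
        if not r.get("HealthCheckId"):
            problems.append("PRIMARY has no HealthCheckId: Route 53 can never detect a UAP outage")
    if len({(r["Name"], r["Type"]) for r in rrsets}) != 1:
        problems.append("failover records must share one Name and Type")
    for r in rrsets:
        if r.get("TTL", 0) > 60:
            problems.append(f"TTL {r['TTL']}s on {r['SetIdentifier']}: resolvers keep the stale target that long")
    return problems


if __name__ == "__main__":
    batch = failover_change_batch()
    print(json.dumps(batch, indent=2))
    print("problems:", check_failover_batch(batch) or "none")
```

The check matters because a PRIMARY record without a health check is accepted by Route 53 but never fails over, so the bypass path described above would silently not exist.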
Step 2: Configure Cequence UAP Origin
In this step, configure Cequence UAP as a new origin:
Application origin configured with an existing Amazon CloudFront distribution
Next, go to Origins > Create Origin and configure the Cequence UAP origin as shown in the image below.
Step 3: Configure Traffic Forwarding to Cequence UAP
To forward all application traffic to the Cequence UAP origin configured in the previous step, set Cequence UAP as the default origin.
- Go to Behaviors and select the behavior whose Path Pattern is Default (*)
Behaviors tab showing Default Path Pattern
- Click Edit to update the default behavior settings
- Under Origin and origin groups, select the Cequence Origin to make the change.
Behaviors tab after setting Cequence Origin for Default Path Pattern
At this point, all configuration changes are complete. Once deployed, the CloudFront distribution will forward all traffic to Cequence UAP by default.
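Steps 2 and 3 above are console steps; the same change can be applied to the DistributionConfig document that `aws cloudfront get-distribution-config` returns and `update-distribution` accepts. The following is an added example written for this guide, not Cequence's or AWS's own code. It adds the Cequence UAP origin (Step 2), points the Default (*) behavior at it (Step 3), and then audits the result the way a reviewer would: the default behavior targets Cequence, the origin is reached over TLS only, and no extra path-pattern behavior still sends traffic straight to the application origin and thereby skips inspection. EXISTING_CONFIG is a constructed stand-in for a real distribution, and the origin id "cequence-uap" is an assumed name.

```python
"""Steps 2 and 3 applied to a DistributionConfig (the shape returned by
`aws cloudfront get-distribution-config` and sent back with update-distribution).
Constructed example for this guide: EXISTING_CONFIG is a stand-in for a real
distribution, and the origin id "cequence-uap" is an assumed name."""
import copy
import json

CEQUENCE_ORIGIN_ID = "cequence-uap"                    # assumed origin id
CEQUENCE_ORIGIN_DOMAIN = "cq-origin-www.cq-route.com"  # Route 53 failover record from Step 1


def cequence_origin(origin_id=CEQUENCE_ORIGIN_ID, domain_name=CEQUENCE_ORIGIN_DOMAIN):
    """Origin entry for Step 2. https-only forces TLS from CloudFront to Cequence UAP,
    which is why the customer certificate mentioned in the Notes must be deployed there."""
    return {
        "Id": origin_id,
        "DomainName": domain_name,
        "OriginPath": "",
        "CustomHeaders": {"Quantity": 0},
        "CustomOriginConfig": {
            "HTTPPort": 80,
            "HTTPSPort": 443,
            "OriginProtocolPolicy": "https-only",
            "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
            "OriginReadTimeout": 30,
            "OriginKeepaliveTimeout": 5,
        },
    }


def add_cequence_origin(dist_config):
    """Step 2: append the Cequence UAP origin; returns a modified copy."""
    cfg = copy.deepcopy(dist_config)
    items = cfg["Origins"]["Items"]
    if not any(o["Id"] == CEQUENCE_ORIGIN_ID for o in items):
        items.append(cequence_origin())
        cfg["Origins"]["Quantity"] = len(items)  # Quantity must match Items or the API rejects it
    return cfg


def set_default_origin(dist_config, origin_id):
    """Step 3: point the Default (*) behavior at origin_id; returns a modified copy."""
    cfg = copy.deepcopy(dist_config)
    if origin_id not in {o["Id"] for o in cfg["Origins"]["Items"]}:
        raise ValueError(f"origin {origin_id!r} is not defined on this distribution")
    cfg["DefaultCacheBehavior"]["TargetOriginId"] = origin_id
    return cfg


def audit(dist_config):
    """Post-change review: is every request actually inspected, and over TLS? (empty list = OK)"""
    problems = []
    origins = {o["Id"]: o for o in dist_config["Origins"]["Items"]}
    if dist_config["DefaultCacheBehavior"]["TargetOriginId"] != CEQUENCE_ORIGIN_ID:
        problems.append("Default (*) behavior does not target the Cequence UAP origin")
    uap = origins.get(CEQUENCE_ORIGIN_ID)
    if uap is None:
        problems.append("Cequence UAP origin is missing")
    elif uap.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") != "https-only":
        problems.append("CloudFront -> Cequence UAP traffic is not forced over TLS")
    # Any extra path-pattern behavior that still targets the app origin is uninspected traffic.
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        if b["TargetOriginId"] != CEQUENCE_ORIGIN_ID:
            problems.append(f"behavior {b['PathPattern']} bypasses Cequence UAP via {b['TargetOriginId']}")
    return problems


# Constructed stand-in for the existing distribution (only the fields used here).
EXISTING_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "app-origin",
        "DomainName": "origin-www.cq-route.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "app-origin", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
}


def apply_steps_2_and_3(dist_config=EXISTING_CONFIG):
    """Run Step 2 then Step 3 and return the updated config."""
    return set_default_origin(add_cequence_origin(dist_config), CEQUENCE_ORIGIN_ID)


if __name__ == "__main__":
    updated = apply_steps_2_and_3()
    print(json.dumps(updated, indent=2))
    print("before:", audit(EXISTING_CONFIG))
    print("after:", audit(updated) or "none")
```

Both mutating functions return copies so the fetched config can be diffed against the result before it is sent back with the distribution's ETag; the audit is worth re-running whenever a new path-pattern behavior is added to the distribution later.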
Notes:
- As per CloudFront documentation, to ensure SSL/TLS connectivity between CloudFront and the Cequence UAP origin, the Cequence team will work with the customer to deploy a customer-provided SSL/TLS certificate on Cequence.
- Using Route 53 is not mandatory for traffic management here. A different DNS-based load balancing solution that offers health checks and failover-based routing can also be used.