The MuleSoft Flex Gateway's connected mode enables a self-managed Flex Gateway instance to connect to Anypoint Platform for centralized management, configuration, and monitoring. In connected mode, the control plane maintains a persistent WebSocket connection to the Anypoint Runtime Manager (ARM) service on the self-managed instances, which enables real-time synchronization of API configurations, policies, and runtime settings from Anypoint Platform to your gateway instances.

In connected mode, Flex Gateway acts as a managed agent that automatically receives API definitions, policy configurations, and runtime updates from Anypoint Platform's API Manager, removing the need for manual configuration file management. This design enables organizations to deploy gateways in their own infrastructure — on-premises, in private clouds, or at edge locations — while maintaining centralized control and visibility through Anypoint Platform's unified interface. The gateway continuously streams operational logs, metrics, and events to Anypoint Platform's ingestion services, supporting comprehensive monitoring, troubleshooting, and analytics from a single dashboard.

Passive integration limitations

Before you begin, note the following limitations of the Cequence Unified API Protection (UAP) platform's passive integration with MuleSoft Flex Gateway.

• The Gateway log level must be equal to or higher than the Message Log policy log level. For example, when the Message Logging policy is set to INFO, set the Gateway log level to INFO as well.
• When the payload uses content-encoding, Flex Gateway cannot log the payload. As a result, the Cequence API Proxy receives a blank body when processing the payload metadata.
• The Cequence Proxy App collects, stitches the client-server transaction data, and posts the metadata to UAP on a schedule (defaults to 60 seconds) to reduce resource requirements. Users should expect delays of up to 60 seconds in viewing the transactions in Cequence UAP dashboards.
• The Mulesoft Fle Gateway connected-mode integration is currently supported only for Docker and EKS deployments.

Passive integration flow

The following steps describe the end-to-end flow for passive integration between Flex Gateway and the Cequence UAP platform.

1. A client sends a request to the upstream service; Flex Gateway receives the request.
2. Flex Gateway forwards the request to the upstream service.
3. The upstream service returns a response. The message logging policy, which is configured per API and runs on the gateway, captures both the request and the response.
4. The downstream client receives the response from the upstream service.
5. The Cequence Proxy App on CloudHub 2.0 runs on a 60-second cron schedule. The proxy app pulls logs from Anypoint Monitoring, correlates requests with responses, authenticates using OAuth, and sends the assembled transaction data to the Cequence UAP platform. Anypoint Monitoring stores access logs that the policy produces, up to 30 KB per log entry.
6. Cequence Edge or Bridge receives and processes the API transaction data and makes it available in the Cequence UAP platform.

Prerequisites

Before you begin, ensure the following software versions and resources are available.

• MuleSoft Flex Gateway version 1.11.4
• Cequence policy bundle version 1.0.0
• Cequence client ID and client secret
• Anypoint client ID and client secret
• MuleSoft environment ID and organization ID

Log level reference

The following log levels are available for the cequence_log_level property.

• WARN — logs failure events only. This is the recommended setting for production setup.
• INFO — logs informational events in addition to failures.
• DEBUG — logs detailed diagnostic output. 

After setting cequence_log_level, enable the corresponding level in the Anypoint dashboard to view logs at that level.

Generate a Cequence client ID and client secret

Several Cequence components must authenticate to the Cequence UAP platform to transmit and receive data. The following procedure creates the authentication credentials those components require.

1. Log in to the Cequence UAP management portal. The URL has the form https://ui.your-tenant-name.domain.
2. Navigate to General Settings User Management. The User Management pane appears.
3. Select the Clients tab.
4. Click Add New Client. The new client dialog box appears.
5. In the Client Name field, type a name for the client. This value becomes the client ID; note it for later use.
6. Enable the Traffic Management toggle.
7. Optional: To change the token lifespan from the default 1800 seconds, enter a value in seconds in the Token Lifespan field.
8. Click Save. A dialog box displays the client secret.
9. Click the copy icon to copy the secret to the clipboard, then click Close. The client list appears.
10. Note the client secret value. For security reasons, the Cequence UAP platform does not display this value again.

Configure Anypoint monitoring permissions

The Cequence Proxy App requires an Anypoint Connected App with API Manager Environment Administrator scope to retrieve logs from Anypoint Monitoring. The following procedure creates the Connected App and assigns the required permissions. The resulting client ID and client secret are the anypoint_client_id and anypoint_client_secret values used later when deploying the proxy application.

1. Log in to Anypoint Platform, then navigate to Administration Access Management.
2. From the left sidebar, select Connected Apps.
3. In the Owned Apps list, click the name of your app — for example, MyTokenApp.
4. On the Update App page, select App acts on its own behalf (client credentials).
5. Scroll to the Scopes section and click Add Scopes.
6. In the dialog, expand API Manager, then expand and select API Manager Environment Administrator.
7. Click Next.
8. Select the checkbox next to your business group, then select the environment where your APIs are configured.
9. Click Next.
10. Verify that the summary shows the correct scope (Anypoint Monitoring Monitoring Viewer) and business group, then click Add Scopes.
11. On the Update App page, click Save changes and wait for the success notification.

Find the Anypoint environment and organization IDs

The Cequence Proxy App requires the Anypoint environment and organization IDs as configuration properties. The following procedure retrieves both values from the Anypoint Platform portal.

1. Log in to Anypoint Platform, then click the gear icon at the top right and select Access Management.
2. In the right panel, click Business group and select your organization.
3. Select the Environments tab, then choose your configured environment — for example, Sandbox, Prod, or Dev.

4. Note the environment and organization IDs from the page URL. The URL has the following structure, where the IDs appear as path segments:

   Organisation ID = 6c40ac71-1234-abcd-yyyy-xxxxxxx
   Environment ID  = b1ecea75-1234-abcd-yyyy-xxxxxxx

Create the Cequence Proxy App

The Cequence Proxy App runs on CloudHub 2.0 and is responsible for pulling logs from Anypoint Monitoring, correlating transactions, and forwarding data to the Cequence UAP platform. The following procedure deploys and configures the proxy application.

1. Download the Cequence bundle as described in the prerequisites.

2. Extract the archive:

   tar xvzf cequence-self-connected-flexgateway-passive.tar.gz

   The mulesoft_flexgateway_connected_mode_cequence_plugin directory contains cequence-api-proxy-1.0.0-mule-application.jar, a Script folder, and a readme.md file.

3. Log in to MuleSoft Anypoint Platform, then navigate to Runtimes > Runtime Manager.
4. Navigate to Applications > Deploy Application and select CloudHub 2.0 as the deployment target.
5. Enter a name for the application — for example, cequence-api-proxy — then select the cequence-api-proxy-1.0.0-mule-application.jar file to upload.

6. In the properties section, switch to Text View and paste the following configuration block, substituting values as described in the table that follows:

   cequence_transactions_endpoint_url=https://<edge-or-bridge-fqdn>/api-transactions
   cequence_client_id=<cequence-client-id>
   cequence_client_secret=<cequence-client-secret>
   cequence_auth_endpoint_url=https://<auth-fqdn>/auth/realms/<realm>/protocol/openid-connect/token
   cequence_log_level=WARN
   send_to_uap=true
   apis_to_include=all
   anypoint_client_id=<anypoint-client-id>
   anypoint_client_secret=<anypoint-client-secret>
   environment=<anypoint-environment-id>
   organization=<anypoint-organization-id>

   Property	Description
   cequence_transactions_endpoint_url	Fully qualified URL of the Cequence Edge or Bridge transactions endpoint.
   cequence_client_id	The Client ID generated earlier.
   cequence_client_secret	The Client secret generated earlier.
   cequence_enable_auth	Enables authentication with the Cequence UAP platform. Default: true.
   cequence_auth_endpoint_url	Fully qualified URL of the Cequence UAP authentication endpoint.
   cequence_log_level	Log verbosity. Set to WARN for production environments.
   send_to_uap	When true, sends transactions to the Cequence UAP platform. When false, processes transactions locally only (useful for debugging).
   apis_to_include	Set to all to include all APIs, or provide a comma-separated list of API instance IDs — for example, API_instanceID1,API_instanceID2.
   anypoint_client_id	Anypoint Connected App client ID.
   anypoint_client_secret	Anypoint Connected App client secret.
   environment	Anypoint environment ID.
   organization	Anypoint organization ID.

7. Click Deploy Application. The JAR file uploads and the application deploys to MuleSoft Runtime.
8. On the cequence-api-proxy application page, verify that Application Status shows Running.
9. From the left menu, select Logs to review deployment logs.

Configure the message logging policy

The message logging policy captures API request and response data that the Cequence Proxy App forwards to the Cequence UAP platform. You can configure this policy manually through the Anypoint API Manager UI, or automatically using the script included in the Cequence bundle. The automated approach is recommended for environments with multiple APIs.

Configure the policy using the automation script (recommended)

The Cequence bundle includes a script that applies or removes the message logging policy across all configured APIs. This approach is recommended when you have multiple APIs. Before you begin, ensure that curl and Python 3.x are installed, and that you have extracted the Cequence bundle as described in Create the Cequence Proxy App.

1. Navigate to the Script folder within the extracted bundle directory.

2. Copy the example environment file:

   cp .env.example .env

3. Open .env in a text editor and substitute the following values:

   anypoint_client_id="<anypoint-client-id>"
   anypoint_client_secret="<anypoint-client-secret>"
   organization="<anypoint-organization-id>"
   environment="<anypoint-environment-id>"
   base_url="https://anypoint.mulesoft.com"
   policy_label="cequence-message-log-flex-gw"

   Variable	Description
   anypoint_client_id	Anypoint client ID.
   anypoint_client_secret	Anypoint client secret.
   organization	Anypoint organization ID.
   environment	Anypoint environment ID.
   base_url	Anypoint base URL. The default value is correct for most deployments.
   policy_label	Label used to identify the policy. Change this value only when you need to distinguish between multiple policy instances.

4. Assign execute permission to the script:

   chmod +x apply-message-logging-policy.sh

5. Apply the message logging policy:

   ./apply-message-logging-policy.sh

   Wait a few seconds for the script to complete.

6. In Anypoint Platform, navigate to APIs API Manager Automated Policies and verify that the message logging policy appears in the list.

To remove the message logging policy, run the following command, then navigate to APIs API Manager Automated Policies and verify that the policy no longer appears.

./apply-message-logging-policy.sh --remove

Configure the policy manually (optional) 

The following procedure applies the message logging policy through the Anypoint API Manager UI.

1. Log in to Anypoint Platform, then navigate to APIs API Manager.
2. From the left panel, select Automated Policies.
3. Click Add Automated Policy and search for message logging.
4. Select the radio button for the message logging policy and click Next.
5. Configure each of the three separate logging configurations as described in the tables below, then save the policy.

Configuration 1 — Request headers

Configuration 2 — Request headers and body

#[ "Request LOG | reqId=" ++ (vars.reqId default 'NO_REQID')
   ++ " | Content-Type=" ++ (attributes.headers['Content-Type'] default 'NO_CTYPE')
   ++ " | User-Agent=" ++ (attributes.headers['User-Agent'] default 'NO_UA')
   ++ " | Host=" ++ (attributes.headers['Host'] default 'NO_HOST')
   ++ " | Authorization=" ++ (attributes.headers['Authorization'] default 'NO_AUTH')
   ++ " | payload=" ++ (payload default 'NO_PAYLOAD') ]

Configuration 3 — Response full

#[ "Response LOG | reqId=" ++ (vars.reqId default 'NO_REQID')
++ " | Content-Type=" ++ (attributes.headers['content-type'] default 'NO_CTYPE')
++ " | Content-Length=" ++ (attributes.headers['content-length'] default 'NO_CLEN')
++ " | Content-Encoding=" ++ (attributes.headers['content-encoding'] default 'NO_CENC')
++ " | Transfer-Encoding=" ++ (attributes.headers['transfer-encoding'] default 'NO_TE')
++ " | Server=" ++ (attributes.headers['server'] default 'NO_SERVER')
++ " | Date=" ++ (attributes.headers['date'] default 'NO_DATE')
++ " | Accept=" ++ (attributes.headers['accept'] default 'NO_ACCEPT')
++ " | X-Forwarded-For=" ++ (attributes.headers['x-forwarded-for'] default 'NO_XFF')
++ " | X-Request-Id=" ++ (attributes.headers['x-request-id'] default 'NO_XRID')
++ " | User-Agent=" ++ (attributes.headers['user-agent'] default 'NO_UA')
++ " | Host=" ++ (attributes.headers['host'] default 'NO_HOST')
++ " | Authorization=" ++ (attributes.headers['authorization'] default 'NO_AUTH')
++ " | payload=" ++ (payload default 'NO_PAYLOAD') ]

Test the integration

After deploying the proxy application and configuring the message logging policy, send test traffic through Flex Gateway and verify that transactions appear in the Cequence UAP platform.

1. Note the base path of the API you configured and the port number used in your Docker or EKS deployment (the default Docker port is 8081).

2. Send a request to the gateway:

   http://localhost:8081/<basepath>/<uri>

   For example:

   http://localhost:8081/echo/get

3. Monitor the Cequence Proxy App logs and the message logs in the Anypoint Platform for any errors.
4. Check the Cequence UAP Discovery dashboard to see the endpoint accessed. There will be a delay of up to 60 seconds before the events appear in the UAP dashboards due to the scheduler architecture of the passive integration.

Disable the integration

To disable passive integration, remove the message logging policy from all APIs. From the MuleSoft Anypoint portal, navigate to API Manager Automated Policies, open the three-dot menu on the Message Logging policy row, and select Remove Policy.

Uninstall the Cequence Proxy App

To uninstall the Cequence API Proxy, navigate to the Runtime Manager section of the MuleSoft Anypoint portal. Select the cequence-proxy-app application, then select Delete from the drop-down menu at the top right of the page.

Troubleshooting

For log monitoring, navigate to the Anypoint Monitoring CloudHub settings page. You can also set the cequence_log_level variable in the Cequence Proxy App to DEBUG to gather detailed diagnostic events to identify issues with the integration.

https://anypoint.mulesoft.com/monitoring/#/settings/cloudhub