Article purpose
There are two basic approaches for integrating Cequence Unified API Protection (UAP) into an Apigee proxy configuration: inline, using Cequence Defender, and passive, allowing the Apigee gateway to send transactions directly to the Cequence Unified API Edge (traffic ingestion) API endpoint. See Apigee Integration Overview for a general overview. See Apigee Integration Steps: Passive for instructions for integrating Cequence UAP in passive mode.
This article provides instructions for inline integration of the Cequence Defender to an existing Apigee Edge, Apigee X, or a hybrid Apigee installation. This article uses Apigee Edge UI for illustration. Steps in other Apigee packages are similar.
The reader should be familiar with their own existing or anticipated Apigee configuration.
Cequence - Apigee: Shared Flow Integration
In inline integration, API traffic is routed through Cequence Defender. This type of deployment supports API Spartan based mitigation, and API Sentinel discovery and risk analysis. There are two inline integration approaches: Upstream and Hairpin.
The Cequence Customer Success Team will advise and assist with the deployment to best match your requirements.
Inline Configuration
Upstream and Hairpin flavors both rely on Apigee’s RouteRule, Conditional Target and Load Balancing features.
Inline Upstream
Inline Upstream deployment inserts Cequence UAP directly into the data flow such that requests and responses flow through Cequence UAP to/from the existing API backend (origin). Cequence UAP functions as a reverse proxy. A failover path is configured to bypass Cequence UAP if warranted and maintain connectivity to the origin.
Inline Upstream Data Flow
In Inline Upstream configurations, Cequence UAP is configured as the target backend. When Cequence UAP receives the request, it handles it internally, obtains the key information, and then forwards it to the origin server(s). If Cequence API Spartan policies are enabled, requests and responses are vetted, and, based on policy, malicious requests can be blocked or redirected. The origin API services are configured as the 'load-balance' backup, so that in the unlikely event that Cequence UAP becomes unavailable, service between the originating client and the API services is maintained. The data flow is:
- Client sends an API request to the application via the Apigee Proxy.
- Apigee Proxy forwards the request to Cequence UAP. Cequence processes the request and, based on Cequence UAP API Spartan mitigation policies, determines if the request is safe. If the request is determined to be unsafe, it blocks or redirects the request before the request reaches the application.
- Vetted API requests are delivered to the application API origin.
- The application responds back to Cequence UAP, where it is recorded and further analyzed for sensitive data.
- The response is forwarded back to the Apigee Proxy.
- The Apigee Proxy returns the response to the originating client.
Hairpin
In Inline Hairpin configurations, Cequence UAP is configured as the target backend. When Cequence UAP receives the request, it handles it internally, obtains the key information, and then forwards it back to Apigee. If Cequence API Spartan policies are enabled, requests and responses are vetted, and, based on policy, malicious requests can be blocked or redirected. The API backend services are configured as 'load-balance' backup, so that in the unlikely event that Cequence UAP becomes unavailable, service between the API client and API backend services is maintained. The data flow is:
Inline Hairpin Data Flow
- Client sends an API request to the application via the Apigee Proxy.
- Apigee Proxy forwards the request to Cequence UAP. Cequence processes the request and, based on Cequence UAP API Spartan mitigation policies, blocks or redirects it if it is determined to be unsafe.
- Cequence UAP vetted requests are returned back to the Apigee Proxy.
- Apigee Proxy configured Conditional Target instructs Apigee to forward the request to the API backend.
- API Backend processes the request and responds back to Apigee Proxy.
- Apigee Proxy sends that response to Cequence.
- Cequence processes the response and returns it to Apigee Proxy.
- Apigee sends the response down to the client.
Inline Mode Integration Steps
Configuration steps 1 - 4 are executed for both Inline Upstream and Inline Hairpin configurations. Steps 5 and 6 are specific to Inline Upstream and Inline Hairpin respectively.
1. Review Existing Configuration
Start by opening the Apigee UI (https://apigee.com/edge) and navigating to Develop:: API Proxies to look at a typical application configuration. In this example, a typical pre-Cequence UAP integration configuration would look similar to the following:
In this example, the "Target Endpoint" 'default' is assigned to URL "https://www.httpbin.org" with an Apigee assigned public URL of "https://amer-api-partner53-dev.apigee.net/".
Reviewing the existing Proxy Endpoints' and Target Endpoints' XML code we see the following:
Proxy Endpoints:
Target Endpoints:
2. Create Target Servers
2.1 New target server for Cequence UAP endpoint for Cequence tenant.
This step creates a new target server configured with the Cequence UAP tenant URL for your organization. The Cequence UAP tenant URL will be similar to '<company_name>.cequence.cloud'. (This example uses the fictional tenant host URL "acmecorp.cequence.cloud". )
In the Apigee UI, navigate to Admin: Environments: Target Server and add (+ Target server). Name this new server "cequence-targetserver" (we'll refer to this name later). Enter the host name.
2.2 Create target server endpoint for origin.
Create a named target server endpoint for the origin server URL named "origin-targetserver". The result will look similar to the following:
3. Configure API Proxy to target 'cequence-targetserver'
In the Apigee UI, return to Develop: API Proxies. This step revises the API Proxy target to 'cequence-targetserver' and configures 'origin-targetserver' as the fallback.
Open the Apigee portal and select the Develop tab (on the upper right). Click the (+) next to Target Endpoints to add a New Target Endpoint, name it "cequence-lb", select HTTP, and enter your Cequence tenant host subdomain (e.g. "https://acme.cequence.cloud"). Complete this dialog with "Add". Example below:
4. Import Cequence Templates
Cequence provides templates for the Inline Upstream and the Inline Hairpin configurations. Import these into your Apigee tenant for reference and source copy. Download the following:
Upload each by first navigating to Develop::API Proxies and clicking the + Proxy action (upper right) to open the Create Proxy dialog. Select "Upload proxy bundle" and complete the upload to create a new API Proxy for each template.
For Inline Upstream, continue with step 5, Inline Upstream.
For Inline Hairpin, jump to step 6, Inline Hairpin.
5. Inline Upstream - API Proxy
5.1 Inline Upstream - Proxy Endpoints
Open a second browser window to the Apigee UI. Keep one window on your application API Proxy and open the other to the imported cequence-inline-upstream-template API Proxy. In both, open the Develop tab and then the Proxy Endpoints default. The cequence-inline-upstream-template code will be similar to the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- © 2022 Cequence Security, Inc. All rights reserved. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>cequence-lb</TargetEndpoint>
  </RouteRule>
  <Description>© 2022 Cequence Security, Inc. All rights reserved.</Description>
</ProxyEndpoint>
Modify your existing API Proxy to match the cequence-inline-upstream-template XML code. In most cases you can simply copy and paste the template code to overwrite the existing Proxy Endpoint XML. If there are previous modifications you want to keep, merge the contents, paying special attention to the RouteRule object. Save the modifications as a new Revision (select "Project" and "Save as New Revision").
5.2 Inline Upstream - Target Endpoints
We'll do the same for Target Endpoints. In each browser window, open Target Endpoints while staying in Develop view mode. The cequence-inline-upstream-template Target Endpoint code will look similar to the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- © 2022 Cequence Security, Inc. All rights reserved. -->
<TargetEndpoint name="cequence-lb">
  <Description>© 2022 Cequence Security, Inc. All rights reserved.</Description>
  <FaultRules/>
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <Flows/>
  <HTTPTargetConnection>
    <LoadBalancer>
      <Algorithm>RoundRobin</Algorithm>
      <Server name="cequence-targetserver"/>
      <Server name="origin-targetserver">
        <IsFallback>true</IsFallback>
      </Server>
      <MaxFailures>1</MaxFailures>
    </LoadBalancer>
    <HealthMonitor>
      <IsEnabled>true</IsEnabled>
      <IntervalInSec>60</IntervalInSec>
      <HTTPMonitor>
        <Request>
          <Verb>GET</Verb>
          <Path>/.stealth-check</Path>
        </Request>
        <SuccessResponse>
          <ResponseCode>200</ResponseCode>
        </SuccessResponse>
      </HTTPMonitor>
    </HealthMonitor>
  </HTTPTargetConnection>
</TargetEndpoint>
Copy or merge this source code into your Apigee application proxy Target Endpoint code. Preserve the LoadBalancer and HealthMonitor sections. Save the modifications as a new revision.
Jump ahead to step 7, Deployment.
6. Inline Hairpin - API Proxy
The Hairpin integration approach requires a shared secret key, which will be provided by Cequence Customer Success. This key is part of an injected header added to each message before forwarding. It is used as one part of securing the exchange between the Apigee Proxy and Cequence UAP SaaS.
6.1 Inline Hairpin - Proxy Endpoints
Open a second browser window to the Apigee UI. Keep one window on your application API Proxy and navigate in the other to the newly imported cequence-inline-hairpin-template API Proxy. In both, open the Develop tab and then the Proxy Endpoints default. The cequence-inline-hairpin-template code will be similar to the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- © 2022 Cequence Security, Inc. All rights reserved. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="RouteToOrigin">
    <Condition>request.header.cq-select = "SECRET_SHARED_KEY"</Condition>
    <TargetEndpoint>origin</TargetEndpoint>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>cequence-lb</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
Modify your existing API Proxy to match the cequence-inline-hairpin-template XML code. Usually you can simply copy and paste from the template to your proxy. If there are already modifications to the default XML, carefully merge the template into your existing code, keeping the RouteRule order: the conditional "RouteToOrigin" rule first, the unconditional "default" rule last.
Replace "SECRET_SHARED_KEY" with the secret key provided to you by Cequence Customer Success.
Save the modifications as a new Revision (select "Project" and "Save as New Revision").
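To make the hairpin routing concrete, here is an added illustration (not Cequence's or Apigee's code) that models how the two RouteRules above select a target: a client request with no cq-select header goes to cequence-lb, while the request Cequence UAP returns to Apigee, carrying the shared key, matches RouteToOrigin and goes to the origin. The evaluator assumes Apigee semantics of first-matching-rule-in-document-order and case-insensitive header names, models only the `request.header.<name> = "<value>"` condition form used on this page, and uses a constructed sample value in place of the real secret.

```python
"""Added illustration, not Cequence's or Apigee's code: a simplified model of
how Apigee picks a RouteRule in the hairpin ProxyEndpoint above.

Assumed semantics: RouteRules are evaluated in document order, the first rule
whose Condition is true wins, and a rule with no Condition always matches
(so it must be last). Only the `request.header.<name> = "<value>"` condition
form used on this page is modelled; header-name matching is case-insensitive.
"""
import re
import xml.etree.ElementTree as ET

# Hairpin ProxyEndpoint from this article, reduced to its RouteRules, with the
# SECRET_SHARED_KEY placeholder replaced by a constructed sample value.
HAIRPIN_PROXY_XML = """<ProxyEndpoint name="default">
  <RouteRule name="RouteToOrigin">
    <Condition>request.header.cq-select = "example-shared-secret-not-real"</Condition>
    <TargetEndpoint>origin</TargetEndpoint>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>cequence-lb</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>"""

_COND_RE = re.compile(r'^\s*request\.header\.([\w\-]+)\s*=\s*"([^"]*)"\s*$')


def load_route_rules(proxy_xml):
    """Return [(rule_name, condition_or_None, target_endpoint)] in document order."""
    root = ET.fromstring(proxy_xml)
    return [
        (rule.get("name"), rule.findtext("Condition"), rule.findtext("TargetEndpoint"))
        for rule in root.findall("RouteRule")
    ]


def condition_matches(condition, headers):
    """Evaluate one Condition against a dict of request headers."""
    if condition is None:  # unconditional rule: always matches
        return True
    m = _COND_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    name, expected = m.groups()
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower()) == expected


def select_target(rules, headers):
    """Return (rule_name, target_endpoint) for the first matching RouteRule."""
    for name, cond, target in rules:
        if condition_matches(cond, headers):
            return name, target
    return None, None


def default_rule_is_last(rules):
    """Merge check: exactly one unconditional rule, and it is the last one.
    An unconditional rule placed earlier would shadow RouteToOrigin."""
    unconditional = [i for i, (_, cond, _) in enumerate(rules) if cond is None]
    return unconditional == [len(rules) - 1]


if __name__ == "__main__":
    rules = load_route_rules(HAIRPIN_PROXY_XML)
    # First pass: client request arriving at Apigee, no cq-select header.
    print(select_target(rules, {"Host": "amer-api-partner53-dev.apigee.net"}))
    # Second pass: request returned from Cequence UAP carrying the shared key.
    print(select_target(rules, {"cq-select": "example-shared-secret-not-real"}))
    print(default_rule_is_last(rules))
```

The `default_rule_is_last` check is the one to run after merging the template into a proxy that already had its own RouteRules: if the unconditional rule ends up first, every request, including the ones Cequence hands back, is sent to cequence-lb again.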
6.2 Inline Hairpin - Target Endpoints
We'll do the same for Target Endpoints. In each browser window, open Target Endpoints while staying in Develop view mode. The cequence-inline-hairpin-template Target Endpoint code will look similar to the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- © 2022 Cequence Security, Inc. All rights reserved. -->
<TargetEndpoint name="cequence-lb">
  <Description>© 2022 Cequence Security, Inc. All rights reserved.</Description>
  <FaultRules/>
  <PreFlow name="PreFlow">
    <Request/>
    <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <Flows/>
  <HTTPTargetConnection>
    <LoadBalancer>
      <Algorithm>RoundRobin</Algorithm>
      <Server name="cequence-targetserver"/>
      <Server name="origin-targetserver">
        <IsFallback>true</IsFallback>
      </Server>
      <MaxFailures>1</MaxFailures>
    </LoadBalancer>
    <HealthMonitor>
      <IsEnabled>true</IsEnabled>
      <IntervalInSec>60</IntervalInSec>
      <HTTPMonitor>
        <Request>
          <Verb>GET</Verb>
          <Path>/.stealth-check</Path>
        </Request>
        <SuccessResponse>
          <ResponseCode>200</ResponseCode>
        </SuccessResponse>
      </HTTPMonitor>
    </HealthMonitor>
  </HTTPTargetConnection>
</TargetEndpoint>
Merge this source code into your Apigee application proxy Target Endpoint code. Note and preserve the LoadBalancer and HealthMonitor sections. Save the modifications as a new revision.
7. Deployment
Your Inline installation code changes should now be complete.
Ask your Cequence Customer Success Team to review and confirm all changes.
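Before handing the revision to Customer Success, it is worth linting the merged XML for the slips the steps above are most likely to leave behind: a RouteRule pointing at a TargetEndpoint that does not exist, the SECRET_SHARED_KEY placeholder still in place, or the LoadBalancer fallback and HealthMonitor lost during a merge. The following is an added pre-deployment check, not Cequence's or Apigee's tooling. Its samples are constructed from the hairpin template on this page; the "origin" TargetEndpoint is an assumed minimal one pointing at the origin-targetserver from step 2.2, since the article does not show it.

```python
"""Added pre-deployment check, not Cequence's or Apigee's tooling: lint the
merged ProxyEndpoint and TargetEndpoint XML from the steps above.

Samples are constructed from the hairpin template on this page; the "origin"
TargetEndpoint is an assumed minimal one (hypothetical, not from the article).
"""
import xml.etree.ElementTree as ET

# Hairpin ProxyEndpoint as imported, i.e. with the placeholder NOT yet replaced.
PROXY_XML = """<ProxyEndpoint name="default">
  <HTTPProxyConnection><BasePath>/</BasePath><VirtualHost>secure</VirtualHost></HTTPProxyConnection>
  <RouteRule name="RouteToOrigin">
    <Condition>request.header.cq-select = "SECRET_SHARED_KEY"</Condition>
    <TargetEndpoint>origin</TargetEndpoint>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>cequence-lb</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>"""

TARGET_XMLS = [
    # cequence-lb target from the article (Description and empty flows omitted)
    """<TargetEndpoint name="cequence-lb">
  <HTTPTargetConnection>
    <LoadBalancer>
      <Algorithm>RoundRobin</Algorithm>
      <Server name="cequence-targetserver"/>
      <Server name="origin-targetserver"><IsFallback>true</IsFallback></Server>
      <MaxFailures>1</MaxFailures>
    </LoadBalancer>
    <HealthMonitor>
      <IsEnabled>true</IsEnabled>
      <IntervalInSec>60</IntervalInSec>
      <HTTPMonitor>
        <Request><Verb>GET</Verb><Path>/.stealth-check</Path></Request>
        <SuccessResponse><ResponseCode>200</ResponseCode></SuccessResponse>
      </HTTPMonitor>
    </HealthMonitor>
  </HTTPTargetConnection>
</TargetEndpoint>""",
    # assumed minimal origin target (hypothetical, not from the article)
    """<TargetEndpoint name="origin">
  <HTTPTargetConnection>
    <LoadBalancer><Server name="origin-targetserver"/></LoadBalancer>
  </HTTPTargetConnection>
</TargetEndpoint>""",
]

PLACEHOLDER = "SECRET_SHARED_KEY"


def lint_bundle(proxy_xml, target_xmls):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    proxy = ET.fromstring(proxy_xml)
    targets = {t.get("name"): t for t in map(ET.fromstring, target_xmls)}

    # 1. Every RouteRule must point at a TargetEndpoint that exists, and the
    #    hairpin placeholder must have been replaced with the real key.
    for rule in proxy.findall("RouteRule"):
        target = rule.findtext("TargetEndpoint")
        if target not in targets:
            findings.append(f"RouteRule {rule.get('name')!r}: TargetEndpoint {target!r} does not exist")
        if PLACEHOLDER in (rule.findtext("Condition") or ""):
            findings.append(f"RouteRule {rule.get('name')!r}: {PLACEHOLDER} placeholder not replaced")

    # 2. The cequence-lb target must keep its failover path and health check
    #    (steps 5.2 / 6.2: preserve the LoadBalancer and HealthMonitor sections).
    lb_target = targets.get("cequence-lb")
    if lb_target is None:
        findings.append("TargetEndpoint 'cequence-lb' is missing")
        return findings
    lb = lb_target.find("HTTPTargetConnection/LoadBalancer")
    servers = {s.get("name"): s for s in lb.findall("Server")} if lb is not None else {}
    if "cequence-targetserver" not in servers:
        findings.append("cequence-lb: Server 'cequence-targetserver' missing from LoadBalancer")
    origin = servers.get("origin-targetserver")
    if origin is None or origin.findtext("IsFallback") != "true":
        findings.append("cequence-lb: 'origin-targetserver' is not marked IsFallback=true (no failover path)")
    monitor = lb_target.find("HTTPTargetConnection/HealthMonitor")
    if monitor is None or monitor.findtext("IsEnabled") != "true":
        findings.append("cequence-lb: HealthMonitor missing or disabled")
    elif monitor.findtext("HTTPMonitor/SuccessResponse/ResponseCode") != "200":
        findings.append("cequence-lb: HealthMonitor SuccessResponse should expect 200")
    return findings


if __name__ == "__main__":
    for finding in lint_bundle(PROXY_XML, TARGET_XMLS) or ["clean"]:
        print(finding)
```

Run against the as-imported sample it reports exactly one finding, the unreplaced placeholder; once the real key is in place and both TargetEndpoints exist it reports nothing. For an Upstream proxy the same function applies, since the only difference is the absence of the RouteToOrigin rule.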
Attachments
- Cequence Inline Upstream template
- Cequence Inline Hairpin template
- Cequence API Proxy
Version History
Date | Version | Notes |
Jun 22, 2024 | 5 | Updated with latest Apigee screenshots. |
Sep 20, 2023 | 4 | Updated for caching tokens across multiple calls. |
July 25, 2023 | 3 | Updated for newer FlowCallout policy support. |
Feb 4, 2023 | 2 | Updated with improved layout. |
Jan 14, 2023 | 1 | Initial version. |