Cequence API Security Platform (ASP) can be natively integrated with the Kong API Gateway. Inline Integration is enabled by updating an existing Kong Service.
Inline Integration
API traffic is routed from Kong to Cequence en route to the API server.
Inline Data flow - Upstream Deployment
- API Client sends a request to the application which will be received and handled by the Kong Gateway
- Within Kong Gateway, the respective service forwards the request to Cequence API Security Platform (ASP), where it is recorded and processed for discovery, analysis, and threat mitigation. At this point the request can be blocked, redirected, or otherwise mitigated by Cequence's threat mitigation policy action, if one is configured.
- Vetted requests are forwarded by Cequence ASP to the application API server where it is handled.
- The API Response is forwarded back to Cequence ASP.
- Cequence ASP reviews the response for sensitive data, records relevant information, and returns it to the Kong Gateway.
- Kong Gateway sends the response downstream to the API client.
Notes on Integration Steps - Upstream Deployment:
- The existing Kong Service hostname will be replaced by a load-balanced hostname that points at the Cequence ASP hostname as the primary and the API backend service hostname as the secondary, with appropriate health checks in place. This applies when both the Cequence ASP and API backend service hostnames are resolvable externally.
- For internal backends, the service hostname will be made to point at an upstream host created on Kong. The upstream internally points at two targets: one with weight 1000, the other with weight 1 (since Kong has no native failover-based load balancing). This ensures that only 1 out of every 1000 requests is routed directly to the API backend service. In the event of a Cequence failure, all requests will be routed to the API backend service.
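The following decK declarative configuration is an added example, not Cequence's or Kong's own documentation, showing the Upstream Deployment for an internal backend as described above: a Kong Service whose host is an upstream with the weighted ASP and backend targets and active/passive health checks. The service name, hostnames, ports and the health-check path are assumed placeholders.

```yaml
# Added example (not from the original page): decK declarative config for the
# Upstream Deployment with an internal backend. Hostnames, ports, the
# health-check path and the service name are assumed placeholders.
_format_version: "3.0"

services:
  - name: orders-api
    # The service host is the Kong upstream name, not a DNS hostname.
    host: cequence-asp-upstream
    port: 443
    protocol: https
    routes:
      - name: orders-api-route
        paths:
          - /orders

upstreams:
  - name: cequence-asp-upstream
    algorithm: round-robin
    healthchecks:
      active:
        type: https
        http_path: /healthz          # assumed ASP health endpoint
        healthy:
          interval: 5
          successes: 2
        unhealthy:
          interval: 5
          http_failures: 3
          timeouts: 3
      passive:
        unhealthy:
          http_failures: 3
          timeouts: 3
    targets:
      # Primary: Cequence ASP. Weight 1000 so nearly all traffic is inspected.
      - target: asp.cequence.internal:443
        weight: 1000
      # Secondary: the API backend directly. Weight 1 keeps the target
      # registered so Kong fails over to it once the ASP target is marked
      # unhealthy. As the notes above state, about 1 in 1000 requests reaches
      # the backend without passing through ASP even while ASP is healthy;
      # weight 0 would disable the target and remove the failover path.
      - target: orders-backend.internal:8443
        weight: 1
```

Apply with `deck sync` (or `deck gateway sync` on newer decK releases) against the Kong Admin API, then confirm the target health state under the upstream's health endpoint before cutting production traffic over.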
Inline Data flow - Hairpin Deployment
- API Client sends a request to the application which will be received and handled by the Kong Gateway.
- Within Kong Gateway, the respective service forwards the request to Cequence API Security Platform (ASP), where it is recorded and processed for discovery, analysis, and threat mitigation. At this point the request can be blocked, redirected, or otherwise mitigated by Cequence's threat mitigation policy action, if one is configured.
- Vetted requests are forwarded by Cequence ASP back to the Kong Gateway.
- Kong Gateway forwards the request to the application API server where it is handled.
- The API Server responds back through the Kong Gateway.
- The API Response is forwarded back to Cequence ASP.
- Cequence ASP reviews the response for sensitive data, records relevant information, and returns it to the Kong Gateway.
- Kong Gateway sends the response downstream to the API client.
Notes on Integration Steps - Hairpin Deployment:
- The integration steps for the Hairpin Deployment are identical to the Upstream Deployment. The only difference is that when Cequence forwards the request back to the Kong Gateway, the Kong Gateway needs to look up a special header injected by Cequence to ensure it routes the request onward to the API backend service.
- This header-based routing is achieved by enabling the Route by Header plugin, available with Kong Enterprise.