Cequence Unified API Protection (UAP) integrates with a wide range of network infrastructure components, including an Istio Service Mesh, an open-source service mesh that layers transparently onto existing distributed applications.
Cequence Architecture Overview
Cequence UAP consists of control plane components running in the UAP control platform and data plane components. Both the UAP control platform and the data plane components may be SaaS hosted or run 'on-prem' in a customer-managed environment.
The UAP control plane includes analysis functionality, the core analytics engine, and management modules for API Sentinel and Bot Defense. The UAP control plane performs ML-based analysis of each API transaction, feeding the results to API Sentinel and Bot Defense for remediation and mitigation.
Data plane components include the Cequence Sensor and Cequence Defender, which collect transactions and enforce mitigation. Sensor is a passive listener only and consumes mirrored traffic. Defender both monitors network traffic and actively mitigates threats, and must be deployed logically inline with the transaction data flow.
Cequence Defender deployment to a reverse proxy configuration can be accomplished in one of two ways: inline-upstream or inline-hairpin. In both approaches, Cequence Defender is configured as topologically in-line with transaction data flow and logically between the client and the origin server(s).
In an inline-upstream configuration, the reverse proxy forwards requests from the client directly to Defender, which then processes the request, mitigates if appropriate, and forwards the request on to the origin server(s). Responses flow through Defender in a similar manner.
In an inline-hairpin configuration, both requests and responses are routed through the reverse proxy before being forwarded on to the origin server or client, respectively.
Istio Mesh Integration
The Cequence Defender container may be deployed to its own pod or co-located in the Istio Gateway pod.
Separate Pods: Istio Gateway Pod + Cequence Defender Pod - Hairpin Configuration
Co-located Pod: Envoy Proxy + Cequence Defender - Hairpin Configuration
Traffic Flow
Both of these configurations use the Cequence Defender hairpin configuration. Client requests to the Application are routed via Envoy Proxy in the Istio Gateway Pod to Cequence Defender. Defender processes the request based on Cequence Bot Defense detection and mitigation policies and routes the request back to the Envoy Proxy with an injected header. The Istio Envoy Proxy forwards this request to the Application. The Application response then flows back in the reverse direction, and is again routed through Defender.
This routing is defined as part of the VirtualService definition and achieved via header routing.
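The header routing described above could be expressed in a VirtualService like the following. This is an added sketch, not Cequence's published configuration: the header name x-defender-processed, the host names, the gateway name, the namespaces and the ports are all assumptions chosen for illustration.

```yaml
# Illustrative hairpin routing on the Istio ingress gateway.
# All names, hosts, ports and the header are hypothetical placeholders.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-hairpin
  namespace: istio-system
spec:
  hosts:
    - "app.example.com"            # assumed external host name
  gateways:
    - app-gateway                  # assumed Gateway resource
  http:
    # Second pass: the request has come back from Defender carrying the
    # injected header, so Envoy forwards it to the Application.
    # Assumption: only Defender can set this header; the edge should not
    # accept it from clients (for example by removing it on ingress).
    - name: from-defender
      match:
        - headers:
            x-defender-processed:  # hypothetical injected header
              exact: "true"
      route:
        - destination:
            host: app.default.svc.cluster.local
            port:
              number: 8080
    # First pass: no injected header yet, so Envoy sends the request to
    # Defender for Bot Defense detection and mitigation.
    - name: to-defender
      route:
        - destination:
            host: cequence-defender.cequence.svc.cluster.local
            port:
              number: 80
```

Istio evaluates the http routes in order, so the header match has to come before the catch-all route that sends traffic to Defender.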
Learning more
Step-by-step deployment instructions to integrate Cequence Defender into an Istio Service Mesh are available on request from the Cequence Success team.
See Cequence Technology Partners & Integrations for more information on other types of network infrastructure.