MuleSoft is excited to announce the general availability of Anypoint Flex Gateway 1.4.0. Anypoint Flex Gateway is part of MuleSoft’s vision to provide Universal API management for any API. This release brings your organization closer to securely working with any API, built and deployed anywhere.
The Anypoint Flex Gateway 1.4.0 release includes several out-of-the-box policies (JSON Threat Protection, Schema Validation, and Health Check) and additional Connected Mode features, such as Transport Layer Security (TLS) context configuration and policy execution order, that were previously available only in Local Mode in the Anypoint Flex Gateway 1.3.0 release.
Additional Connected Mode Features
In this section, you can find Connected Mode features that were previously added to Local Mode. These features can now be configured through the UI in API Manager.
Configuring TLS and mTLS contexts
TLS and mTLS contexts protect the communication between services by encrypting inbound and outbound traffic. In this release, MuleSoft is providing additional TLS and mutual authentication TLS (mTLS) context configurations for Connected Mode, such as:
- configuring TLS and mTLS contexts for both inbound and outbound paths
- enabling mTLS from API proxies to upstream services
In Connected Mode, you can apply a TLS context to an API by:
- Setting up a secret group
- Following the steps outlined in Apply a TLS Context to an API
**Note** Flex Gateway implements the TLS context at the port level. Therefore, all API instances that share the same port also have the TLS context applied to them. To learn more about how a TLS context is shared across ports, see TLS Context Applied to Shared Ports.
For more information on how you can implement TLS and mTLS contexts, see the full documentation.
Policy Execution Ordering
You can now configure the execution order of policies using the UI in API Manager. This allows you to execute certain policies before others.
Note: The Cross-Origin Resource Sharing (CORS) policy always executes before automated and API-level policies.
Route external HTTP connection with forward proxy
A forward proxy enables you to route external HTTP Flex Gateway connections through a proxy connection to protect your internal network.
You can route the following connections through the forward proxy:
- Connections to Anypoint Platform
- Outbound policy connections
- Connections to upstream services
- HTTP (Fluent Bit) log connections
For Connected Mode, to configure the forward proxy, specify the --https-proxy flag with your proxy address when you register your Flex Gateway.
For more information, you can check out the documentation.
Enhance security and monitoring with new included policies
Gateway Policies enable you to enforce regulations to help manage security, control traffic, and improve the adaptability of your APIs. Anypoint Flex Gateway now has 21 included policies that simplify configuring necessary controls without restarting the gateway.
Let’s dive into the newest policies that were released with 1.4.0.
JSON Threat Protection Policy
Applications processing JSON requests are susceptible to attacks characterized by unusual inflation of elements and nesting levels. Attackers use recursive techniques to consume memory resources. You can now minimize the risk posed by content-level attacks by specifying limits on JSON structures using the JSON Threat Protection policy.
With the policy, you can specify the following limits on JSON request structures, in both Local and Connected Mode:
- Maximum Container Depth: Specifies the maximum nesting depth. JSON allows you to nest containers (objects and arrays) in any order to any depth.
- Maximum String Value Length: Specifies the maximum length of a string value.
- Maximum Object Entry Name Length: Specifies the maximum string length of an object’s entry name.
- Maximum Object Entry Count: Specifies the maximum number of entries in an object.
- Maximum Array Element Count: Specifies the maximum number of elements in an array.
When a limit is reached, the gateway returns 400 Bad Request and stops processing that request. The image below shows what you can expect when configuring the policy in Connected Mode.
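To make the five limits concrete, here is an added example (not MuleSoft's code) of a single-pass structural limiter of the kind such a policy applies: it uses an explicit stack instead of recursion, so the nesting attacks described above cannot exhaust the checker itself, and it rejects a request on the first violated limit. Limit defaults and the `inspect_request` verdict helper are constructed for the demo, not the policy's real defaults.

```python
# Added example, not MuleSoft's own code: a single-pass, non-recursive limiter
# for the five structural limits the JSON Threat Protection policy exposes.
# The default limit values below are constructed for the demo.

class JsonThreat(ValueError):
    """Raised as soon as the request body exceeds a configured limit."""

def check_json_limits(body, max_depth=10, max_string_len=256, max_key_len=64,
                      max_entries=100, max_array_len=100):
    """Return True if body respects every limit, else raise JsonThreat.
    An explicit stack replaces recursion, so deep nesting cannot exhaust the
    checker, and scanning stops at the first violation, not after a full parse."""
    stack = []  # one [kind, item_count, expecting_item] per open container
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        top = stack[-1] if stack else None
        is_key = False
        if top and top[2] and c not in ' \t\r\n]}':
            top[1], top[2] = top[1] + 1, False  # first token of a new item
            cap = max_entries if top[0] == '{' else max_array_len
            if top[1] > cap:
                raise JsonThreat(f"container item count exceeds {cap}")
            is_key = top[0] == '{'  # in an object the first token is the name
        if c == '"':
            j = i + 1
            while j < n and body[j] != '"':
                j += 2 if body[j] == '\\' else 1  # skip escaped characters
            length, limit = j - i - 1, max_key_len if is_key else max_string_len
            if length > limit:
                raise JsonThreat(f"string length {length} exceeds {limit}")
            i = j
        elif c in '{[':
            stack.append([c, 0, True])
            if len(stack) > max_depth:
                raise JsonThreat(f"container depth exceeds {max_depth}")
        elif c in '}]' and stack:
            stack.pop()
        elif c == ',' and top:
            top[2] = True
        i += 1
    return True

def inspect_request(body, **limits):
    """Model the policy verdict: (400, reason) on a violation, else (200, 'ok')."""
    try:
        check_json_limits(body, **limits)
        return 200, "ok"
    except JsonThreat as exc:
        return 400, f"Bad Request: {exc}"
```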
Schema Validation Policy
Applications processing REST API requests are susceptible to attacks such as header injection and payload injection. Additional vulnerabilities can lead to the access of sensitive information. The Schema Validation policy protects against such attacks and vulnerabilities by validating traffic against a supplied API specification.
The policy currently supports OpenAPI Specification 3.0 (OAS3) schema validation. It checks request headers, query parameters, and path parameters, validating the content against:
- The presence of all required properties
- The presence or absence of additional properties
- The types of all properties. For example, if a schema specifies a property as an integer, the request must include an integer and not another type, such as a string.
- The format of the properties. For example, if the pattern keyword is specified, the policy validates the property as a regular expression.
For Connected Mode, you can catalog API specifications in Anypoint Exchange and attach them to the API configuration when deploying to Flex Gateway. Anypoint Exchange is your internal marketplace provided by MuleSoft that allows you to auto-document API specifications, share APIs, and request access.
With the policy, you can choose to block or allow a non-compliant request. If set to block (True), the gateway returns a 400 status code with the message “The request properties do not comply with the API specifications.” If set to allow (False), the gateway logs the error and returns the status code of the request.
The below image shows what you can expect when configuring the policy in Connected Mode.
For more information on configuring the policy in Local Mode, you can check the details in the documentation.
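The four checks listed above and the block/allow behaviour are easy to misread as "the spec is attached, so the request is safe", so here is an added example (not MuleSoft's code, and not the policy's implementation) that performs the same checks over a constructed OAS3-style object schema: required properties, additional properties, property types, and `pattern` format. `SAMPLE_SCHEMA`, `schema_errors` and `enforce` are constructed names for this demo.

```python
# Added example, not MuleSoft's own code: a minimal checker for the four
# validations the Schema Validation policy performs on an OAS3-style object
# schema (required, additionalProperties, type, pattern), plus the policy's
# block (400) versus allow (log only) behaviour. The schema below is constructed.
import re

JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}
POLICY_MESSAGE = "The request properties do not comply with the API specifications."

SAMPLE_SCHEMA = {  # constructed OAS3 schema for a request body
    "type": "object", "required": ["id", "email"], "additionalProperties": False,
    "properties": {"id": {"type": "integer"},
                   "email": {"type": "string", "pattern": r"^[^@\s]+@[^@\s]+$"},
                   "tags": {"type": "array"}}}

def schema_errors(schema, data, path=""):
    """Return every violation of schema found in data (recursing into nested objects)."""
    errors, props = [], schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in data:
            errors.append(f"missing required property '{path}{name}'")
    if schema.get("additionalProperties") is False:
        errors += [f"unexpected property '{path}{n}'" for n in data if n not in props]
    for name, sub in props.items():
        if name not in data:
            continue
        value, kind = data[name], sub.get("type")
        # bool is an int subclass in Python, so reject true/false for integer/number
        if kind in JSON_TYPES and (not isinstance(value, JSON_TYPES[kind])
                                   or (isinstance(value, bool) and kind != "boolean")):
            errors.append(f"property '{path}{name}' is not of type {kind}")
        elif kind == "string" and "pattern" in sub and not re.search(sub["pattern"], value):
            errors.append(f"property '{path}{name}' does not match pattern")
        elif kind == "object":
            errors += schema_errors(sub, value, f"{path}{name}.")
    return errors

def enforce(schema, data, block=True, upstream_status=200):
    """Model the policy verdict as (status, response message, logged errors)."""
    errors = schema_errors(schema, data)
    if not errors:
        return upstream_status, "", []
    if block:  # policy configured to block: the gateway answers 400 itself
        return 400, POLICY_MESSAGE, errors
    return upstream_status, "", errors  # allow: log the errors, pass the request on
```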
Health Check Policy
Lastly, with the Health Check policy, you can now monitor API upstream health and connection attempts and receive email alerts. The policy makes GET requests to a specified API base path on a fixed schedule and checks for certain response codes (2xx codes are the most ideal).
With the policy, you can specify the following parameters in Connected Mode:
- Upstream URL: The full URL of the API upstream you are monitoring.
- Base path: The HTTP path of the GET method that is requested during health checks.
- Response code: The expected status code of the GET request to the base path. Only a numeric response code is accepted.
Note: The Health Check policy is not compatible with TLS.
The images below show what you can expect when configuring the policy in Connected Mode. To enable the policy, you also need to create an alert for the API to configure email notifications; the setup takes you there after you specify the parameters.
With both Schema Validation and JSON Threat Protection policies, you can now ensure that your APIs are well protected from request injections that can put your data at risk or slow down your application’s performance. And with the Health Check policy, you can monitor your APIs proactively to ensure they are available to your users and troubleshoot when needed.
Get started with Anypoint Flex Gateway 1.4.0
With the additional security and monitoring features, you can now control and protect your APIs through the UI.
Learn more about Anypoint Flex Gateway in these resources:
- Build modern apps and architectures with MuleSoft’s Anypoint Flex Gateway
- Anypoint Flex Gateway tutorials
To try out the gateway for yourself, sign up for a free 30-day trial on Anypoint Platform. We would love your feedback on Anypoint Flex Gateway and this release. If you have any enhancement requests, please let us know through our Ideas page.