Secure your APIs with Anypoint Flex Gateway in connected mode (API Manager)

This tutorial was updated in October 2022 and is based on Flex Gateway 1.2.0.

When you install Flex Gateway in connected mode, you can view your gateways, your API instances, and policy configurations in API Manager. Once you have installed, registered, and started your gateway in connected mode, you can now secure your APIs from API Manager.

In this tutorial, you’ll learn how to:

• Add a new API in API Manager
• Test the gateway is correctly configured with our REST API
• Change the base path to call the API
• Apply a basic authentication policy to the API
• Apply a rate-limiting policy to the API
• Manage several APIs with the same gateway

Prerequisites

• Anypoint Platform - We’ll need an Anypoint Platform account to manage our Flex Gateway. You can sign up for a free trial account here.
• curl - A command-line tool to make calls to the APIs. You can download it here. If you prefer a GUI over a command line, install a REST Client.
• REST client - If you’re unfamiliar with curl, you can also install Advanced REST Client, Postman, or any other app of your choice to make calls to the APIs using a GUI.
• Install Flex Gateway in connected mode (Runtime Manager) - You must install, register, and start Flex Gateway in connected mode. At least one Flex Gateway replica must be connected in Runtime Manager. To do that, follow any of these tutorials first:
  • How to install Anypoint Flex Gateway in connected mode as a Docker container
  • How to install Anypoint Flex Gateway in connected mode as a Kubernetes Ingress Controller
  • How to install Anypoint Flex Gateway in connected mode as a Linux service

Add a new API in API Manager

1 - Log in to Anypoint Platform and navigate to API Manager. You can access it through the menu button on the top left of the screen. Click on Add API > Add new API.

2 - Select the Flex Gateway runtime and select the target gateway you created in the previous tutorial (link in the prerequisites). Click on Next.

3 - Let’s create a new API to see the steps and configuration needed from Exchange. Select the Create new API option. Add the name of the API you want to create in Exchange. For example, JSONPlaceholder. Select HTTP API as the asset type and click on Next.

4 - Add the Implementation URI so the gateway knows which URI to use for this API. In our case, let’s add the following:

https://jsonplaceholder.typicode.com

5a - If you’re running Flex Gateway as a Docker container or as a Linux service, you can leave all the defaults and click on Next.

5b - If you’re running Flex Gateway as a Kubernetes Ingress Controller, click on Advanced options and change the port to 80. Click on Next.

We’re using port 80 because that’s the port associated with HTTP. You can verify the port for your configuration by running kubectl get services --namespace gateway.

6 - Review all your details and click Save & Deploy.

7 - You should now have a new API with an Active status.

Test the gateway

We finished the setup to connect our Flex Gateway (Runtime Manager) to the API we just created in Exchange (from API Manager). Now we need to test this connection.

1 - Go to your command line or your REST Client and make a call to the following URL. This is only to verify the original API’s URL is working before we try to hit it from the gateway.

URL:

https://jsonplaceholder.typicode.com/users/1

curl command:

1
curl https://jsonplaceholder.typicode.com/users/1

Postman:

Now let’s see what is the URL we need to use to call the API through our newly set up Flex Gateway. We should use the gateway’s host and port, like so: http://<host>:<port>/users/1.

2a - If you installed it as a Docker container or as a Linux service on your local machine, you can use localhost and port 8081.

http://localhost:8081/users/1

2b - If you installed it as a Kubernetes Ingress Controller, you can use the following command to get the external IP (or public host).

Command:

1
kubectl get services --namespace gateway

Output:

1
2
NAME      TYPE           CLUSTER-IP       EXTERNAL-IP                         PORT(S)                      AGE
ingress   LoadBalancer   172.21.104.120   550f1-279.us-west-1.amazonaws.com   80:30253/TCP,443:30270/TCP   4m23s

In this case, we should use the following URL:

http://550f1-279.us-west-1.amazonaws.com:80/users/1

3 - Once you know which URL you need to use, call it using either curl or Postman. The response should be the same one you get when calling the API directly.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
{
  "id": 1,
  "name": "Leanne Graham",
  "username": "Bret",
  "email": "Sincere@april.biz",
  "address": {
    "street": "Kulas Light",
    "suite": "Apt. 556",
    "city": "Gwenborough",
    "zipcode": "92998-3874",
    "geo": {
      "lat": "-37.3159",
      "lng": "81.1496"
    }
  },
  "phone": "1-770-736-8031 x56442",
  "website": "hildegard.org",
  "company": {
    "name": "Romaguera-Crona",
    "catchPhrase": "Multi-layered client-server neural-net",
    "bs": "harness real-time e-markets"
  }
}

We have verified we are connected to the API through our gateway. You will use this host and port from now on for the rest of the tutorial.

Make sure the port you use in the URL matches the one you set up in API Manager.

If you run the curl command with the -v argument, you will be able to see at least one envoy header being returned in the response. For example, curl -v <URL>. The gateway adds this. You can also see it in Postman from the Headers tab in the response section.

Change the base path

Now that we know our gateway is connected to the API, let’s do some changes from API Manager to see them reflected almost immediately.

1 - In API Manager, make sure you are located inside the API we just created. Click on the Settings tab from the left and scroll down until you see the Runtime & Endpoint Configuration option. Click on it to reveal the configuration.

2 - Change the Base Path to be /api and make sure the Implementation URI doesn’t end in /. Click on Save & Apply.

3 - You won’t be able to send requests to the previous URI in a couple of seconds (or in less than a second). The base path now has to include /api. Use curl or Postman to test the new URI. You should receive the same response as before. For example:

Before:

http://localhost:8081/users/1

After:

http://localhost:8081/api/users/1

Postman sometimes caches the response. If you do not see changes after a while, try using curl or your browser instead.

Apply a basic authentication policy

Now let’s see how to apply some policies to our gateway. Still inside your API in API Manager, select the Policies tab from the left side of the screen.

After you click on Add policy, all the predefined policies will be listed here. You can search by policy name or browse by category.

1 - To apply the basic authentication policy, select it from the security category and click on Next.

2 - Add any values you want to set up. In our case, let’s add the following values:

Leave the rest of the options with the default values and click Apply.

3 - You won’t be able to send requests to the previous URI. The request now has to include this basic auth. Once you add the credentials to the request, you should receive the same response as before. For example:

curl command:

1
curl -u foo:bar http://localhost:8081/api/users/1

Postman:

From Postman, click on View > Toggle Two-Pane View to see your request on the left side of the screen and your response on the right side.

Apply a rate-limiting policy

1 - Click on Add policy to add an additional policy to our current API. Select the Rate Limiting policy from the quality of service category. Click on Next.

2 - Add any values you want to set up. In our case, let’s add the following values for testing purposes:

Leave the rest of the options with the default values and click Apply.

3a - You can try to send several requests from Postman and you’ll eventually get a 429 Too Many Requests status code. You can take a look at the response headers to see the 3 rate-limiting headers and their values.

3b - If you’re using curl, you can use the following command to send one request per second until you get the "Too many requests" response. This is helpful to visualize the response headers easier. Make sure to replace the given URI example with your own.

1
while true ; do curl -v -u foo:bar http://localhost:8081/api/users/1 ; sleep 1 ; done

Manage several APIs with the same gateway

Before version 1.2.0, you needed to create a gateway replica per API you wanted to manage in API Manager and each replica should be assigned a different port. Since this version, it is possible to manage more than one API with the same gateway replica.

1 - Add the other APIs in API Manager just as we did at the beginning of the tutorial.

2 - Each API must have a different base path so the gateway can route each call appropriately. For example:

Products API

Users API

With this configuration, you can keep both under the same port. The only difference is the base path to call your gateway.

Next Steps

In this tutorial, you learned how to:

• Add a new API in API Manager
• Test that the gateway was correctly configured with our REST API
• Change the base path to call the API
• Apply a basic authentication policy to the API
• Apply a rate-limiting policy to the API
• Manage several APIs with the same gateway

If you want to add more policies to your gateways, make sure they’re compatible with Flex Gateway first. See Included Policies Directory.

Remember to visit our other Flex Gateway tutorials to learn how to install it in different deployment options: in local mode, as a Linux service, as a Docker container, or as a Kubernetes ingress controller. You can find the list of other Flex Gateway tutorials here.