
Secure your APIs with Anypoint Flex Gateway in connected mode (API Manager)


When you install Flex Gateway in connected mode, you can view your gateways, API instances, and policy configurations in API Manager. Once you have installed, registered, and started your gateway in connected mode, you can secure your APIs from API Manager.

In this tutorial, you’ll learn how to:

  • Add a new API in API Manager
  • Test that the gateway is correctly configured with our REST API
  • Change the base path to call the API
  • Apply a basic authentication policy to the API
  • Apply a rate-limiting policy to the API


Prerequisites

  • Anypoint Platform - We’ll need an Anypoint Platform account to manage our Flex Gateway. You can sign up for a free trial account here.
  • curl - A command-line tool to make calls to the APIs. You can download it here. If you prefer a GUI over a command line, install a REST Client instead.
  • REST client - If you’re not very familiar with curl, you can also install Advanced REST Client, Postman, or any other app of your choice to make calls to the APIs using a GUI.
  • Install Flex Gateway in connected mode (Runtime Manager) - You need to install, register, and start Flex Gateway in connected mode. At least one Flex Gateway replica must be connected in Runtime Manager. To do that, follow this tutorial first:

Add a new API in API Manager

1 - Log in to Anypoint Platform and navigate to API Manager. You can access it through the menu button on the top left of the screen. Click on Add API > Add new API.

API Manager > Add API > Add new API

2 - Select the Flex Gateway runtime and select the target gateway you created in the previous tutorial (link in the prerequisites). Click on Next.

API Manager > Add API > Runtime

3 - Let’s create a new API to see the steps and configuration needed from Exchange. Select the Create new API option. Add the name of the API you want to create in Exchange. For example, JSONPlaceholder. Select HTTP API as the asset type and click on Next.

API Manager > Add API > API

4 - Add the Implementation URI so the gateway knows which URI to use for this API. In our case, let’s add the following:

https://jsonplaceholder.typicode.com/

You can leave all the defaults and click on Next.

API Manager > Add API > Endpoint

5 - Review all your details and click Save & Deploy.

API Manager > Add API > Review

6 - You should now have a new API with an Active status.

API Manager > Settings

Test the gateway

We finished the setup to connect our Flex Gateway (Runtime Manager/local) to the API we just created in Exchange (from API Manager). Now we need to test this connection.

1 - Go to your command line or your REST Client and make a call to the following URL. This is only to verify the original API’s URL is working before we try to hit it from the gateway.

URL:

https://jsonplaceholder.typicode.com/users/1

curl command:

curl https://jsonplaceholder.typicode.com/users/1

Postman:

Postman

2 - Now let’s call the same endpoint, this time through the gateway on our local machine.

URL:

http://localhost:8081/users/1

curl command:

curl http://localhost:8081/users/1

Postman:

Postman

We have verified we are connected to the API through our gateway.

If you run the curl command with the -v argument, you will be able to see at least one envoy header being returned in the response. The gateway adds this. You can also see it in Postman from the Headers tab in the response section.

Change the base path

Now that we know our gateway is connected to the API, let’s make some changes from API Manager and see them reflected almost immediately.

1 - In API Manager, make sure you are located inside the API we just created. Click on the Settings tab from the left and scroll down until you see the Runtime & Endpoint Configuration option. Click on it to reveal the configuration.

API Manager > Settings > Runtime & Endpoint Configuration

2 - Change the Base Path to be /api and make sure the Implementation URI doesn’t end in /. Click on Save & Apply.

API Manager > Settings > Runtime & Endpoint Configuration settings

Within a couple of seconds (or in less than a second), requests to the previous URI will stop working. The base path now has to include /api. Use the following URL to make calls from curl or Postman. You should receive the same response as before.

New URL:

http://localhost:8081/api/users/1

Postman sometimes caches the response. If you do not see changes after a while, try using curl or your browser instead.

Apply a basic authentication policy

Now let’s see how to apply some policies to our gateway. Still inside your API in API Manager, select the Policies tab from the left side of the screen.

API Manager > Policies

After you click on Add policy, all the predefined policies will be listed here. You can search by policy name or browse by category.

API Manager > Add policy

1 - To apply the basic authentication policy, select it from the security category and click on Next.

API Manager > Add policy > basic auth

2 - Add any values you want to set up. In our case, let’s add the following values:

User Name: foo
User Password: bar

Leave the rest of the options with the default values and click Apply.

API Manager > Add policy > basic auth > configuration

3 - Requests to the previous URI without credentials will no longer succeed. Each request now has to include the basic auth credentials. Once you add the credentials to the request, you should receive the same response as before.

curl command:

curl -u foo:bar http://localhost:8081/api/users/1

Postman:

API Manager > Add policy > basic auth > configuration

From Postman, click on View > Toggle Two-Pane View to see your request on the left side of the screen and your response on the right side.

Apply a rate-limiting policy

1 - Click on Add policy to add an additional policy to our current API. Select the Rate Limiting policy from the quality of service category. Click on Next.

API Manager > Add policy

2 - Add any values you want to set up. In our case, let’s add the following values for testing purposes:

Number of Requests: 5
Time Period: 10
Time Unit: Second
Expose Headers: True ✅

Leave the rest of the options with the default values and click Apply.

API Manager > Add policy > rate limiting

3 - You can try to send several requests from Postman and you’ll eventually get a 429 Too Many Requests status code. You can take a look at the response headers to see the 3 rate-limiting headers and their values.

Postman

If you’re using curl, you can use the following command to send one request per second until you get the “Too many requests” response. This makes the response headers easier to see.

while true ; do curl -v -u foo:bar http://localhost:8081/api/users/1 ; sleep 1 ; done

Terminal
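
As an added example (not part of the original tutorial), the script below checks that both policies are actually enforced instead of reading curl -v output by eye. The function names, the --live switch, and the sample response are constructed for illustration; the x-ratelimit-* header names are an assumption, since the tutorial does not list the three headers.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: verify both policies are enforced.
# Assumption: rate-limit headers are named x-ratelimit-{limit,remaining,reset}.
GATEWAY_URL="${GATEWAY_URL:-http://localhost:8081/api/users/1}"

# Constructed sample of a throttled response as printed by `curl -s -i`.
SAMPLE_429='HTTP/1.1 429 Too Many Requests
x-ratelimit-remaining: 0
x-ratelimit-limit: 5
x-ratelimit-reset: 7342
'

# Status code from the first line of a raw HTTP response on stdin.
status_of() { awk 'NR == 1 { print $2 }'; }

# Value of header $1 (case-insensitive) from a raw HTTP response on stdin.
header_of() {
  awk -v want="$1" '
    { sub(/\r$/, "") }
    NR > 1 && $0 == "" { body = 1 }   # blank line ends the header block
    !body && !found && (i = index($0, ":")) &&
      tolower(substr($0, 1, i - 1)) == tolower(want) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; found = 1 }'
}

# Auth is enforced when the call without credentials is refused (any 4xx)
# and the call with credentials returns 200.
auth_enforced() {   # $1 = status without -u, $2 = status with -u
  case "$1" in 4??) ;; *) return 1 ;; esac
  [ "$2" = 200 ]
}

# Status codes, one per line on stdin, must be 200 for the first $1 requests
# and 429 for the request after that.
rate_limit_enforced() {
  awk -v limit="$1" '
    NR <= limit && $1 != 200 { bad = 1 }
    NR == limit + 1 && $1 != 429 { bad = 1 }
    END { if (bad || NR <= limit) exit 1 }'
}

if [ "${1:-}" = "--live" ]; then   # needs the gateway from this tutorial running
  anon=$(curl -s -i "$GATEWAY_URL" | status_of)
  sleep 10                         # let the 10-second window start fresh
  codes=$(for n in 1 2 3 4 5 6; do curl -s -i -u foo:bar "$GATEWAY_URL" | status_of; done)
  auth_enforced "$anon" "$(printf '%s\n' "$codes" | head -n 1)" && echo "basic auth enforced"
  printf '%s\n' "$codes" | rate_limit_enforced 5 && echo "rate limit enforced"
else                               # offline: parse the constructed sample
  printf '%s' "$SAMPLE_429" | header_of X-RateLimit-Remaining
fi
```

Run it with --live against the gateway configured in this tutorial; if one of the "enforced" lines is missing, that check failed.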

Next Steps

In this tutorial, you learned how to:

  • Add a new API in API Manager
  • Test that the gateway was correctly configured with our REST API
  • Change the base path to call the API
  • Apply a basic authentication policy to the API
  • Apply a rate-limiting policy to the API

Remember to visit our other Flex Gateway tutorials to learn how to install it in different deployment options: in local mode, as a Linux service, or as a Kubernetes ingress controller. You can find the list of other Flex Gateway tutorials here.
