PingIntelligence

ASE deployment modes

API Security Enforcer supports REST and WebSocket APIs and can dynamically scale and secure system infrastructure. ASE can be deployed in Inline or Sideband mode.

Inline mode

In the inline deployment mode, ASE sits at the edge of your network to receive the API traffic. It can also be deployed behind an existing load balancers such as AWS ELB. In inline mode, API Security Enforcer deployed at the edge of the datacenter, terminates SSL connections from API clients. It then forwards the requests directly to the correct APIs – and app servers such as Node.js, WebLogic, Tomcat, PHP, etc.

oep1564009146604

To configure ASE to work in the Inline mode, set the mode=inline in the /opt/pingidentity/ase/config/ase.conf file.

Some load balancers (for example, AWS ELB) require responses to keep alive messages from all devices receiving traffic. In an inline mode configuration, ASE should be configured to respond to these keep alive messages by updating the enable_ase_health variable in the /opt/pingidentity/ase/config/ase.conf file. When enable_ase_health is true, load balancers can perform an ASE health check using the following URL: http(s)://<ASE Name>/ase where <ASE Name> is the ASE domain name. ASE will respond to these health checks.

Sideband mode

ASE when deployed in the sideband mode, works behind an existing API gateway. The API request and response data between the client and the backend resource or API server is sent to ASE. In this case, ASE does not directly terminate the client requests.

To configure ASE to work in the Inline mode, set the mode=sideband in the /opt/pingidentity/ase/config/ase.conf file.

zpg1564009147496

Following is a description of the traffic flow through the API gateway and Ping Identity ASE.

  1. Incoming request to API gateway

  2. API gateway makes an API call to send the request detail in JSON format to ASE

  3. ASE checks the request against a registered set of APIs and checks the origin IP against the AI generated Blacklist. If all checks pass, ASE returns a 200-OK response to the API gateway. Else, a different response code is sent to the Gateway. The request is also logged by ASE and sent to the AI Engine for processing.

  4. If the API gateway receives a 200-OK response from ASE, then it forwards the request to the backend server, else the Gateway returns a different response code to the client.

  5. The response from the backend server is received by the API gateway.

  6. The API gateway makes a second API call to pass the response information to ASE which sends the information to the AI engine for processing.

  7. ASE receives the response information and sends a 200-OK to the API gateway.

  8. API gateway sends the response received from the backend server to the client.

Complete the ASE sideband mode deployment by referring to API gateway specific deployment section on the PingIdentity documentation site.