Inline mode

In PingIntelligence inline deployment mode, API Security Enforcer (ASE )sits at the edge of your network to receive the API traffic. It can also be deployed behind an existing load balancer such as AWS ELB. In the inline mode, ASE deployed at the edge of the datacenter, terminates SSL connections from API clients. It then forwards the requests directly to the APIs, API Gateways, or app servers such as Node.js, WebLogic, Tomcat, PHP, etc.

To configure ASE to work in the Inline mode, set the mode=inline in the ase-defaults.yml file.

Following is a high-level description of traffic flow:
  1. Client request is received by ASE. The request is logged in access log file. ASE then forwards the request to the backend server. The response is received by ASE and logged in the access log file.
  2. The request and response in the access log file is sent to ABS AI engine for processing. ABS AI engine generates the attack list which is fetched by ASE. The future requests received by ASE are either forwarded to the backend server or blocked by ASE based on the attack list.
  3. The AI engine data is stored in MongoDB
  4. PingIntelligence for APIs Web GUI fetches the data from ABS to display in the dashboard.

Sideband mode

When PingIntelligence is deployed in the sideband mode, a sideband policy is added to the API Gateway which makes calls to ASE to pass API request and response metadata. In this mode, ASE does not terminate the client requests.

To configure ASE to work in the sideband mode, set the mode=sideband in the ase-defaults.yml file.

Following is a description of the traffic flow through the API gateway and Ping Identity ASE.

  1. Incoming request to API gateway
  2. API gateway makes an API call to send the request metadata in JSON format to ASE
  3. ASE checks the request against a registered set of APIs and checks the client identifier against the AI generated Blacklist. If all checks pass, ASE returns a 200-OK response to the API gateway. Else, a different response code is sent to the Gateway. The request is also logged by ASE and sent to the AI Engine for processing.
  4. When the API gateway receives a response from ASE, then it forwards the request to the backend server unless blocking is enabled and the client is on the blacklist.
  5. The response from the backend server is received by the API gateway.
  6. The API gateway makes a second API call to pass the response information to ASE which sends the information to the AI engine for processing.
  7. ASE receives the response information and sends a 200-OK to the API gateway.
  8. API gateway sends the response received from the backend server to the client.
Note: Complete the ASE sideband mode deployment by referring to API gateway specific deployment section on the PingIntelligence documentation site.