PingIntelligence provides an XML policy file to integrate PingIntelligence and Azure API Management Service. This policy can be applied at an individual API level, for all the APIs, to a group of APIs, or for an operation of an API.

PingIntelligence recommends that the PingIntelligence policy be the first policy in the Azure policy XML. This ensures that all the traffic is captured by ASE and sent to the PingIntelligence AI engine for analysis.

Complete the following steps to deploy the PingIntelligence policy:
  1. Download the PingIntelligence policy XML file from the Sideband Integration section of the download page.
  2. Log in to your Azure account and create the following Named values in your API Management service:
    • ase-primary: The primary ASE node.
    • ase-secondary: The secondary ASE node. The traffic is redirected to the secondary ASE node if the primary ASE node is not reachable.
      Note: Make sure that the ASE primary and secondary IP addresses are each followed by a /.
    • ase-token: The authentication token for secure communication between Azure API Management service and ASE.
    • connection-timeout: The number of seconds for which the API Management Service waits for ASE to respond.
    • enable-async-mode: Set the value to true to enable asynchronous mode between APIM and ASE. When asynchronous mode is enabled, the Azure gateway does not wait for a response from ASE and sends the request to the backend server. ASE performs detailed API activity reporting and attack detection without blocking attacks. If you do not want to enable asynchronous mode, set the value to false. In this case, the Azure gateway does not send the API request to the backend server until it receives a response from ASE.
    • oauth2-jwt-username-claim: JWT claim name for username.
    • oauth2-token-qs-name: The name of the query string parameter that contains the OAuth token. If you choose not to intercept the OAuth tokens coming as part of query string, then set the value to @(null).
      Note: The PingIntelligence policy extracts the OAuth token from the query string parameter configured in oauth2-token-qs-name. A new Authorization header, Authorization: Bearer <OAuth token>, is added to the metadata sent to ASE. If there is an existing Authorization header, the token is prepended so that the ABS AI engine can analyse it. If the query string has multiple query parameters with the same name, the first parameter is intercepted by the policy.
    • retry-count: The number of times APIM tries to connect to ASE.

    If you change any of the Named values after the policy is operational, it takes 60 seconds for the change to be applicable. For example, if you change the ase-primary node IP address, the new IP address takes effect only after 60 seconds.

  3. Open the downloaded PingIntelligence policy XML file and copy the policy at the desired level: All APIs, individual APIs, operation level, or Group of APIs. Click on Policies in the Inbound processing UI box and paste the policy.
    Note: The PingIntelligence policy does not validate the authenticity of a JWT. Configure the PingIntelligence policy after the <validate-jwt> policy.
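
The Named values from step 2 can be checked before the policy is pasted. The following is an added example, not part of the PingIntelligence policy or its documentation: the function name, the dict layout and the sample addresses and token are assumptions constructed for illustration.

```python
# Added example: lint the PingIntelligence Named values before deploying the policy.
# check_named_values and the dict layout are hypothetical, not part of the product.
REQUIRED = (
    "ase-primary", "ase-secondary", "ase-token", "connection-timeout",
    "enable-async-mode", "oauth2-jwt-username-claim",
    "oauth2-token-qs-name", "retry-count",
)

def check_named_values(values):
    """Return (errors, warnings) for a dict of Named value name -> string."""
    get = lambda name: str(values.get(name, "")).strip()
    errors, warnings = [], []
    for name in REQUIRED:
        if not get(name):
            errors.append(f"{name}: missing or empty")
    # Both ASE node addresses must be followed by a "/".
    for name in ("ase-primary", "ase-secondary"):
        if get(name) and not get(name).endswith("/"):
            errors.append(f"{name}: must end with '/'")
    # connection-timeout is a number of seconds, retry-count a number of attempts.
    for name in ("connection-timeout", "retry-count"):
        if get(name) and not get(name).isdigit():
            errors.append(f"{name}: expected a whole number, got {get(name)!r}")
    mode = get("enable-async-mode").lower()
    if mode and mode not in ("true", "false"):
        errors.append("enable-async-mode: expected true or false")
    elif mode == "true":
        # Asynchronous mode: requests reach the backend without waiting for ASE.
        warnings.append("enable-async-mode=true: ASE detects and reports but does not block")
    if get("oauth2-token-qs-name") == "@(null)":
        warnings.append("oauth2-token-qs-name=@(null): query string OAuth tokens are not intercepted")
    return errors, warnings

# Constructed sample values (documentation-range addresses, placeholder token).
SAMPLE = {
    "ase-primary": "192.0.2.10",          # trailing "/" is missing
    "ase-secondary": "192.0.2.11/",
    "ase-token": "PLACEHOLDER-TOKEN",
    "connection-timeout": "30",
    "enable-async-mode": "true",
    "oauth2-jwt-username-claim": "username",
    "oauth2-token-qs-name": "@(null)",
    "retry-count": "two",                 # not a number
}

if __name__ == "__main__":
    errs, warns = check_named_values(SAMPLE)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]))
```

Errors should be fixed before deployment; warnings describe a mode the page permits but that changes what ASE can do with the traffic.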