End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
How to Set Up Policies
Learn how to use F5 NGINX Management Suite API Connectivity Manager to set up policies.
Overview
In API Connectivity Manager, you can apply global policies to API Gateways and Developer Portals to ensure your organization’s security requirements are enforced.
When you add policies at the environment level, they will apply to all proxies hosted within that environment.
See the Learn about Policies topic for an overview of the different policy types and available policies.
Before You Begin
Complete the following prerequisites before proceeding with this guide:
- API Connectivity Manager is installed, licensed, and running.
- You have one or more Environments with API Gateways or Developer Portals.
How to Access the User Interface
This guide provides instructions for completing tasks using the API Connectivity Manager user interface (UI).
To access the UI, go to the FQDN of your NGINX Instance Manager host and log in. On the Launchpad menu, select “API Connectivity Manager.”
Set Up Global Policies
Global Policies are configured at the environment level and apply to all clusters and proxies within the environment.
The following table shows the available Global Policies you can use when creating a new cluster.
Legend:
- = Supported
- = Not supported
- = Applied by default
Policy Name | HTTP Environment | gRPC Environment | Applied On | Description |
---|---|---|---|---|
Error Response Format | Outbound | Configure the Error Response Format policy to customize the HTTP error codes and error messages. | ||
Log Format | Outbound | Use the Log Format global policy to generate detailed access logs in JSON (default) or syslog format. Among the settings you can select, use the filter to fine-tune what gets logged, set the log destination, and adjust the log severity level to specify the type of errors to log. | ||
OpenID Connect Relying Party | Inbound | Secure access to your APIs with an OpenID Connect (OIDC) policy. This policy configures the API gateway proxy as a relying party for authenticating users with an OIDC provider. | ||
Proxy Response Headers | Inbound | Customize the Proxy Response Headers policy to include or exclude headers in the proxy response. By default, the standard headers are included in the response. In addition, you can specify whether the header is always included regardless of the response code. You can also add custom headers and values to include in the response. | ||
Request Body Size Limit | Inbound | Prevent Denial-of-Service (DoS) and other types of attacks by limiting the request body size. Customize the policy to configure the max payload size the API gateway proxy cluster can accept; the default limit is 1 MB. The API gateway proxy blocks requests exceeding the limit, while returning the configured error code. Set the max size to 0 to disable checking the request body size. | ||
Request Correlation ID | Inbound | Apply the Correlation ID policy to add a unique identifier to each request entering the application. You can use this unique ID to trace end-to-end transactions moving through components in a distributed system. The policy uses x-correlation-id as the default HTTP header name, or you can provide a custom header value. |
||
Request Header Specification | Inbound | Configure if headers containing underscores or other special characters are accepted or ignored. | ||
TLS Backend | Backend | Secure the communication between the API gateway proxy and the backend API service by enabling and customizing the TLS backend policy. When mTLS is enabled, the API gateway proxy identifies itself to the backend service using an SSL client certificate. | ||
TLS Inbound | Inbound | Secure inbound connections with the TLS inbound policy. Enable mTLS for secure bidirectional communication. |
To manage Global Policies, take the steps below:
- In the API Connectivity Manager user interface, go to Infrastructure > Workspaces > Environments.
- Select the Environment that holds the cluster that you want to configure, then select the Cluster name.
- Select the Manage icon for the cluster that you want to configure.
- Select the Global Policies tab.
- Add, Edit, or Remove as desired.
- Save and Submit your changes.
Add a Policy
Take the steps in this section to add a new policy to a cluster.
- Go to Manage > Global Policies for the cluster.
- Select Add Policy from the policy’s Actions menu.
- Complete the form provided to configure the policy, then select Add.
- Save and Submit your changes.
Edit a Policy
To edit a policy, take the steps below.
- Go to Manage > Global Policies for the cluster.
- Select Edit Policy from the policy’s Actions menu.
- Edit the policy as needed.
- Select Save and Save and Submit.
Remove a Policy
To remove a policy, take the steps below.
- Go to the Global Policies tab for the cluster.
- Select Remove Policy from the policy’s Actions menu.
Set Up API Proxy Policies
The following table shows the available API Proxy Policies you can use when creating an API gateway.
Legend:
- = Supported
- = Not supported
- = Applied by default
Policy Name | HTTP Proxy | gRPC Proxy | Applied On | Description |
---|---|---|---|---|
Access Control Routing | Inbound | Restrict access to your application servers based on JWT claims or header values. | ||
ACL Consumer Restriction | Inbound | Protect your upstream TCP application servers by denying/allowing access from certain consumers client IDs or authenticated JWT claims. | ||
ACL IP Restriction | Inbound | Protect your upstream TCP application servers by denying/allowing access from certain client IP addresses or CIDR blocks | ||
Advanced Security | Inbound | Protect your upstream TCP application servers by applying an NGINX App Protect WAF policy to the traffic to your proxy | ||
Allowed HTTP Methods | Inbound | Restrict access to specific request methods and set a custom response code for non-matching requests. | ||
APIKey Authentication | Inbound | Secure the API gateway proxy by adding an API key. | ||
HTTP Backend Config | Inbound | Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource usage. | ||
GRPC Backend Config | Inbound | Customize settings to ensure fault tolerance, maximize throughput, reduce latency, and optimize resource usage. | ||
Backend Health Check | Backend | Perform regular health checks to the backend API service to avoid and recover from server issues. Customize the policy with your desired thresholds. | ||
Basic Authentication | Inbound | Restrict access to APIs by requiring a username and password. | ||
CORS | Inbound | Configure cross-origin resource sharing (CORS) to control resource access from outside domains. | ||
JSON Web Token Assertion | Inbound | Secure your API gateway proxy with JSON web token verification. | ||
OAuth2 Token Introspection | Inbound | Secure your API gateway proxy with OAuth2 Tokens. | ||
Proxy Cache | Outbound | Enable and configure caching to improve the performance of your API gateway proxy. | ||
Proxy Request Headers | Backend | Configure the headers to pass to the backend API service. | ||
Rate Limit | Inbound | Add rate limits to limit incoming requests and secure API workloads. |
Any Global Policies will automatically be applied when you add an API Proxy. You can also configure any of the optional policies at the proxy level.
To manage Proxy Policies, take the steps below.
- In the API Connectivity Manager user interface, go to Services > Workspaces > Proxies.
- Select Edit Proxy from the Actions menu for the Proxy that you want to configure.
- Select the Policies tab.
- Add, Edit, or Remove as desired.
- Save and Publish your changes.
Add a Policy
Take the steps in this section to add a new policy to a cluster.
- Go to Edit Proxy > Policies.
- Select Add Policy from the policy’s Actions menu.
- Complete the form to configure the policy, then select the Add button.
- Save and Submit your changes.
Edit a Policy
Take the steps below to edit a policy.
- Go to Edit Proxy > Policies.
- Select Edit Policy from the policy’s Actions menu.
- Edit the policy as needed.
- Select Save, then Save and Publish.
Remove a Policy
To remove a policy, take the steps below.
- Go to Edit Proxy > Policies.
- Select Remove Policy from the policy’s Actions menu.
Set Up Cluster Policies
Cluster Policies are applied to all the proxies belongnig to the desired cluster. In another words, these policies are applied to a cluster of F5 NGINX Plus instances which can have one or more API Gateways and Developer Portals deployed on them.
The following table shows the available Cluster Policies you can use when creating a new cluster.
Legend:
- = Supported
- = Applied by default
Policy Name | HTTP Environment | gRPC Environment | Applied On | Description |
---|---|---|---|---|
Cluster Wide Config Setting | inbound | Fine tune the settings to speed up data processing and improve the performance of the API proxy for large number of connections. When applied, the settings are applicable to all the instances in a proxy cluster. If the proxy cluster is shared between environments, the changes made in any environment will be reflected in all the other environments. | ||
Cluster Zone Sync | inbound | Enables runtime state sharing between the instances belonging to a proxy cluster. Options configured through this policy affect other policies such as rate limit and OIDC. This policy is applied to all the instances in a proxy cluster. If the proxy cluster is shared between environments, any changes made to this policy will affect all the other environments. |
To manage Cluster Policies, take the steps below:
- In the API Connectivity Manager user interface, go to Infrastructure > Workspaces > Environments.
- Select the Environment that holds the cluster that you want to configure, then select the Cluster name.
- Select the Manage icon for the cluster that you want to configure.
- Select the Cluster Policies tab.
- Add, Edit, or Remove as desired.
- Save and Submit your changes.
Add a Policy
Take the steps in this section to add a new policy to a cluster.
- Go to Manage > Cluster Policies for the cluster.
- Select Add Policy from the policy’s Actions menu.
- Complete the form provided to configure the policy, then select Add.
- Save and Submit your changes.
Edit a Policy
To edit a policy, take the steps below.
- Go to Manage > Cluster Policies for the cluster.
- Select Edit Policy from the policy’s Actions menu.
- Edit the policy as needed.
- Select Save and Save and Submit.
Remove a Policy
To remove a policy, take the steps below.
- Go to the Cluster Policies tab for the cluster.
- Select Remove Policy from the policy’s Actions menu.