End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
Release Notes
These release notes list and describe the new features, enhancements, and resolved issues in NGINX Management Suite API Connectivity Manager.
1.9.3
November 06, 2024
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.6.0 - 1.9.2
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Stability and performance improvements
This release includes stability and performance improvements.
Known Issues
You can find information about known issues in the Known Issues topic.
1.9.2
March 14, 2024
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.6.0 - 1.9.1
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Stability and performance improvements
This release includes stability and performance improvements.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- JWT tokens are overwritten when multiple proxies are assigned to one gateway (44636)
Known Issues
You can find information about known issues in the Known Issues topic.
1.9.1
October 05, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.6.0 - 1.9.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Stability and performance improvements
This release includes stability and performance improvements.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- Module crashes when an OpenAPI spec is uploaded with a global security requirement that contains an empty security requirement object (44393)
Known Issues
You can find information about known issues in the Known Issues topic.
1.9.0
September 07, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.6.0 - 1.8.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Server URL templating in OpenAPI specification file
Now you can use templating for the server URL in a supplied OpenAPI specification. You must supply the full explicit
basePath
as part of the server URL in the OpenAPI specification file.When creating an API proxy using an OAS file, the following values will not be editable in the web interface if they are provided via the OAS spec file:
servers: url: http://{server}.hostname.com/api/{version} variables: server: default: customers version: default: v1 basePathVersionAppendRule: default : none stripBasePathVersion: default : false
-
OpenAPI specification support for OAuth2 JWT assertion policy
You can now specify an OAuth2 JWT assertion policy to apply to the API Proxy being created using an OpenAPI specification file.
-
Backend server configuration from OpenAPI specification file
You can provide the backend server configuration for upstream servers in an OpenAPI specification file using extensions specific to API Connectivity Manager. See the Publish an API Proxy documentation.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- A proxy deployed with a
specRef
field (OAS) andbasePathVersionAppendRule
set to other thanNONE
may cause versions to appear twice in the deployed location block (36666) - Resources deployed to a Developer Portal which has had its database reset cannot be updated or removed (43140)
- Certificates associated with empty instance groups can be deleted, resulting in a broken reference in the API Connectivity Manager module (43671)
- Deployment fails due to duplicate locations (43673)
- Cannot use TLS enabled backend with HTTP backend-config policy (44212)
Known Issues
You can find information about known issues in the Known Issues topic.
1.8.0
July 27, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.5.0 - 1.7.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Advanced security policy for proxies
You can use the Advanced Security policy to add a pre-defined NGINX App Protect to your deployment. This enhancement allows you to specify the rules for each API.
-
Publish APIs using OpenAPI Specification version 3.0 or 3.1
Now, you can publish APIs using OpenAPI Specification version 3.0 or 3.1
-
Added
matchRule
field to theroute
items inproxyConfig.ingress
The
matchRule
field is now available in theroute
items inproxyConfig.ingress
. This field is optional and allows you to define a path matching rule for advanced routes.The OpenAPI Specification now supports the
x-acm-match-rule
extension for defining match rules for paths within routes. If you don’t specify a value for this extension, it will default toEXACT
. The only allowed values formatchRule
are the stringsEXACT
andPREFIX
.
Changes in Default Behavior
This release has the following changes in default behavior:
-
Labels on proxies were added with future use cases in mind although without a current need. The proxy labels have been removed to avoid confusion as to their purpose.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- Environments with WAF enabled may transition to a Failed status when a Developer Portal cluster is added. (43231)
Known Issues
You can find information about known issues in the Known Issues topic.
1.7.0
June 21, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.4.0 - 1.6.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
The new Advanced Security policy can be used to add a pre-defined NGINX App Protect configuration to your deployment. Doing so will apply the rules specified in the policy to your APIs.
-
Option added to allow API proxy to ignore invalid headers
The Request Header Specification policy allows headers with (.) and (_) characters to be proxied to backend services.
By default, NGINX server will drop all headers that contain (.) and (_) characters in the header name. Though not common, it is a legal character in headers. This feature will allow users to instruct NGINX to allow such headers to be proxied.
-
Regex support added to access control routing claims
Access control routing claims can be arrays. For example, roles and groups are typically represented as an array. You can now use a regular expression to match against claims embedded in arrays.
-
Ingress routing rules now allow using regular expressions
Regular expressions are now supported in routing rules. This will enable routing of requests that match against strings like
?wsdl
.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- The routes filter under the proxy metrics page won’t work with params (42471)
- Multiple entries selected when gateway proxy hostnames are the same (42515)
Known Issues
You can find information about known issues in the Known Issues topic.
1.6.0
May 11, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.3.0 - 1.5.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Create security policies using an OAS specification
With the latest update, you can now create APIKey and Basic Auth security policies using an OAS specification. This enhancement streamlines the process for creating policies, reduces errors, and improves system security. API Connectivity Manager and NGINX can be integrated into the build pipeline where you generate OpenAPI specs.
-
New buffer settings were added to the HTTP Backend Configuration Proxy policy to enhance performance
With the latest HTTP Backend Configuration Proxy policy update, you can now modify the size and location of buffer temporary files or turn off buffering altogether. This enhancement offers greater flexibility and control to API Connectivity Manager users, allowing them to optimize their system’s performance and improve the overall end-user experience.
-
Gain deeper insights into your environments with enhanced analytics and metrics
With this release, you can view more information about your environments. This includes the number of clusters and runtimes, the number of APIs available, and the total amount of data transmitted in and out of each cluster. Additionally, you can view graphs displaying crucial analytics, including traffic metrics, which can help you better understand your system’s performance.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- CORS policy doesn’t support proxying preflight requests to the backend when combined with an authentication policy (34449)
- TLS setting on listener is not reset when TLS policy is removed (41426)
- Developer Portal: When typing the links to use for the footer, the text boxes keep losing focus (41626)
- Array values in token claims are treated as string values (42388)
Known Issues
You can find information about known issues in the Known Issues topic.
1.5.0
March 28, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.2.0 - 1.4.1
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Use role-based access control for enhanced security and governance
With new built-in RBAC roles for API Connectivity Manager, administrators can grant or restrict user access to workspaces and features, empowering teams to manage their own workflows.
-
Proxy clusters can be shared across multiple environments (hostnames).
-
Secure handling of sensitive data
API Connectivity Manager now provides enhanced security for sensitive data, including credentials used in APIKeys, Basic Auth, OAuth2, and JWT policies. All secrets are stored in a secure Vault and encrypted for added protection.
-
Runtime state sharing in an API gateway or Developer Portal
Administrators can use cluster-wide policies to configure uniform settings across all instances in the cluster, such as worker connections, hash table size, and keepalive settings, to optimize performance. Furthermore, using the Cluster Zone Sync policy, the cluster can be configured to share the runtime state and sync data across all instances, allowing for cluster-wide rate limits and sticky sessions.
-
Performance improvements for the web interface
A number of improvements have been made to how the web interface queries the backend services when fetching data.
-
Add a Health Check policy to your gRPC proxy to ensure optimal performance
The gRPC proxy can be enabled with a Health Check policy, allowing it to check the health status of backend gRPC services and route requests accordingly.
-
API Connectivity Manager will not generate new certificates if any have already been specified in the TLS policy; instead, ACM will reference the existing certificates. In this way, wildcard certificates may be employed.
Security Updates
Important:
For the protection of our customers, NGINX doesn’t disclose security issues until an investigation has occurred and a fix is available.
This release includes the following security updates:
-
Instance Manager vulnerability CVE-2023-1550
NGINX Agent inserts sensitive information into a log file (CVE-2023-1550). An authenticated attacker with local access to read NGINX Agent log files may gain access to private keys. This issue is exposed only when the non-default trace-level logging is enabled.
NGINX Agent is included with NGINX Instance Manager, and used in conjunction with API Connectivity Manager and the Security Monitoring module.
This issue has been classified as CWE-532: Insertion of Sensitive Information into Log File.
-
Mitigation:
- Avoid configuring trace-level logging in the NGINX Agent configuration file. For more information, refer to the Configuring the NGINX Agent section of NGINX Management Suite documentation. If trace-level logging is required, ensure only trusted users have access to the log files.
-
Fixed in:
- NGINX Agent 2.23.3
- Instance Manager 2.9.0
For more information, refer to the MyF5 article K000133135.
-
Changes in Default Behavior
This release has the following changes in default behavior:
-
ACL IP Policy denies IP addresses by default
Updates the ACL IP policy to deny IP addresses by default instead of allowing them by default.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- Configurations aren’t pushed to newly onboarded instances if another instance is offline (40035)
- The Proxy Cluster API isn’t ready to be used (40097)
Known Issues
You can find information about known issues in the Known Issues topic.
1.4.1
February 02, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.1.0 - 1.4.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Stability and performance improvements
This release includes stability and performance improvements.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- Cluster and Environment deletion issues when Portal Docs are published (40163)
Known Issues
You can find information about known issues in the Known Issues topic.
1.4.0
January 23, 2023
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.1.0 - 1.3.1
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Allow or deny access to APIs for specified consumers
Control access to APIs to prevent unauthorized requests from designated consumers.
-
OAuth2 Introspection policy now supports token claim verification
API admins can configure an OAuth2 Introspection policy with token claim verification. If the value of an introspected token claim matches the values in the policy configuration, the request will be allowed to proceed to the backend. If not, the request will be denied, and
403 Forbidden
will be returned. -
Adds support for NGINX Plus R28
API Connectivity Manager 1.4.0 is compatible with NGINX Plus R28. For requirements related to NGINX Management Suite and API Connectivity Manager, please refer to the Technical Specifications guide.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- A JWT token present in a query parameter is not proxied to the backend for advanced routes (39328)
- OIDC policy cannot be applied alongside a proxy authentication policy (39604)
Known Issues
You can find information about known issues in the Known Issues topic.
1.3.1
December 16, 2022
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.0.0 - 1.3.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Stability and performance improvements
This release includes stability and performance improvements.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- Developer Portal backend information is unintentionally updated when editing clusters within an environment (39409)
- The Inbound TLS policy breaks when upgrading from API Connectivity Manager 1.2.0 to 1.3.0. (39426)
- The web interface doesn’t pass the
enableSNI
property for the TLS backend policy (39445)
Known Issues
You can find information about known issues in the Known Issues topic.
1.3.0
December 12, 2022
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.0.0 - 1.2.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Configure access-controlled routing
API lifecycle management requires routing API traffic with fine-level control, which is something that token-based authentication schemes that leverage JWT claims do well. Permissions can be encoded as custom claims in the token. Then, once the API proxy validates the token (JWT), it can access all the fields in the token as variables. Decisions can be made based on matching the claims.
-
Applying Fine-Grained Access Control
API Owners can apply fine-grained access control and restrict access to their APIs based on specific claims in the token. The policy can be configured to enforce fine-grained control for specific routes or be fine-tuned to support particular methods per route.
-
Header-Based Routing
Routing decisions can be made based on headers in the incoming requests. API owners can configure rules and conditions that must be matched before routing requests.
See Configure Access Control Routing to learn how to restrict access to your application servers based on JWT claims or header values.
-
-
Use the web interface to publish and manage gRPC services
With API Connectivity Manager 1.2, we introduced support for publishing and managing gRPC services. Now, in this release, we extend that capability to the web interface.
You can secure gRPC services with the following policies:
-
gRPC environment policies
- Error Response Format
- Log Format
- Proxy Response Headers
- Request Body Size Limit
- Request Correlation ID
- TLS Backend
- TLS Inbound
-
gRPC proxy policies:
- ACL IP Restriction
- APIKey Authentication
- Basic Authentication
- GRPC Backend Config
- JSON Web Token Assertion
- OAuth2 Introspection
- Proxy Request Headers
- Rate Limit
-
-
Secure communication between API Connectivity Manager and Developer Portal with mTLS
API Connectivity Manager communicates with the Developer Portal host to publish API docs and create API credentials. Now, PlatformOps can secure this communication channel by enabling mTLS between the hosts.
Previously, mTLS required a TLS backend policy on the internal portal proxy cluster. API Connectivity Manager 1.3 removes that restriction. The TLS inbound policy on the internal portal allows providing a client certificate for API Connectivity Manager when mTLS is enabled. API Connectivity Manager presents this client certificate when connecting to the Developer Portal, identifying itself as a trusted client.
-
-
Improved policy layout
The Policy user interface has been improved with highlights for the different policy sections.
-
NGINX Management Suite config changes are preserved during upgrade
Upgrades no longer overwrite customized configurations unless instructed to by the user.
-
Support for chained certificates
Infrastructure administrators can now upload public certificates in PEM format, along with an optional list of intermediate certificates for validating the public certificate.
-
Support for SNI requirements from hosted services
API owners can now use the OAuth2 policy with hosted Identity Provider services that enforce Server Name Indication (SNI).
-
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- No validation when conflicting policies are added (34531)
- Installing NGINX Agent on Ubuntu 22.04 LTS fails with
404 Not Found
error (35339) - New users are unable to see pages even though they have been given access. (36607)
- Portals secured with TLS policy require additional environment configuration prior to publishing API docs (38028)
- The user interface is erroneously including irrelevant information on the TLS inbound policy workflow (38046)
Known Issues
You can find information about known issues in the Known Issues topic.
1.2.0
October 18, 2022
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.0.0 - 1.1.1
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Restrict access to APIs based on IP address
Using the ACL-IP policy, API owners can now restrict access to APIs based on IP addresses. APIs can be protected by quickly blocking rogue requests from certain IPs or allowing access to only known IPs.
-
Secure API access with OAuth2 tokens
API Owners can restrict access to their APIs with OAuth2 tokens by swapping an opaque token for claims or a JWT token to be proxied to the backend service. The policy can be configured to grant access to APIs after having the tokens introspected. In addition, the claims in the token can be extracted and forwarded to the backend service.
Tip:
Learn how to set up an OAuth2 Introspection policy with Keycloak as the authorization server. -
Enhanced API documentation on developer portal
The API documentation published to the Developer Portal now displays detailed security schema information for each API.
-
To improve the performance and efficiency of client-server interactions, HTTP/2 can be enabled on the API proxies. With HTTP/2 enabled, API Proxies will continue to maintain backward compatibility with older browsers.
-
Improved visualizations for resource credentials
API owners can now view the origin of resource credentials. The source field indicates where the credentials were created. For security reasons, the credentials created on the Developer Portal will be masked, but the API owners can view the origin of the resource credentials.
-
Express API payload size with unit of measure
The maximum allowed size for the client request body can now be configured in bytes, kilobytes(K) or megabytes(M).
The
maxRequestBodySizeLimit
attribute of the policy is deprecated and will be removed in API Connectivity Manager 1.3.0.Size
is the new attribute that supports bytes, megabytes(M), and kilobytes(K). The default setting is 1M. -
Database backup included in support packages
The Developer Portal support package now includes the option to back up the PostgreSQL database.
-
Publish and manage gRPC services - preview release
Important:
This is a preview feature for you to try out. You shouldn’t use preview features for production purposes.To handle gRPC traffic, you can now publish and manage gRPC proxies.
Publish gRPC proxies and route gRPC traffic to support the following use cases:
- Simple RPC (single request‑response)
- Response‑streaming RPC
- Request‑streaming RPC
- Bidirectional‑streaming RPC
- Route to all services in a gRPC service package
- Route to a single gRPC service
- Route to individual gRPC methods
- Route to multiple gRPC services
- Respond to errors with custom gRPC error response format policy
-
Out-of-the-box protection for Developer Portals
Developer Portals are now deployed with out-of-the-box protection against rapid requests/overuse and server fingerprinting:
- Protection against server fingerprinting
The proxy response header policy is now applied by default to a Developer Portal. The default policy disables server tokens from being returned in the proxy response.
- Protection against rapid requests and over-use
To protect the portal application, the default rate limit policy limits the number of requests a client can make in a time period. Platform admins can customize the policy to meet their SLAs.
-
Support for multi-host deployment pattern for Developer Portals
Developer Portals can support multiple deployment patterns. The portal backend API service can be scaled to multiple hosts and can be load-balanced using host IP addresses or internal DNS.
To support the deployment patterns,
configs -> proxyConfig -> backends
object has been introduced in the Portal Proxy runtime. The existingbackend
object in theproxyCluster
object of the Portal Proxy runtime is being deprecated and will not be available in the next major release version.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- Enums are not supported in Advanced Routing. (34854)
- Unable to delete an environment that is stuck in a Configuring state. (35546)
- Credentials endpoint is disabled by default (35630)
- Ratelimit policy cannot be applied with OAuth2 JWT Assertion policy. (36095)
- Using labels to specify the backend is partially available (36317)
- To see updates to the Listener’s table, forced refresh of the cluster details page is required. (36540)
Known Issues
You can find information about known issues in the Known Issues topic.
1.1.1
August 31, 2022
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.0.0 - 1.1.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Stability and performance improvements
This release includes stability and performance improvements.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- OIDC policy doesn’t work with Auth0 Identity Providers (36058)
- Traffic is not secured between the API Proxy and backend servers (36714)
- Advanced routing ignores the Context Root setting for backend proxies (36775)
Known Issues
You can find information about known issues in the Known Issues topic.
1.1.0
August 18, 2022
Upgrade Paths
API Connectivity Manager supports upgrades from these previous versions:
- 1.0.0
If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
Including more than one proxy cluster with the same hostname in an environment replicates configuration across all clusters and assists with blue-green deployments. With advanced cluster management, you can use a load balancer in front of the clusters to slowly move to the newer version of the API gateway. For example, one cluster may belong to NGINX Plus version R26 and another to R27. See the Technical Specifications.
-
Advanced Routing feature is available now
Advanced routing feature is available now. You can use it to publish an API Proxy and route specific URIs/endpoints precisely to a backend service. Advanced routing with OAS Specification allows you to import a specification file, parse all the URIs/endpoints in the file and publish API proxy by routing each URI/endpoint precisely to a backend service. To use the advanced routing feature without an OAS specification file, add the URI/endpoints while publishing the API proxy. See the Advanced Configurations section.
-
SQLite is supported for Developer Portal
SQLite is now supported as a database for Developer Portal installations.
-
Support for NGINX Plus Release 27 (R27)
This release supports NGINX Plus Release 27 (R27) version for Data Plane instances. See the Technical Specifications.
Resolved Issues
This release fixes the following issues. Select an issue’s ID link to view its details.
- JWT Assertion policy accepts an empty string value for tokenName property (35419)
- Environment is in a premature success state even though all proxy clusters may not be onboarded (35430)
- Cannot add, remove, or edit proxy clusters from an environment that has a published API proxy (35463)
- Features in the web interface are not displayed after uploading license (35525)
- DEVPORTAL_OPTS in /etc/{default,sysconfig}/nginx-devportal does not work if value has multiple words (36040)
Known Issues
You can find information about known issues in the Known Issues topic.
1.0.0
July 19, 2022
Dependencies with Instance Manager
API Connectivity Manager depends on the platform capabilities of Instance Manager. The following table lists the minimum versions of Instance Manager required for API Connectivity Manager:
API Connectivity Manager | Instance Manager Dependency |
---|---|
1.9.0 - 1.9.3 | 2.13.0 and later |
1.8.0 | 2.12.0 and later |
1.6.0 - 1.7.0 | 2.10.0 and later |
1.5.0 | 2.9.0 and later |
1.4.0 - 1.4.1 | 2.7.0 and later |
1.3.0 - 1.3.1 | 2.6.0 and later |
1.1.0 - 1.2.0 | 2.4.0 and later |
1.0.0 | 2.3.0 and later |
To ensure API Connectivity Manager’s new features work correctly, you may need to install or upgrade Instance Manager to the minimum version specified. If Instance Manager is not installed, API Connectivity Manager will install the latest version. If the installed version is below the minimum required version, API Connectivity Manager will upgrade Instance Manager to the latest version. Otherwise, API Connectivity Manager will leave Instance Manager unchanged.
What’s New
This release includes the following updates:
-
API Connectivity Manager is now available
- Create and manage isolated workspaces for business units, development teams, etc., so each team can develop and deploy at its own pace without affecting other teams.
- Create and manage API infrastructure in isolated workspaces.
- Create and manage production and non-production environments within team workspaces and control who can access APIs at various lifecycle stages. For example, keep APIs under development private and publish production-ready APIs for public access.
- Enforce uniform security policies across all workspaces by applying global policies.
- Create Developer Portals that align with your brand, with custom color themes, logos, and favicons.
- On-board your APIs, publish to an API gateway, and publish your API documentation to the Developer Portal.
- Let teams apply policies to their API proxies to provide custom quality of service for individual applications.
- On-board API documentation by uploading an OpenAPI spec.
- Publish your API docs to a Developer Portal without giving the public access to your API.
- Monitor system and traffic metrics at the instance level.
- Self-service credential issuance for API Keys and Basic Authentication.
- Test API calls to your system using the “Try it out” feature in the Developer Portal.
Known Issues
You can find information about known issues in the Known Issues topic.