#Apigee Extension Processor
govindhtech · 2 months ago
Apigee Extension Processor v1.0: CLB Policy Decision Point
V1.0 Apigee Extension Processor
This powerful new capability increases Apigee's reach and versatility and makes managing and protecting more backend services and modern application architectures easier than ever.
Modern deployers may add Apigee rules to their scalable containerised apps using the Extension Processor's seamless Cloud Run interface.
Additionally, the Extension Processor creates powerful new connections. With gRPC bidirectional streaming, complicated real-time interactions are easy, enabling low-latency, engaging apps. For event-driven systems, the Extension Processor controls and protects Server-Sent Events (SSE), enabling data streaming to clients.
Benefits extend beyond communication standards and application implementation. When used with Google Token Injection rules, the Apigee Extension Processor simplifies safe Google Cloud infrastructure access. Apigee's consistent security architecture lets you connect to and manage Bigtable and Vertex AI for machine learning workloads.
Finally, by connecting to the advanced traffic management features of Google's Cloud Load Balancing, the Extension Processor offers unequalled flexibility in routing and controlling various traffic flows. Even complex API landscapes may be managed with this powerful combination.
This blog demonstrates a powerful technique to manage gRPC streaming in Apigee, a major issue in high-performance and real-time systems. gRPC is essential to microservices; however, organisations employing Google Cloud's Apigee as an inline proxy (traditional mode) face issues owing to its streaming nature.
We will examine how Apigee's data plane may regulate gRPC streaming traffic from the ALB to the Extension Processor. A service extension, also known as a traffic extension, allows efficient administration and routing without passing the gRPC stream through the Apigee gateway.
Read on to learn about this solution's major features, its benefits, and a Cloud Run backend use case.
Overview of Apigee Extension Processor
Cloud Load Balancing may send callouts to Apigee for API administration via the Apigee Extension Processor, a powerful traffic extension. Apigee can apply API management policies to requests before the ALB forwards them to user-managed backend services, extending its robust API management capabilities to Cloud Load Balancing workloads.
Infrastructure, Dataflow
Apigee Extension Processor requirements
Apigee Extension Processor setup requires several components. Service Extensions, ALBs, and Apigee instances with Extension Processors are included.
The numerical steps below match the flow diagram's numbered arrows to demonstrate order:
1. The ALB receives client requests.
2. The Policy Enforcement Point (PEP) ALB processes traffic. This procedure involves calls to Apigee via the Service Extension (traffic extension).
3. After receiving the callout, the Apigee Extension Processor, which acts as the Policy Decision Point (PDP), applies API management policies and returns the request back to the ALB.
4. After processing, the ALB forwards the request to the backend.
5. The ALB gets the backend service-started response. Before responding to the client, the ALB may utilise the Service Extension to contact Apigee again to enforce policies.
Making gRPC streaming pass-through possible
Apigee, an inline proxy, does not support streaming gRPC, even though many modern apps do. Apigee Extension Processor is handy in this circumstance since it allows the ALB to process streaming gRPC communication and act as the PEP and the Apigee runtime as the PDP.
Important components for Apigee's gRPC streaming pass-through
Using the Apigee Extension Processor for gRPC streaming pass-through requires the following components. "Get started with the Apigee Extension Processor" has detailed setup instructions.
gRPC streaming backend service: A bidirectional, server, or client streaming service.
The Application Load Balancer (ALB) routes traffic and calls to the Apigee Service Extension for client requests.
One Apigee instance with the Extension Processor enabled: A targetless API proxy is used by an Apigee instance and environment with Extension Processor to process Service Extension communication using ext-proc.
In order to link the ALB and Apigee runtime, a traffic extension (ideally Private Service Connect (PSC)) is configured.
When configured properly, client to ALB, ALB to Apigee, and ALB to backend may interact.
Apigee secures and manages cloud gRPC streaming services
Imagine a customer creating a high-performance backend service to deliver real-time application logs using gRPC. For scalability and administrative ease, their primary Google Cloud project hosts this backend application on Google Cloud Run. The customer wants a secure API gateway to offer this gRPC streaming service to its clients. They choose Apigee for its API administration capabilities, including authentication, authorisation, rate restriction, and other regulations.
Challenge
Apigee's inline proxy mode doesn't allow gRPC streaming. Typical Apigee installations cannot directly expose the Cloud Run gRPC service for client, server, or bi-di streaming.
Solution
The Apigee Extension Processor bridges gRPC streaming traffic to a Cloud Run backend application in the same Google Cloud project.
A concentrated flow:
Client start
Client applications initiate gRPC streaming requests.
The entry point ALB's public IP address or DNS name is the target of this request.
ALB and Service Extension callout
The ALB receives gRPC streaming requests.
A serverless Network Endpoint Group connects the ALB's backend service to Cloud Run.
The ALB also features a Service Extension (Traffic extension) with an Apigee runtime backend.
The ALB calls this Service Extension for relevant traffic.
Processing Apigee proxy
Service Extensions redirect gRPC requests to Apigee API proxies.
Apigee X proxy implements API management controls. This includes rate limiting, authorisation, and authentication.
No Target Endpoint is defined on the Apigee proxy in this situation. ALB finalises route.
Return to ALB
Since the Apigee proxy has no target, the Service Extension answer returns control to the ALB after policy processing.
Backend routing in Cloud Run by Load Balancer
The ALB maps the gRPC streaming request to the serverless NEG where the Cloud Run service is situated, per its backend service parameters.
ALB manages Cloud Run instance routing.
Managing responses
Request and response flow are similar. The backend starts the ALB to process the response. The ALB may call Apigee for policy enforcement before responding to the client via the Service Extension (traffic extension).
This simplified use case explains how to apply API management policies to gRPC streaming traffic to a Cloud Run application in the same Google Cloud project using the Apigee Extension Processor. The ALB largely routes to Cloud Run using its NEG setup.
Advantages of Apigee Extension Processor for gRPC Streaming
Using the Apigee Extension Processor to backend manage gRPC streaming services brings Apigee's core features to this new platform application, with several benefits:
Extended Apigee's reach
This technique extends Apigee's strong API management tools to gRPC streaming, which the core proxy does not handle natively.
Utilising current investments
Businesses using Apigee for RESTful APIs may now control their gRPC streaming services from Apigee. Even while it requires the Extension Processor, it uses well-known API management techniques and avoids the need for extra tools.
Centralised policymaking
Apigee centralises API management policy creation and implementation. Integrating gRPC streaming via the Extension Processor gives all API endpoints similar governance and security.
Moneymaking potential
Apigee's monetisation features may be utilised for gRPC streaming services. Rate plans in Apigee-customized API solutions let you generate money when gRPC streaming APIs are accessed.
Better visibility and traceability
Despite limited gRPC protocol-level analytics in a pass-through situation, Apigee provides relevant data on streaming service traffic, including connection attempts, error rates, and use trends. Troubleshooting and monitoring require this observability.
Apigee's distributed tracing solutions may help you trace requests in distributed systems utilising gRPC streaming services with end-to-end visibility across apps, services, and databases.
Business intelligence
Apigee API Analytics collects the massive amount of data going through your load balancer and provides UI visualisation or offline data analysis. This data helps businesses make smart decisions, identify performance bottlenecks, and understand usage trends.
These benefits show that the Apigee Extension Processor can offer essential API management functionalities to Google Cloud's gRPC streaming services.
Looking Ahead
Apigee Extension Processor enhances Apigee's functionality. Apigee's policy enforcement will eventually be available on all gateways. The Apigee runtime will serve as the Policy Decision Point (PDP) and the ext-proc protocol will allow many Envoy-based load balancers and gateways to act as Policy Enforcement Points. Due to this innovation, organisations will be better able to manage and protect their digital assets in more varied situations.
0 notes
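The request flow described in the first post above (ALB as Policy Enforcement Point, targetless Apigee proxy as Policy Decision Point), as an added example that is not part of the original post and is not Apigee, Envoy or Google Cloud code. The class names, the `x-api-key` and `x-verified-app` headers, the quota value and the assumption that the callout carries request headers only are all made up for this simplified model.

```python
from dataclasses import dataclass, field

# Constructed sample data: one API key with a quota of 2 streams per window.
API_KEYS = {"key-logs-reader": {"app": "log-viewer", "quota": 2}}


@dataclass
class Decision:
    allow: bool
    grpc_status: str = "OK"                    # status sent to the client on deny
    set_headers: dict = field(default_factory=dict)
    remove_headers: tuple = ()


class PolicyDecisionPoint:
    """Stands in for the targetless Apigee proxy: it sees request headers only."""

    def __init__(self, keys):
        self.keys, self.used, self.callouts = keys, {}, 0

    def on_request_headers(self, headers):
        self.callouts += 1
        key = headers.get("x-api-key")          # hypothetical header name
        entry = self.keys.get(key)
        if entry is None:                       # authentication
            return Decision(False, "UNAUTHENTICATED")
        if self.used.get(key, 0) >= entry["quota"]:   # rate limiting
            return Decision(False, "RESOURCE_EXHAUSTED")
        self.used[key] = self.used.get(key, 0) + 1
        # Hand the backend a verified identity and drop the raw credential.
        return Decision(True, set_headers={"x-verified-app": entry["app"]},
                        remove_headers=("x-api-key",))


class PolicyEnforcementPoint:
    """Stands in for the ALB: one callout per stream, frames bypass the PDP."""

    def __init__(self, pdp, backend):
        self.pdp, self.backend = pdp, backend

    def open_stream(self, headers, frames):
        decision = self.pdp.on_request_headers(dict(headers))
        if not decision.allow:
            return {"status": decision.grpc_status, "replies": []}
        upstream = {k: v for k, v in headers.items()
                    if k not in decision.remove_headers}
        upstream.update(decision.set_headers)   # overwrites any client-supplied copy
        # Stream frames go straight to the backend; the PDP never sees them.
        return {"status": "OK",
                "replies": [self.backend(upstream, f) for f in frames]}


def log_backend(headers, frame):
    """Constructed stand-in for the Cloud Run gRPC service."""
    assert "x-api-key" not in headers
    return f"{headers['x-verified-app']}:{frame}"


def run_demo():
    pdp = PolicyDecisionPoint(API_KEYS)
    alb = PolicyEnforcementPoint(pdp, log_backend)
    good = {"x-api-key": "key-logs-reader", "x-verified-app": "spoofed"}
    return {
        "first": alb.open_stream(good, ["f1", "f2", "f3"]),
        "no_key": alb.open_stream({}, ["f1"]),
        "second": alb.open_stream(good, ["f4"]),
        "third": alb.open_stream(good, ["f5"]),   # quota of 2 already used
        "callouts": pdp.callouts,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The decision point is called once per stream regardless of how many frames the stream carries, which is the pass-through property the post describes.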
piperarchive · 5 years ago
We’re Hiring!
by Jared Dunn
That’s right, dear readers: Because we now have funding from Mr. Hanneman, we in the Pied Piper family hope to soon have the stork bring us several well-qualified, bouncing baby programmers! While we will be hiring front and back end web app developers and an implementation engineer at some point, for now we are looking to hire for the four below roles.
Resumes will not be accepted from any of the email/IP addresses I have compiled which have left certain comments on my blog. These are comments that have threatened my person or encouraged me to perform acts not possible under the laws of physics, although I suspect a percentage of them may originate with PP’s Gilfoyle or Dinesh, in which case they’re all in good fun!
One note: In addition to these very modest requirements for each position, we also require that all applicants be non-smoking, dog-friendly, fat-positive and respectful of the diversity in gender, race, religion, ableness, sexuality, age and weight which we hope to soon create. Also, tolerance of extreme rudeness, Satanism and marijuana use is recommended.
CORE COMPRESSION LIBRARY ENGINEER (C++ PROGRAMMER)
Requirements:
Deep expertise with C++/Java/C# development developing data compression algorithms.
5+ years with C++.
Knowledge of downstream video platform components, including encoding, muxing, CDNs, signal processing, workflows and broadcast standards.
3+ years experience with client-server and peer-to-peer architectures, network security, basic network protocols (e.g. TCP/IP and UDP), object oriented design.
Understanding of memory management, multiple processor use, runtime optimization, concurrency and synchronization.
Experience in building and running large scale distributed online services.
Experience with large distributed database design.
Proven track record of design/architecture of large components.
Background in mathematics, including linear algebra and numerical methods.
BSc or MSc in Computer Science or related degree.
API DEVELOPER (JAVA)
Requirements:
5+ years of development experience in web-related technologies such as Web Services, REST, SOAP, WCF, ASP.Net, C#, JavaScript, AJAX, JSON and XML.
Experience defining and developing web service APIs.
Experience in integrating with web-based products.
Experiences with the entire software development lifecycle, including version control, build process, testing and code release.
Working experience with an industry standard API Gateway technology such as Layer 7, APIGEE or Intel MASHERY is a plus.
Experience with Agile and Test-driven development methodologies.
BSc or MSc in Computer Science or related degree.
UNIT TESTER
Requirements:
5+ years of testing & QA automation experience.
Experience in an Agile development environment.
Experience in Unit and UI testing.
Development experience in Java, JavaScript and web services.
Experience creating and reviewing test cases.
Experience in large-scale, real time video (including streaming) applications.
Testing multiple browser-OS environments.
Creating test cases.
Integration.
BSc or MSc in Computer Science or related degree.
VIDEO HACKER (ASSEMBLY)
Requirements:
At least 5 years of hands-on experience in C++ application development on Linux OS and extensive experience in Java and Javascript.
Knowledge of Linux C++ development tools and environments: make, gcc, gdb, gprof, subversion, git, shell scripting, Perl, Python or Ruby.
Knowledge of virtualization and building distributed video processing systems.
Socket and network programming.
Multithreading and inter process communication.
Object oriented design and software development patterns.
Experience with video container formats: .mov / .mp4, .mkv / .webm, mpeg-2 transport stream, .flv.
Experience with video compression codecs: AVC, HEVC, VP6, VP8, VP9, ProRes, DNXHD, AAC, Vorbis, Opus.
Experience with video delivery formats for streaming and adaptive bitrate delivery: HLS, DASH, RTMP, RTSP, MPEG-2 TS over UDP, Zixi, FASP, WebRTC, and progressive download HTTP.
Experience with mezzanine file asset ingestion via SFTP and Aspera.
Network multicast, protocols, routing and topology.
Experience with video processing and broadcast standards. Deinterlacing, scaling, aspect ratios, telecine, etc.
Experience building end to end video workflows with a true glass to glass scope. Capture, process, encode, deliver, decode, and display.
Knowledge of workflows for stitching multiple cameras into equirectangular spherical videos.
1 note · View note
jeybietraj-blog · 8 years ago
Online Platforms: an Advantageous Program
Online platforms play a progressively vital title role in social and economic life. They are also an essential part of flourishing an internet-enabled economy and society. And just like language, online platforms serve as a bridge that associates two parties to one another. Moreover, it is an online marketplace that is highly operational for various intents specifically on the field of businesses. The European Commission proves that online platforms are vital on both economic and personal aspect as they conducted a vast study on the role of online platforms, as part of the Digital Market Strategy. The assessment was founded with an extensive civic consultation, and a series of workshops and studies. The outcomes of the assessment are further set out in a staff working document on online platforms that also strengthens the platforms communication which formulates the commission’s program method to online platforms and classifies areas where action or further assessment may be essential. The European Commission concludes that the assessment of online platforms portray a key role in assisting advancement and growth in the Digital Single Market.
Basically, there are three kinds of online platforms that a netizen can meet on the internet according to PC Magazine Encyclopaedia. First is the Application Program Interface or the API access which is the procedure of ensuring that calls with reliable logins are capable to access the APIs. API products are also a good technique to regulate access to a specific package of resources. Apigee, the leading provider of API technology and services for enterprises and developers, permits a netizen to allow or deny access to their APIs, by specific IP (Internet Protocol) address.
Second is the “Plug-In API,” which Robert Brown, an Engineer, a team leader and a Project Manager describes as a plugin which is an element that permits adjustment of what a system can do usually without constraining a redesign or a compilation of the system. Numerous systems have a plugin API which delimits how plugins should cooperate with the rest of the system. Chrome Extensions is an example of a plugin API, which explains how to interact and change the functionality of chrome without requiring to recompile or reconstruct any of the Chrome code. And the last one is, the “Runtime Environment.” TechTerms.com says, “As soon as a software program is executed, it is in a run time state. In this status, the program can send instructions to the computer’s processor and access the computer’s memory (RAM) and other system resources.”
All in all, platforms play an essential role in bringing people and businesses together. They aid in expediting social and commercial trades of goods, services and information which or else would not happen. The European Commission have tested some of the benefits to consumers and entrepreneurs and results said that the benefits are experienced widely across both consumers and entrepreneurs.
1 note · View note
inlinuxonusetk · 8 years ago
6 Hot Internet of Things (IoT) Security Technologies
Internet of Things (IoT) security breaches have been dominating the headlines of late. WikiLeaks' trove of CIA documents revealed that internet-connected TVs can be used to covertly record conversations. Trump's adviser Kellyanne Conway believes that microwave ovens can spy on you; perhaps she was referring to microwave cameras, which certainly can be used for surveillance. And don't delude yourself that you are immune to IoT attacks, with 96% of security professionals responding to a new survey expecting an increase in IoT breaches this year.
Even if you personally don't suffer the consequences of the substandard security of the IoT, your connected gadgets may well be unwittingly cooperating with criminals. Last October, Internet service provider Dyn came under an attack that disrupted access to popular websites. The cybercriminals who initiated the attack managed to enlist countless connected devices (mostly DVRs and cameras) to serve as their accomplices. As a result, cybersecurity expert Bruce Schneier has called for government regulation of the IoT, concluding that both IoT manufacturers and their customers don't care about the security of the 8.4 billion internet-connected devices in current use.
Whether because of government regulation or good old-fashioned self-interest, we can expect increased investment in IoT security technologies. In its recently released TechRadar report for security and risk professionals, Forrester Research discusses the outlook for the 13 most relevant and important IoT security technologies, warning that "there is no single, magic security bullet that can easily fix all IoT security issues."
Based on Forrester's analysis, here's my list of the 6 hottest technologies for IoT security:
IoT network security: Protecting and securing the network connecting IoT devices to back-end systems on the internet. IoT network security is more challenging than traditional network security because there is a wider range of communication protocols, standards, and device capabilities, all of which pose significant issues and increased complexity. Key capabilities include traditional endpoint security features such as antivirus and antimalware as well as other features such as firewalls and intrusion prevention and detection systems. Sample vendors: Bayshore Networks, Cisco, Darktrace, and Senrio.
IoT authentication: Providing the ability for users to authenticate an IoT device, including managing multiple users of a single device (such as a connected car), ranging from simple static password/pins to more robust authentication mechanisms such as two-factor authentication, digital certificates and biometrics. Unlike most enterprise networks where the authentication processes involve a human being entering a credential, many IoT authentication scenarios (such as embedded sensors) are machine-to-machine based without any human intervention. Sample vendors: Baimos Technologies, Covisint, Device Authority, Entrust Datacard, and Gemalto.
IoT encryption: Encrypting data at rest and in transit between IoT edge devices and back-end systems using standard cryptographic algorithms, maintaining data integrity and preventing data sniffing by hackers. The wide range of IoT devices and hardware profiles limits the ability to have standard encryption processes and protocols. Moreover, all IoT encryption must be accompanied by equivalent full encryption key lifecycle management processes, since poor key management will reduce overall security. Sample vendors: Cisco, Entrust Datacard, Gemalto, HPE, Lynx Software Technologies, and Symantec.
IoT PKI: Providing complete X.509 digital certificate and cryptographic key and life-cycle capabilities, including public/private key generation, distribution, management, and revocation. The hardware specs for some IoT devices may limit or prevent their ability to utilize PKI. Digital certificates can be securely loaded onto IoT devices at the time of manufacture and then activated/enabled by third-party PKI software suites; the certificates could also be installed post-manufacture. Sample vendors: DigiCert, Entrust Datacard, Gemalto, HPE, Symantec, and WISeKey.
IoT security analytics: Collecting, aggregating, monitoring, and normalizing data from IoT devices and providing actionable reporting and alerting on specific activities or when activities fall outside established policies. These solutions are starting to add sophisticated machine learning, artificial intelligence, and big data techniques to provide more predictive modeling and anomaly detection (and reduce the number of false positives), but these capabilities are still emerging. IoT security analytics will increasingly be required to detect IoT-specific attacks and intrusions that are not identified by traditional network security solutions such as firewalls. Sample vendors: Cisco, Indegy, Kaspersky Lab, SAP, and Senrio. (See also my post regarding Aperio Systems)
IoT API security: Providing the ability to authenticate and authorize data movement between IoT devices, back-end systems, and applications using documented REST-based APIs. API security will be essential for protecting the integrity of data transiting between edge devices and back-end systems to ensure that only authorized devices, developers, and apps are communicating with APIs as well as detecting potential threats and attacks against specific APIs. Sample vendors: Akana, Apigee/Google, Axway, CA Technologies, Mashery/TIBCO, MuleSoft, and WSO2.
Note that Forrester did not identify any technologies in the "creation" stage. It says: "The continued evolution of IoT-specific security threats will undoubtedly drive innovation in this space, so expect more new IoT-specific security technologies to appear in the creation phase in the near future, many of which may align around vertical- and industry-specific use cases such as connected medical devices or industrial applications."
Forrester lists the following challenges to achieving a secure IoT: Many IoT devices lack basic security requirements; There is a plethora of IoT standards and protocols, which creates security blind spots; The scale and scope of IoT deployments hinder visibility into security incidents; There is a lack of clarity of responsibility regarding privacy and security.
"The Dyn attack was probably just the start," says Forrester, "so [we] can expect further attacks that leverage insecure IoT devices in the coming months and years." Indeed, Gartner placed security at the top of its list of top 10 IoT technologies for 2017 and 2018, saying "IoT security will be complicated by the fact that many "things" use simple processors and operating systems that may not support sophisticated security approaches."
It's complicated when simple things connect to become a vast network that reaches everywhere. Forrester makes the following observations and recommendations: IoT security requires an end-to-end approach; Encryption is an absolute must; IoT security scenarios place a premium on scalability (handling the sheer number of devices); Security analytics will play a significant role in IoT security solutions; IoT standards are important catalysts but still need time to mature.
Concludes Forrester: "It's critical for today's digital businesses to balance the business benefits that IoT-connected products can deliver with the recognition that these same devices have become an attractive attack plane for hackers and cybercriminals seeking to cause disruption and exfiltrate sensitive data."
0 notes