Overview: Anypoint Flex Gateway is an Envoy-based, ultrafast, lightweight API gateway designed to manage and secure APIs running anywhere. It is built to seamlessly integrate with DevOps and CI/CD workflows.
Flex Gateway delivers the performance required for the most demanding applications and microservices while providing enterprise security and manageability across any environment.
Flex Gateway Architecture
Flex Gateway is made up of two components:
- Control Plane: Hosted by MuleSoft Cloud.
- Runtime Plane: This could be MuleSoft hosted or on any cloud where the Flex Gateway is installed.
Built with security in mind, Flex Gateway secures communications between the runtime and the control plane through mTLS and HTTPS.
Fluent Bit implementation enables log output to local files or to aggregators such as New Relic, Sumo Logic, and Splunk.
A runtime unit is called a replica. While a single runtime can support multiple backend APIs, for high availability it is best to deploy Flex Gateway as a cluster with multiple replicas running in parallel.
Flex Gateway also supports configuring an external Redis cache for distributed caching and rate limiting.
- Local Mode: This is a standalone type of installation that is mostly disconnected from the control plane. It connects to the control plane for registration and for logging usage metrics. All configuration is maintained locally in declarative configuration files (registration.yaml files).
- Connected Mode: In Connected Mode, the Gateway is fully connected to the MuleSoft control plane. This connection allows for centralised management, observability, and security. Anypoint API Manager enables full API lifecycle management and policy configuration.
Flex Gateway Deployment Models: Choosing the right one for your solution
Flex Gateway supports multiple deployment models, which apply to both Connected Mode and Local Mode:
- Standalone deployment
- Ingress deployment
- Egress deployment
- Sidecar deployment
We can choose the right deployment model for the Flex Gateway based on the business requirement, the customer infrastructure and security considerations.
A detailed explanation of each deployment model is available on the MuleSoft documentation page.
Flex Gateway vs Mule Gateway
| Flex Gateway | Mule Gateway |
|---|---|
| Secure all APIs, Mule and non-Mule, running anywhere using an Envoy-based API gateway. | It will only secure Mule APIs. |
| Several deployment patterns and modes are available. | Secure a basic Mule API endpoint or make a dedicated proxy a library that is incorporated in a Mule instance. Also accessible on Cloud Hub as a Mule proxy application. |
| Both Connected Mode and Local Mode are available. | Only in Connected Mode. |
| High availability and performance. | High availability and performance. |
Installing Flex Gateway connected mode on Docker on AWS cloud (EC2)
For this blog, I have used my AWS and MuleSoft trial accounts.
Connected App creation on Anypoint Platform
1. Log in to the Anypoint Platform and click on the Access Management section on the left side.
2. On the Access Management page, click on Connected Apps on the left side.
a. This will be visible if you have the right permissions on the Anypoint Platform. If you’re not able to see this, please reach out to the admin of the platform.
b. Click on the Create App button and select the client credentials option, as below.
c. Enable the below scopes on the environment where Flex Gateway is available (in the below screenshot I just used the Sandbox).
d. Click on the Save button and copy the client ID and client secret values of the Connected App.
e. With the above steps, Connected App creation is completed.
Configuring the EC2 on AWS
1. Log in to the AWS console with your registered account.
2. Create an IAM User as below by following the steps highlighted in the screenshots.
3. Create a User group with Admin Permissions (for this POC, admin access was provided; otherwise, create one based on your organisation's security regulations).
4. Attach the newly created user group to the IAM user and complete the next steps to create the user.
5. Download the CSV file that appears on the user creation screen and contains the URL and login information.
6. Log in to the AWS console with the new IAM user details.
7. Please select the AWS region where you want to install the Flex Gateway.
8. Search for EC2 in the search bar and select the Launch Instance option. This takes you to the next page, where you fill in some information, as below.
a. Provide the name of the EC2 machine
b. Select the Amazon Linux as OS (will install Docker on EC2 Linux)
c. Select the Amazon machine image which is applicable (for POC purposes, select the free tier eligible one).
d. Select the instance type, such as t2.micro/small/medium, based on the volume of requests and the APIs to be published (for POC purposes, select the micro type). Refer to the MuleSoft sizing guide to find the right sizing.
e. Create a new key pair (RSA type) for SSH access to the EC2 machine.
f. Keep the default VPC or use any existing VPC as per infrastructure requirements.
g. Create a security group as below, or use an existing security group which allows internet traffic on the required ports.
- Configure storage as per requirement
h. Click on Launch Instance. It will take some time to spin up the EC2 machine, displayed below.
i. Click on the instance ID and copy the Public IP and DNS address of the EC2 Machine.
j. Verify the security group firewall inbound rules. This is an important step as traffic depends on this.
Installing Docker on AWS EC2
1. SSH into the EC2 machine using the key pair created with the EC2 instance. You can use the SSH command below to log in to the EC2 machine.
a. To complete SSH, install an SSH client or use Windows PowerShell if supported.
2. Successful SSH shown below.
3. Install Docker using the command below.
4. Successful Docker installation shown below.
5. Start Docker using the command below.
6. Check the Docker status using the command below. A ‘Running’ status means Docker is active.
Installing Flex Gateway on Docker
1. Download the Flex Gateway Docker image using the command below. If required, prefix the command with sudo.
2. Verify that the download succeeded using the command below.
3. Successful download shows the results below.
4. Create a folder and register the Flex Gateway. Before registering the Flex Gateway to the Anypoint platform, create a Docker query, as below.
5. Below indicates the successful registration.
6. On Anypoint Platform Runtime Manager, you can observe the same instance registered but in disconnected mode.
7. Run the ‘ls’ command in the folder where the previous step was executed. You will see a file called ‘registration.yaml’, which contains the credentials and registration details of the Flex Gateway. In local mode, this file plays a key role.
8. Run the Flex Gateway by using the below Docker command.
For POC, I made 3 port routings to check the HTTP and HTTP connectivity.
9. Once the run command executes successfully, Flex Gateway will show as connected mode.
10. The below lines confirm that Flex Gateway is running successfully.
11. With the above process, Flex GW was installed on Docker and connected to the Anypoint platform successfully.
Registering the Mule API to Flex Gateway (Mule APP as backend)
Pre-requisite: Create a RAML and publish it to Exchange.
1. Go to API Manager and configure the API from Exchange.
a. Add new API
b. Select the Flex Gateway
c. Choose the Flex Gateway where you will deploy the API. Flex Gateway should be in connected mode, and then click on the Next button.
d. Search for the API in Exchange, select it from the results, and click on the Next button.
e. Add the downstream details as below (for the POC it was HTTP). Make sure the base path and port are specified correctly.
f. Add the upstream details. In this POC, the upstream URL is the MuleSoft application URL, which was hosted on port 8081. Under the routing rules, specify the path and resource to which requests are routed.
g. Click Next and review details, then click on the Save & Deploy button.
h. It will take a few moments for the API to become active. When it’s active, it will show as below.
Testing the API using the Flex Gateway
Key points to remember here for forming the URL which can be provided to consumer applications:
1. As the above diagram shows, the consumer URL will be the URL where the Flex Gateway was installed, which routes the requests to the back end. In this case, it's the MuleSoft application.
a. Downstream: Flex Gateway details.
b. Upstream: Back end system details.
2. Invoke the Mule service from Postman, as below, using the Flex Gateway URL.
a. Here, the hostname will be the EC2 public DNS (refer to section 12 point 10), and the port will be the same as the Mule app port.
3. The above proves that requests are routed through the Flex Gateway. The metrics can be seen in the Anypoint Monitoring component.
The above steps give a basic idea of how a Flex Gateway works and how it is hosted using Docker.
Limitations with the Flex Gateway
- Flex Gateway does not support SOAP APIs. You will need to use the Mule Gateway.
- Only HTTP and REST are supported.
- There is a starting limit of 200 APIs per Flex Gateway instance.
- Flex Gateway Custom Policies need to be written in Rust, and we can’t simply use the Mule Gateway Custom Policies.
- Flex Gateway is a cloud-hosted service, which means that its operation depends on the availability and stability of the cloud infrastructure.
I hope the above blog helps you get started with Flex Gateway.
In the next blogs, I will cover:
- Securing the API
- Adding multiple replicas and external storage for the Flex Gateway
- Flex Gateway on local mode.