This page applies to Apigee and Apigee hybrid.
This page explains how to configure and manage the Apigee Advanced API Security add-on for multiple Apigee organizations and gateways.
Before you begin
Before you can configure Apigee Advanced API Security for multiple Apigee organizations and gateways, ensure that you have completed the following:
- Provision API hub. For more information, see Provision API hub.
- For Apigee X and Apigee hybrid gateways, attach the Apigee runtime projects to API hub. Make sure that you select the API assets to import into API hub. For information about attaching Apigee X and Apigee hybrid runtime projects, see Attach a runtime project.
- For Apigee Edge Public Cloud gateways, create the Apigee Edge plugin instance in API hub. For more information, see Create plugin instances.
- Enable and configure API insights for the gateways (plugin instances) that you want to cover with Advanced API Security. For more information, see Configure API insights.
- Grant the required IAM roles and permissions to your principal account. For more information, see IAM roles and permissions.
Enable Advanced API Security for multiple Apigee organizations and gateways
To use Advanced API Security for multiple Apigee organizations and gateways, you must first enable this add-on for your API hub instance and then configure the runtime projects and environments that you want to be covered by Advanced API Security.
Console
To enable the Advanced API Security add-on for your API hub instance, do the following:
- In the Google Cloud console, go to the API hub > Add-on management page.
- Locate the Advanced API Security card and click Enable add-on.
  The Manage Apigee add-ons pane appears.
- Configure the runtime projects and environments that you want to be covered by Advanced API Security:
  - Click Add runtime project.
  - Click the Select Apigee runtime project drop-down and select the Apigee runtime project that you want to add.
  - Configure the Apigee environments for the selected runtime project. Do one of the following:
    - Enter the environment names that you want to cover from the selected Apigee runtime project. This gives you granular control over which runtime data is assessed, helping you to manage costs.
    - Select the Enable add on for all Apigee gateway environments in this runtime project checkbox to enable Advanced API Security for all the environments in the selected runtime project.
  - Click Add.
  - Optional: Repeat the previous steps to add additional runtime projects.
- Click Save.
Advanced API Security is enabled for your API hub instance and the runtime projects and environments that you configured.

REST
To enable the Advanced API Security add-on for your API hub instance, use the projects.locations.apiHubAddons.enable API.
For more information, see Manage add-ons.
Manage runtime projects and environments for Advanced API Security
Console
To manage the configured runtime projects and environments for Advanced API Security, do the following:
- In the Google Cloud console, go to the API hub > Add-on management page.
- Locate the Advanced API Security card and click Manage add-on.
  The Manage Apigee add-ons pane appears.
- To remove a runtime project or environment, do the following:
  - Click Remove runtime project in the row of the runtime project or environment you want to remove.
  - In the confirmation dialog, click Remove.
- To add a runtime project or environment, click Add runtime project.
  - In the Add runtime project dialog, complete the required steps, and then click Add.
- Click Save to save your changes.
Limitations
- Advanced API Security doesn't support abuse detection, security reports, and security actions for multiple Apigee organizations and gateways.
  Support for these capabilities is limited to a single Apigee X/hybrid organization. See Advanced API Security enabled from your Apigee instance for more information.
- Advanced API Security currently has limited support for VPC Service Controls (VPC-SC). To avoid potential feature limitations, we recommend enabling this add-on for API hub instances associated with Apigee organizations that don't have VPC-SC enabled.
- Advanced API Security doesn't support custom plugins (gateways from third-party providers). It is currently supported only for Apigee X, hybrid, and Apigee Edge Public Cloud gateways.
- Apigee Edge Private Cloud gateways are not supported.
Considerations
- If you have not yet enabled the Advanced API Security add-on, the Risk assessment page displays an empty state with instructions to enable the add-on through the Add-on management page.
- You can only enable Advanced API Security with multi-gateway support for runtime projects that are attached to API hub.
- If you have an existing Apigee X/hybrid runtime project attached, but are unable to see any gateways or environments, then you may need to edit the project settings to import the necessary API assets into API hub. For more information, see Edit project association settings.
- API hub doesn't automatically add newly created environments to your configured runtime project after Advanced API Security is enabled. You must add these new environments manually. You can do this by either re-selecting the option to Enable the add-on for all environments in the runtime project or by adding each new environment individually.
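Because new environments are not picked up automatically, coverage can drift after the add-on is saved. The following added example (not Google's code) audits that drift offline. The input shapes, gateway labels, and project names are assumptions constructed for illustration, not an API hub or Apigee response format.

```python
# Added example: data shapes, gateway labels and project names are constructed.
SUPPORTED_GATEWAYS = {"apigee-x", "apigee-hybrid", "apigee-edge-public-cloud"}
ALL_UNCOVERED = {"unsupported-gateway", "not-attached", "not-configured"}


def audit_coverage(inventory, configured):
    """Compare live environments with those saved in the add-on configuration.

    inventory:  {project: {"gateway": str, "attached": bool, "environments": [str]}}
    configured: {project: [environment names saved in the Manage Apigee add-ons pane]}
    """
    report = {}
    for project, info in sorted(inventory.items()):
        live = set(info["environments"])
        saved = set(configured.get(project, ()))
        if info["gateway"] not in SUPPORTED_GATEWAYS:
            status = "unsupported-gateway"   # e.g. Edge Private Cloud, custom plugins
        elif not info["attached"]:
            status = "not-attached"          # must be attached to API hub first
        elif project not in configured:
            status = "not-configured"
        elif live - saved:
            status = "partial"               # environments created after the last save
        else:
            status = "covered"
        uncovered = live if status in ALL_UNCOVERED else live - saved
        report[project] = {
            "status": status,
            "uncovered": sorted(uncovered),
            "stale": sorted(saved - live),   # saved names that no longer exist
        }
    return report


# Constructed sample data.
INVENTORY = {
    "example-prod-runtime": {"gateway": "apigee-x", "attached": True,
                             "environments": ["prod", "prod-eu", "canary"]},
    "example-dev-runtime": {"gateway": "apigee-hybrid", "attached": True,
                            "environments": ["dev", "test"]},
    "example-legacy": {"gateway": "apigee-edge-private-cloud", "attached": False,
                       "environments": ["prod"]},
    "example-sandbox": {"gateway": "apigee-x", "attached": True,
                        "environments": ["sandbox"]},
}
CONFIGURED = {
    "example-prod-runtime": ["prod", "prod-eu"],        # "canary" was created later
    "example-dev-runtime": ["dev", "test", "old-qa"],   # "old-qa" has been deleted
}

if __name__ == "__main__":
    for project, row in audit_coverage(INVENTORY, CONFIGURED).items():
        print(project, row)
```

Any project reported as `partial` or `not-configured` needs its environments added in the Manage Apigee add-ons pane before its runtime data is assessed.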
What's next
- To view security scores across all projects and gateways, see View security scores across all projects and gateways.
- To view security scores for a given API across its deployments in gateways, see View security scores for APIs.

