In today’s fast-paced digital world, companies are looking for ways to securely expose their APIs and microservices to the internet. MuleSoft Anypoint Flex Gateway is a powerful solution that solves this problem.
Let's walk through deploying the Anypoint Flex Gateway on Heroku in a few straightforward steps. You'll learn how to connect your private APIs and microservices on the Heroku platform through the Anypoint Flex Gateway and the Anypoint API Manager, without the hassle of managing infrastructure. Get ready to unlock the potential of this potent pairing and, in the future, integrate it with Salesforce.
Introduction
Salesforce's ecosystem provides a seamless, integrated platform for our customers. The most recent MuleSoft Anypoint Flex Gateway release is now compatible with Heroku, offering an improved security profile and reduced latency for APIs hosted on Heroku.
By deploying the Anypoint Flex Gateway inside the same Private Space as your Heroku apps, you create an environment where your Heroku apps with internal routing can be exposed to the public through the Flex Gateway. This adds an extra layer of security and control, only allowing traffic to flow through the Flex Gateway, which can be configured easily from the MuleSoft control plane and scaled with the simplicity of Heroku. The joint integration simplifies operations and scalability and accelerates your time to value for your Salesforce solutions.
What is Anypoint Flex Gateway?
MuleSoft Anypoint Flex Gateway is a lightweight, ultrafast API Gateway that simplifies the process of building, securing, and managing APIs in the cloud. It removes the burden of API protection, enabling organizations to focus on delivering exceptional digital experiences. Built on the Anypoint Platform, Flex Gateway provides comprehensive API management and governance capabilities for APIs exposed in the cloud.
Anypoint Flex Gateway offers robust security features, including authentication, authorization, and encryption, to safeguard sensitive data. It empowers you with granular traffic management, enabling control over API traffic flow and the enforcement of rate limiting policies to maintain service availability. Moreover, Flex Gateway works with API Manager, MuleSoft’s centralized cloud-based API control plane, to deliver valuable analytics and insights into API usage, facilitating data-driven decisions and the optimization of API strategies. Flex Gateway and API Manager are key parts of MuleSoft’s universal API Management capabilities to discover, build, govern, protect, manage and engage with any API.
In conclusion, MuleSoft Anypoint Flex Gateway is an essential resource for organizations seeking to seamlessly integrate and secure their APIs with Heroku and manage them effectively in a Heroku Private Space. Heroku’s fully managed service, combined with robust security, traffic management, and analytics capabilities, empowers businesses to confidently embrace the cloud and deliver exceptional API experiences to their users.
Setting up Flex Gateway on Heroku
To get started with MuleSoft Anypoint Flex Gateway on Heroku, you will need to:
- Create a Heroku account
- Create an Anypoint Platform account
- Install the Heroku CLI
- Install Docker to register the Flex Gateway
Upon completing these steps, you are now ready to begin the setup process.
The process is described as follows:
- Deploy an API in a Heroku Private Space
- Create an API specification in Anypoint Design Center
- Register the Flex Gateway in Runtime Manager
- Deploy the Flex Gateway to Heroku
- Connect the Private API to the Flex Gateway
Now let’s detail each step so you can learn how to implement this pattern for your enterprise applications.
Deploy an API in a Heroku Private Space
Note: To learn how to create a Heroku Private Space please refer to the documentation, for our example we already have a private space called flex-gateway-west.
Let's take one of our reference applications as our example, which exposes a REST API with OpenAPI support.
Before we deploy the app, we must ensure that it is created as an internal application within the private space.
You can deploy this internal application using the Deploy to Heroku button or the Heroku CLI.
When using the Heroku CLI make sure you set the --internal-routing flag:
heroku create employee-directory-api --space flex-gateway-west --internal-routing
Next, you will proceed to configure the application and any add-ons required. In our example, we need to provision a private database (heroku-postgresql:private-0) and set up an RSA public key for JWT authentication support, but these steps might differ for your application. Consult the reference application’s README for a more detailed guide.
Once you've deployed the app, grab the application URL from the settings page in your Heroku Dashboard. You'll need this for a later step.
Create an API specification in Anypoint Design Center
To link the API with the Flex Gateway, you'll need to create an API specification in Anypoint Platform using the Design Center and then publish it to Anypoint Exchange.
If your API running in Heroku Private Space has an API specification that uses the OpenAPI 3.0 standard, which is supported by Anypoint Platform, you can use it here. If you don’t, you can use Design Center to create one from scratch. To learn more, see the API Designer documentation.
The User Directory reference application offers both JSON and Yaml API specifications for your convenience. Access them in the openapi folder on GitHub.
In Design Center, let’s click on Create > Import from file, and select either the Yaml or JSON file, and then click on Import.
Once you've imported your file, check Design Center to see that your spec file is error-free. You can even use the mocking service to test the API and make sure everything looks good. If there are no problems and it's the right file, go ahead and click on Publish.
Add the finishing touches to your metadata, like API version and LifeCycle State, then click on Publish to Exchange.
Now, with your API specification in hand, let's move on to registering and deploying the Anypoint Flex Gateway to Heroku.
Register the Flex Gateway in Runtime Manager
Before you deploy to Heroku, you need to get the registration.yaml configuration file. To do that, go to the Runtime Manager > Flex Gateways and click Add Gateway. Then select Container > Docker and follow the instructions to set up your gateway locally using Docker. Just follow steps 1 and 2, and that will create the registration.yaml file you need.
Once the command has been executed, you'll see the registration.yaml file. This file is needed on the next step, along with the confirmation of the gateway listed in your Runtime Manager.
Deploy the Flex Gateway to Heroku
Now, let's get the Flex Gateway deployed to Heroku. You can find a reference application for the Heroku Docker Flex Gateway on GitHub. There, you have two options: use the Deploy to Heroku button for a quick and easy deployment, or follow the detailed Manual Deployment instructions in the README using the Heroku CLI. Just ensure you're setting up the Flex Gateway in the same Private Space as the internal API you deployed in earlier steps.
For our example, we will use the Heroku CLI, naming our Flex Gateway api-ingress-west and deploying to the flex-gateway-west private space.
git clone https://github.com/heroku-reference-apps/heroku-docker-flex-gateway/
cd heroku-docker-flex-gateway
heroku create api-ingress-west --space flex-gateway-west
heroku config:set FLEX_CONFIG="$(cat registration.yaml)" -a api-ingress-west
heroku config:set FLEX_DYNAMIC_PORT_ENABLE=true -a api-ingress-west
heroku config:set FLEX_DYNAMIC_PORT_ENVAR=PORT -a api-ingress-west
heroku config:set FLEX_DYNAMIC_PORT_VALUE=8081 -a api-ingress-west
heroku config:set FLEX_CONNECTION_IDLE_TIMEOUT_SECONDS=60 -a api-ingress-west
heroku config:set FLEX_STREAM_IDLE_TIMEOUT_SECONDS=300 -a api-ingress-west
heroku config:set FLEX_METRIC_ADDR=tcp://127.0.0.1:2000 -a api-ingress-west
heroku config:set FLEX_SERVICE_ENVOY_DRAIN_TIME=30 -a api-ingress-west
heroku config:set FLEX_SERVICE_ENVOY_CONCURRENCY=1 -a api-ingress-west
heroku stack:set container
git push heroku main
You’ll see your Heroku apps deployed to the Private Space, after a minute or so you should also see the Flex Gateway as connected in Runtime Manager.
Make sure to grab the api-ingress-west URL under settings like we did with the API, we will need this URL to test things out.
And that’s how you deploy the Flex Gateway to Heroku, now let’s connect our internal API and test it.
Connect the Private API to the Flex Gateway
Now, the final step is connecting the Private API with Flex Gateway, for this you will go to Anypoint API Manager and click on Add API.
Then, select the API from Exchange and click on Next.
Let's leave the API Downstream default options as they are and move on to setting up the Upstream. Remember the application URL from our initial step? That URL will serve as our Upstream URL (using http and no trailing /).
If everything looks good, go ahead and click on Save & Deploy.
As the API is not directly accessible due to internal routing, calling it directly will result in a timeout. However, by calling it through the Flex Gateway, you should be able to retrieve the expected response.
Let's proceed with a GET request to /directory through the Flex Gateway URL.
Or you can view the User Directory OpenAPI documentation from our reference app directly on a web browser by using the same URL.
Congratulations, you've successfully exposed an internal API deployed in Heroku Private Spaces to the outside world through the Anypoint Flex Gateway running on Heroku. Now you can take full advantage of Anypoint API Manager's capabilities, including API-Level policies.
Securing your API with Anypoint Flex Gateway
A common pattern for API authentication is using Client ID Enforcement. You can avoid coding your own solution by utilizing the API Manager to apply policies to your API. In this example, we'll implement Client ID enforcement to secure the API.
To begin, let's establish an application within Anypoint Platform that will enable us to access the API. Navigate to Exchange, select your API, and in the top right corner, click on Request access.
Then, pick the API instance where your API is deployed, and select an application to grant access to. If you don’t have one, you can create a new application here and click on Request access to obtain the Client and Client Secret credentials.
Upon your application's approval, you'll receive the Client ID and Client Secret. These credentials will be needed for accessing our newly secured API, so be sure to keep them at hand.
Next, navigate to API Manager, choose the API, and click on Policies in the left menu. Click on Add policy, then select Client ID Enforcement and proceed to Next.
Leave the default configuration for the Client ID Enforcement policy and then click on Apply.
Now that the policy is active, let’s try again a new GET request to the /directory API through the Flex Gateway URL.
Because we're enforcing the Client ID, we must include it in the request. Let's purposely use an incorrect one to witness the authentication attempt failure.
And finally, let's get the right Client ID and Client Secret in place to test the authentication.
This is just one simple but powerful example of one of many policies that you can apply on the API Manager.
What’s next?
In our next blog post, we'll delve into the various policies you can employ to improve your API with additional authentication, rate limiting, IP allowlist/blocklist measures, and more. We'll also show you how to register your API as an External MuleSoft service in Salesforce, ready to be called from Flow and Apex.
Strategic Collaboration for our Customers
The Heroku Customer Solutions Architecture (CSA) team, in collaboration with MuleSoft Engineers, played a pivotal role in this Salesforce multi-cloud integration scenario, they listened to customers and got involved in understanding requirements and technical constraints to propose a preliminary proof-of-concept and a series of incremental changes to achieve a perfect match between Heroku and MuleSoft Flex Gateway.
Heroku Enterprise customers with Premier or Signature Success Plans can request in-depth guidance on this topic from the CSA team. Learn more about Expert Coaching Sessions here or contact your Salesforce account executive.
Learning Resources
- Anypoint Flex Gateway Overview
- Anypoint API Manager documentation
- API Management with MuleSoft Demo series
- Heroku Private Spaces documentation
Authors
Julián Duque
Julián is a Principal Developer Advocate at Heroku, with a strong focus on community, education, Node.js, and JavaScript. He loves sharing knowledge and empowering others to become better developers.
Parvez Mohamed
Parvez Syed Mohamed is a seasoned product management leader with over 15 years of experience in Cloud Technologies. Currently, as Director of Product Management at MuleSoft/Salesforce, he drives innovation and growth in API protection.
Andrea Bernicchia
Andrea Bernicchia is a Senior Customer Solutions Architect at Heroku. He enjoys engaging with Heroku customers to provide solutions for software integrations, architecture patterns, best practices and performance tuning to optimize applications running on Heroku.