Apigee for wizard¶

You can connect the Wallarm Edge node to Apigee API Management to inspect traffic in either synchronous or asynchronous mode - without blocking any requests.

Follow the steps below to set up the connection.

1. Create a key value map in Apigee

Define the WallarmConfig key value map (KVM) to store Wallarm connector configuration:

Create the WallarmConfig KVM at the environment level using the following Apigee API call:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "WallarmConfig",
    "encrypted": true
  }' \
  "https://apigee.googleapis.com/v1/organizations/<APIGEE_ORG_ID>/environments/\
  <APIGEE_ENV>/keyvaluemaps"

<APIGEE_ORG_ID> - the Google Cloud project name, <APIGEE_ENV> - the Apigee environment.

Add the node_url entry with the full domain name of your Wallarm Node including protocol (e.g., https://wallarm-node-instance.com) to the WallarmConfig KVM using the following Apigee API call:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "node_url",
    "value": "<WALLARM_NODE_URL>"
  }' \
  "https://apigee.googleapis.com/v1/organizations/<APIGEE_ORG_ID>/environments/\
  <APIGEE_ENV>/keyvaluemaps/WallarmConfig/entries"

2. Deploy Wallarm shared flows

Each traffic analysis mode (synchronous or asynchronous) requires 2 shared flows: one for requests and one for responses.

Download the provided code bundle for your platform.
In Google Cloud Console → Proxy development → Shared flows, Upload bundle from Wallarm-Inline-Request-Flow.zip for synchronous mode or from Wallarm-OOB-Request-Flow.zip for asynchronous mode.
Deploy the uploaded flow.
In the same section, upload the corresponding response flow archive (Wallarm-Inline-Response-Flow.zip or Wallarm-OOB-Response-Flow.zip).
Deploy the response shared flow.

3. Apply shared flows to your APIs

You can apply the Wallarm shared flows globally to all API proxies in an environment, or attach them only to specific API proxies.

To enable the connector for all proxies in an environment, attach the Wallarm flows as flow hooks:

Proceed to Google Cloud Console → Management → Environments → select your environment → Flow hooks.
Assign the deployed Wallarm flows:
- Pre-proxy → Wallarm-Sync-Request-Flow for synchronous mode or Wallarm-Async-Request-Flow for asynchronous mode.
- Post-proxy → Wallarm-Sync-Response-Flow for synchronous mode or Wallarm-Async-Response-Flow for asynchronous mode.

To attach the Wallarm shared flows only to specific API proxies, use the Flow Callout policies:

Proceed to Google Cloud Console → Proxy development → API proxies → select the API proxy to protect → Policies → Add policy.
Create the request policy:
- Policy type: Flow Callout
- Name and Display name: FC-Wallarm-Node-Request
- Sharedflow: Wallarm-Sync-Request-Flow for synchronous mode or Wallarm-Async-Request-Flow for asynchronous mode
Create the response policy:
- Policy type: Flow Callout
- Name and Display name: FC-Wallarm-Node-Response
- Sharedflow: Wallarm-Sync-Response-Flow for synchronous mode or Wallarm-Async-Response-Flow for asynchronous mode
Attach the policies to the proxy flows:
- Request → PreFlow → select FC-Wallarm-Node-Request
- Response → PostFlow → select FC-Wallarm-Node-Response
Add FC-Wallarm-Node-Response with <AlwaysEnforce>true</AlwaysEnforce> to the default fault rule of your proxy.

When a proxy returns 4xx/5xx, Apigee skips the PostFlow by default. Adding the policy to the fault rule ensures the response is still sent to the Wallarm Node.
```
...
  <FaultRules/>
  <DefaultFaultRule name="DefaultFaultRule">
    <AlwaysEnforce>true</AlwaysEnforce>
    <Step>
      <Name>FC-Wallarm-Node-Response</Name>
    </Step>
  </DefaultFaultRule>
...
```
Save and Deploy a new API proxy revision.

More details