Deployment steps
Deploy App & API Protector Hybrid Reverse Proxy on Amazon Web Services (AWS) with Amazon Machine Image (AMI).
These instructions will guide you through provisioning the App & API Protector Hybrid Reverse Proxy from AWS Marketplace, configuring it for your environment, and securing it for production use.
Akamai supports the standard deployment approach using the AWS Console and a pre-built AMI. This method provides a consistent, tested image of the reverse proxy VM, and automates configuration through the dashboard and secrets vault.
If you prefer to automate the provisioning with infrastructure-as-code tools (for example, Terraform), or configure software using Chef or Ansible, you may adapt the workflow to your own tooling.
High-level setup steps
- Manage user access in Akamai Control Center.
- Create a Connection Configuration in Akamai Control Center.
- Provision the generated token in AWS Secrets Manager.
- Prepare your environment for the App & API Protector Hybrid Reverse Proxy AMI deployment.
- Deploy App & API Protector Hybrid Reverse Proxy using the provided AMI.
- Validate the deployment.
Provision the token in AWS Secrets Manager
Use AWS Secrets Manager to securely store the registration token required by the App & API Protector Hybrid reverse proxy VM instances.
Tokens are automatically generated upon the creation of a new Connection Configuration in Akamai Control Center. To copy the existing token:
- Go to Akamai Control Center and log in with your username and password.
- Go to ☰ > WEB & DATA CENTER SECURITY > App & API Protector Hybrid > Connection Configurations.
- Go to the selected Connection Configuration view and click Manage tokens.
- In the Token management modal, copy the newest active token. You’ll need it to create a secret in AWS Secrets Manager, and to authorize and authenticate Protector instances in your environment.
To store the token as a secret:
- Go to the AWS Secrets Manager Console to create a secret that stores your token. This secret will be used in later steps when configuring the reverse proxy EC2 instances. After you open the AWS Secrets Manager Console, click Store a new secret.
- Choose Other type of secret.
- In Key/value pairs, select Plaintext and enter the token.
- Click Next.
- Create the name for your secret. You can use your own name or follow the default naming convention. The secret name and the tag value must align with the values you will define in the User data section. This ensures that the system can automatically retrieve the correct secret during deployment.
- Tag key: username.
- Tag value: enter the value you’ll use for the User data section while creating the reverse proxy EC2 instances, for example, jsmith.
All secrets required by Protector (including tokens, TLS certificates, and mTLS keys) must be stored in the same AWS Region as your reverse proxy deployment. When creating these secrets in AWS Secrets Manager, apply the same tag key-value pair to each of them (for example, username:<value>). This ensures that the App & API Protector Hybrid Reverse Proxy AMI can retrieve the correct secrets during deployment.
- Store TLS certificates, mTLS keys, and any other sensitive secrets required for secure reverse proxy communication in AWS Secrets Manager.
- Click Store.
Environment setup
This section guides you through preparing your environment with a Network Load Balancer, an Application Load Balancer, and your origin application target group, so that it is ready to support the App & API Protector Hybrid Reverse Proxy deployment.
Step 1. Create a VPC and a subnet configuration
Follow the AWS documentation to create a virtual private cloud (VPC) and configure the required subnets. The App & API Protector Hybrid Reverse Proxy AMI requires placement in a VPC with appropriate subnet settings. Ensure that your VPC includes:
- An internet gateway attached to the VPC.
- A route table configured to direct the Internet-bound traffic to the internet gateway.
Step 2. Create a security group for your VPC
Create a security group to control network access to Protector instances. A security group acts as a virtual firewall at the instance level, allowing you to define which connections are permitted. See the AWS documentation for detailed instructions.
Step 3. Launch EC2 instances for your origin application.
- From the Amazon EC2 Console, select Launch instance.
- Under Application and OS Images (AMI) select the AMI for your origin application.
- Choose the appropriate instance type (for example, t3.medium).
- Create or use an existing key pair to access the instance.
- In Network settings, place the instances in the VPC you created and assign them to the security group you’ve created for your VPC.
- Configure key pairs, storage, and IAM roles as needed.
- Choose the number of instances you want to run and launch them.
Step 4. Create a target group for the origin application.
- In the Amazon EC2 Console, under Load Balancing, choose Target Groups > Create target group.
- Set Target type to Instances.
- Select the protocol your origin application listens on (for example, HTTP: 80).
- Associate the target group with the VPC you created.
- Register EC2 instances with the target group:
- Open the new target group, then choose Targets > Edit.
- Select the EC2 instances you’ve just launched.
- Choose Include as pending below, then Save.
- Confirm that the instances appear in the target group and health checks begin running.
Your origin application is now deployed. The target group will be later used by the Application Load Balancer in your architecture.
Step 5. Create an internal Application Load Balancer (ALB)
In the Amazon EC2 Console, create an ALB and assign it to the appropriate VPC (it can be the VPC you’ve created in Step 1). The ALB will receive traffic forwarded from the reverse proxy.
- Choose the IPv4 address type to assign to the ALB.
- Select both Availability Zones in the Network mapping section.
- Select the security group that you’ve created for your VPC.
- In the Listeners and routing section > routing action, select the target group that you’ve created for your origin application EC2 instances.
See AWS documentation for more details.
Step 6. Configure the Network Load Balancer (NLB).
Configure your VPC so that it contains an Internet-facing Network Load Balancer:
- The Network Load Balancer must route to the target group that contains the ALB.
- Define routing policies for inbound traffic.
- Add a listener to the NLB: select the TCP protocol and enter port 80. By default, the NLB must point to the ALB.
- Click Add listener.
- After you add a listener to the NLB, copy the DNS name from the NLB details and check if it points to your origin application target group. In this way, you ensure that the Network Load Balancer correctly forwards traffic to the origin and confirm that your environment is ready for deploying the App & API Protector Hybrid Reverse Proxy AMI.

Deploy Protector using the provided AMI
Step 1. Launch Protector EC2 instances.
Using the pre-built AMI, launch Protector EC2 instances in the target VPC and subnets:
- From the Amazon EC2 Console, select Launch instance.
- In the Launch an instance page, enter the instance details:
- In the Name and tags field, type a descriptive name for your instance.
- Under Application and OS Images, select Browse more AMIs.
- Go to the AWS Marketplace AMIs tab and enter App & API Protector Hybrid [BYOL] in the search box.
- From the results, select the App & API Protector Hybrid [BYOL], then click Subscribe now.
- Review the subscription terms and confirm.
- After you subscribe, the AMI will appear back in the Application and OS Images section.
- Choose an instance type:
- Under Instance type, open the dropdown menu.
- Select t2.medium.
- Configure the key pair:
- Under Key pair (login), select an existing key pair.
- If you don’t have one, choose Create new key pair, download the private key file, and then select it here.
- Configure the Network settings:
- Click Edit.
- Select the relevant VPC.
- Select the desired Subnet.
- Optional: Auto-assign the public IP. The App & API Protector Hybrid AMI does not require a public IP address or SSH key pair to deploy or register. You can enable a public IP or attach an SSH key pair if you need direct SSH access to the instance for troubleshooting. Otherwise, these settings can remain disabled according to your organization’s practices.
- For Firewall (security groups), choose Select existing security group.
- From Common security groups, select the security group relevant for your VPC.
- In Configure storage, keep the default settings unless you have specific storage requirements.
- Configure Advanced details:
- Expand the Advanced details section.
- In the IAM instance profile dropdown, select the IAM role you want to assign (for example, aaph-secrets-manager-role). The role must include permissions to access AWS Secrets Manager so the instance can retrieve the registration token and certificates.
- Add User data to the instance. The script below rewrites /opt/akamai/aaph/aaph-platform-mgr/default.env, which tells the instance where and how to find its secrets:
- Adjust the region: set AWS_REGION to the Region where you created your secrets.
- Leave the AWS_TAG_KEY=username line as it is.
- Replace <YOUR-USERNAME-VALUE> with the tag value you specified when creating your registration token secret in Secrets Manager (for example, jsmith).
#!/bin/bash
# Region that holds the secrets; must match the Region of the secrets you created.
sed -i 's/^AWS_REGION=.*/AWS_REGION=ap-south-1/' /opt/akamai/aaph/aaph-platform-mgr/default.env
# Tag key/value the instance uses to select its secrets; leave the key as username.
sed -i 's/^AWS_TAG_KEY=.*/AWS_TAG_KEY=username/' /opt/akamai/aaph/aaph-platform-mgr/default.env
sed -i 's/^AWS_TAG_VALUE=.*/AWS_TAG_VALUE=<YOUR-USERNAME-VALUE>/' /opt/akamai/aaph/aaph-platform-mgr/default.env
# Names of the secrets to read instead of the defaults listed below.
echo >> /opt/akamai/aaph/aaph-platform-mgr/default.env
echo "LISTENER_CRT_FILE=aaph-<YOUR-USERNAME-VALUE>-listenerCrt" >> /opt/akamai/aaph/aaph-platform-mgr/default.env
echo "LISTENER_KEY_FILE=aaph-<YOUR-USERNAME-VALUE>-listenerKey" >> /opt/akamai/aaph/aaph-platform-mgr/default.env
echo "REGISTRATION_TOKEN_FILE=<YOUR-USERNAME-VALUE>-registration-token" >> /opt/akamai/aaph/aaph-platform-mgr/default.env
Default secret names
Here’s the list of default secrets that will be monitored without user data:
| Secret | Supported value | Purpose | Tag key | Tag value | Region |
|---|---|---|---|---|---|
| aaph-registrationToken | Direct Plaintext Value | This secret stores the registration token used to register Protector with Akamai services. | aaph-rp | aaph-rp-secrets | us-east-1 |
| aaph-listenerCrt | Direct Plaintext Value | TLS server certificate for the reverse proxy listener. | aaph-rp | aaph-rp-secrets | us-east-1 |
| aaph-listenerKey | Direct Plaintext Value | TLS server certificate key for the reverse proxy listener. | aaph-rp | aaph-rp-secrets | us-east-1 |
| aaph-listenerCA | Direct Plaintext Value | CA certificate for enabling mTLS on the reverse proxy listener. | aaph-rp | aaph-rp-secrets | us-east-1 |
| aaph-upstreamCrt | Direct Plaintext Value | TLS client certificate for the reverse proxy to connect to an upstream service that requires mTLS. | aaph-rp | aaph-rp-secrets | us-east-1 |
| aaph-upstreamKey | Direct Plaintext Value | TLS client certificate key for the reverse proxy to connect to an upstream service that requires mTLS. | aaph-rp | aaph-rp-secrets | us-east-1 |
| aaph-upstreamCA | Direct Plaintext Value | This secret contains the CA certificate used to trust the upstream server certificate signed by the enterprise/private CA. | aaph-rp | aaph-rp-secrets | us-east-1 |
- Review and launch:
- Under Summary, set the Number of instances.
- Review all settings.
- Select Launch instance. A confirmation banner will appear at the top of the page.
- Choose View all instances to be redirected to the Instances page in the EC2 Console.
- In the search bar above the table, type the name you’ve assigned to the instances.
- Confirm that your new instances appear in the table and that their status progresses from Initializing to Running.
For more information, go to Launch an Amazon EC2 instance.
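The secrets section and the user data above together define one contract: every secret the instance will look for must exist under the name written to default.env, in AWS_REGION, and carry the AWS_TAG_KEY/AWS_TAG_VALUE tag. The following pre-flight check for that contract is an added example, not Akamai's code: the default.env text and the secret inventory are constructed, and the Region field is an assumption you would fill in from the Region of the client that listed each secret, since list_secrets() does not return it.

```python
# Constructed default.env as it looks after this page's user data ran with jsmith.
SAMPLE_ENV = """AWS_REGION=ap-south-1
AWS_TAG_KEY=username
AWS_TAG_VALUE=jsmith
LISTENER_CRT_FILE=aaph-jsmith-listenerCrt
LISTENER_KEY_FILE=aaph-jsmith-listenerKey
REGISTRATION_TOKEN_FILE=jsmith-registration-token
"""
def secret(name, region, key="username", value="jsmith"):
    # Constructed entry shaped like a list_secrets() item plus the Region it was queried in.
    return {"Name": name, "Region": region, "Tags": [{"Key": key, "Value": value}]}

SAMPLE_SECRETS = [secret("jsmith-registration-token", "ap-south-1"),
                  secret("aaph-jsmith-listenerCrt", "ap-south-1"),
                  secret("aaph-jsmith-listenerKey", "us-east-1")]  # wrong Region

# default.env keys that name secrets, with the page's default names (tag aaph-rp=
# aaph-rp-secrets in us-east-1) used when no user data overrides them.
ENV_KEYS = {"REGISTRATION_TOKEN_FILE": "aaph-registrationToken",
            "LISTENER_CRT_FILE": "aaph-listenerCrt",
            "LISTENER_KEY_FILE": "aaph-listenerKey"}

def parse_env(text):
    """Parse KEY=VALUE lines from default.env; blank lines and comments are skipped."""
    env = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def check_secrets(env, secrets):
    """Return the problems found; an empty list means every secret can be fetched."""
    region = env.get("AWS_REGION", "us-east-1")
    tag_key, tag_value = env.get("AWS_TAG_KEY", "aaph-rp"), env.get("AWS_TAG_VALUE", "aaph-rp-secrets")
    problems = []
    if "<" in tag_value:  # <YOUR-USERNAME-VALUE> placeholder was never replaced
        problems.append(f"AWS_TAG_VALUE still holds the placeholder {tag_value}")
    by_name = {s["Name"]: s for s in secrets}
    for env_key, default in ENV_KEYS.items():
        name = env.get(env_key, default)
        found = by_name.get(name)
        if found is None:
            problems.append(f"{env_key}: secret {name} not found")
            continue
        if found["Region"] != region:
            problems.append(f"{env_key}: {name} is in {found['Region']}, expected {region}")
        if {t["Key"]: t["Value"] for t in found["Tags"]}.get(tag_key) != tag_value:
            problems.append(f"{env_key}: {name} lacks tag {tag_key}={tag_value}")
    return problems
```

Running check_secrets(parse_env(SAMPLE_ENV), SAMPLE_SECRETS) flags only the listener key that was created in us-east-1 instead of ap-south-1; with no user data, the page's default names, tag and Region are what must match.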
Step 2. Create a target group for Protector EC2 instances.
- In the Amazon EC2 Console, under Load Balancing, choose Target Groups > Create target group.
- Set Target type to Instances.
- Select the TCP protocol your reverse proxy VM listens on. This cannot be modified after creation.
- Ensure that the reverse proxy VM instances listen on the port defined in the Application Load Balancer target group.
- Associate the target group with the VPC that you’ve created.
- Register reverse proxy EC2 instances with the target group.
- Open the new target group, then choose Targets > Edit.
- Select the reverse proxy EC2 instances you’ve just launched.
- Choose Include as pending below, then Save.
- Confirm that the Protector EC2 instances appear in the target group and health checks begin running (the health status should include the number of instances you’ve registered).
You have now deployed the Protector EC2 instances as part of your infrastructure.

Step 3. Switch the Network Load Balancer routing.
Update the External Load Balancer configuration to route traffic to the App & API Protector Hybrid reverse proxy target group instead of the origin target group:
- In the Amazon EC2 Console, choose Load Balancers.
- Go to the Listeners tab of the selected Network Load Balancer.
- Edit the listener.
- In the Default action section, change the target from the origin target group to the reverse proxy target group. The Network Load Balancer will now route traffic to the reverse proxy target group.
Step 4. Update the Target Host/IP address and listening ports in Akamai Control Center.
Go to Akamai Control Center > App & API Protector Hybrid Connection Configurations and update your Connection Configuration:
- Target hostname/IP - copy the DNS hostname and listening ports from the ALB target group page in your AWS Console and paste them into your Connection Configuration’s page.
Step 5. Validate the connection.
After deploying the VM instances, perform the following validation steps:
- From each instance, verify network connectivity to the Application Load Balancer.
- Confirm that the origin application is reachable through the Application Load Balancer.
- Ensure that each instance can establish communication with Akamai systems.
- Verify that all deployed instances are successfully registered in the App & API Protector Hybrid Connection Configuration dashboard. To do that, go to the Akamai Control Center > ☰ > WEB & DATA CENTER SECURITY > App & API Protector Hybrid > Connection Configurations. Select a configuration and check if the instance ID matches the one produced in the command output. Its health status should be “Good”.
