Monitor Protector instances
A Protector instance is a single running copy of the Protector software on your infrastructure. Depending on your deployment environment, Protector instances can run as sidecars in Kubernetes-based deployments, or as virtual machine instances created from a reverse proxy AMI or OVA image.
In the App & API Protector Hybrid Connection Configurations page, you can monitor the instances running for a given Connection Configuration at a given moment in time. To do that:
- Visit Akamai Control Center and log in.
- Go to ☰ > WEB & DATA CENTER SECURITY > App & API Protector Hybrid > Connection Configurations.
- Select a Connection Configuration you want to investigate and expand its detailed view.
- Go to the Instances tab.
The list of instances shows the total number of Protector instances present at the time of generating the Connection Configuration view. For each instance you can see the following details:
- Instance ID. A unique number assigned to an instance.
- Status. An indication of whether App & API Protector Hybrid can process heartbeat requests from a given Protector instance and whether your application protections are enabled. There are three possible statuses:
  - Good. App & API Protector Hybrid is successfully processing heartbeat requests from a Protector instance and your applications are protected.
  - Warning. App & API Protector Hybrid is receiving heartbeat requests from a Protector instance, but protections are disabled. In this case it’s best to check the Activity log of a Connection Configuration to see what’s happening. You can also check your network connectivity.
  - Problem. App & API Protector Hybrid is not receiving heartbeat requests, or the outbound traffic (from the reverse proxy to an application load balancer or your origin application) may not be routing correctly. Your protections are off. Network problems or service unavailability could be responsible. Go to the Activity log to examine what might be the problem, and check for connectivity issues.
- Protector version. All instances should have the same software version installed. If your Protector instances are using an outdated software version, App & API Protector Hybrid will not be able to push the latest protection rules. The current support policy includes the last 3 software versions.
  The only exception to instances having the same software version is when you use the same registration token for two Kubernetes clusters. In that case the software version may differ, though we do recommend using two separate tokens for different clusters. If software versions are different for the Protector instances, perform the upgrade.
- Security Configuration version. Your Security Configuration version defines the set of rules, settings, and security policy used by Protector to interpret and manage traffic. Read about the Security Configuration’s versioning.
- Uptime. The time during which a Protector instance is actively running.
- Last seen. A timestamp that reflects when App & API Protector Hybrid last processed heartbeat requests from a given Protector instance.
Expand individual instances to see their details:
- Instance IP. It’s a Protector instance IP address (the address where the reverse proxy receives incoming traffic).
- TLS termination. It indicates if the incoming traffic is encrypted or decrypted. Protector detects if the TLS termination is enabled or disabled at the reverse proxy layer. If TLS is already terminated (for example, in the external load balancer that is in front of the reverse proxy), the traffic reaching the reverse proxy is already unencrypted. In such cases, we report the TLS termination state based on what the reverse proxy observes, not the full end-to-end chain. More on TLS and mTLS support.
- Server certificate expiry date. Indicates the date and time when the TLS certificate presented during the inbound connection to the reverse proxy will expire.
- Target host/IP. IP address or hostname where traffic is sent on its way to the origin application.
- Outbound encryption. Indicates if the traffic from Protector to the origin application is encrypted or not. If TLS encryption is enabled for the outbound traffic, the reverse proxy uses the configured certificate to encrypt traffic.
- Client certificate expiry date. Indicates the date and time when the TLS certificate used for encrypting the outbound traffic from reverse proxy to the next hop (application load balancer or the origin application) will expire. This refers to the certificate configured by you, used by the reverse proxy to establish secure TLS connections during outbound communications.
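The fields above can be checked together in one pass over the fleet. The following is an added example, not Akamai code: the record layout, instance IDs, version strings, and the 30-day and 15-minute thresholds are all assumptions, and the records are constructed sample data (for example, copied by hand from the Instances tab).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names mirror the Instances tab columns;
# the layout is an assumption, not an Akamai export or API format.
INSTANCES = [
    {"id": "i-01", "status": "Good", "version": "2.3.1",
     "last_seen": "2025-03-01T12:00:00Z",
     "server_cert_expiry": "2025-09-01T00:00:00Z",
     "client_cert_expiry": "2025-03-15T00:00:00Z"},
    {"id": "i-02", "status": "Warning", "version": "2.2.0",
     "last_seen": "2025-03-01T11:59:00Z",
     "server_cert_expiry": "2025-09-01T00:00:00Z",
     "client_cert_expiry": None},  # outbound encryption not enabled
    {"id": "i-03", "status": "Problem", "version": "2.3.1",
     "last_seen": "2025-03-01T09:00:00Z",
     "server_cert_expiry": "2025-02-20T00:00:00Z",
     "client_cert_expiry": None},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_version(value):
    # Assumes dotted numeric versions such as "2.3.1".
    return tuple(int(part) for part in value.split("."))

def triage(instances, now, cert_window=timedelta(days=30),
           stale_after=timedelta(minutes=15)):
    """Return sorted (instance id, finding) pairs. Thresholds are assumptions."""
    findings = []
    newest = max((parse_version(i["version"]) for i in instances), default=None)
    for inst in instances:
        iid = inst["id"]
        if inst["status"] != "Good":  # Warning and Problem both mean protections are off
            findings.append((iid, f"status {inst['status']}: protections off"))
        if parse_version(inst["version"]) != newest:
            findings.append((iid, f"version {inst['version']} behind fleet"))
        if now - parse_ts(inst["last_seen"]) > stale_after:
            findings.append((iid, "heartbeat stale"))
        for field in ("server_cert_expiry", "client_cert_expiry"):
            expiry = inst.get(field)
            if expiry is None:  # no certificate configured for this direction
                continue
            left = parse_ts(expiry) - now
            if left <= timedelta(0):
                findings.append((iid, f"{field} expired"))
            elif left <= cert_window:
                findings.append((iid, f"{field} within {cert_window.days} days"))
    return sorted(findings)
```

Instances that share a registration token across two Kubernetes clusters may legitimately differ in version, so run the check per cluster in that case.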
Understand Connection Configuration events
It is crucial that all instances of Protector installed on your infrastructure are running smoothly and that App & API Protector Hybrid is able to process their heartbeat requests. It means that all protections are on, and your applications are secure. Whenever you notice that there’s a problem with one of the instances, go to a given Connection Configuration detailed view and check its Activity log.
The Connection Configuration Activity log captures various events related to the configuration itself, including instance registration or removal, invalid tokens, certificate exchanges, rule updates, and failures in loading rules. You can check the Activity log whenever there’s a problem with any Protector instance running within this Connection Configuration and take action. The Activity log provides records for the past month.
