Boost API Security: 7 Flex Gateway Strategies for Cloud & Hybrid Environments
- September 23, 2025
- Automation
In today’s interconnected digital landscape, APIs are the backbone of seamless data exchange across applications, devices, and services. However, managing APIs across multiple environments—whether on-premises, cloud, or hybrid setups—presents challenges around security, scalability, and performance. This is where Flex Gateway comes in.
Flex Gateway is an ultrafast, lightweight API gateway that acts as a secure layer on top of APIs, helping businesses control traffic, enforce security policies, and monitor performance across diverse environments. With its seamless integration into DevOps pipelines and support for various deployment models, Flex Gateway empowers teams to deliver secure, scalable, and high-performing APIs wherever they are needed.
What is Flex Gateway?
Flex Gateway is an Envoy-based, ultrafast, lightweight API gateway that acts as a secure layer on top of the APIs, and it is designed to manage and secure APIs running anywhere.
Built to integrate with DevOps and CI/CD workflows seamlessly, Flex Gateway delivers the performance required for the most demanding applications and microservices while providing enterprise security and manageability across any environment.
Where is Flex Gateway Required?
Flex Gateway is particularly useful when:
- Working with real-time data, where efficient and reliable data transfer is critical.
- You need secure, high-performance API management, especially in hybrid or multi-cloud environments.
- APIs are outside the MuleSoft ecosystem but still require centralised governance.
- Teams are using DevOps and CI/CD pipelines for automation.
- Flexible deployment is essential to adapt to varying infrastructure needs.
Real-life example of a flex gateway?
Consider a large financial services institution with a complex IT landscape.
They have:
- Legacy systems: running on-premises mainframes handling core banking functions.
- Modern microservices: deployed in a cloud environment like AWS or Azure for mobile banking and online loan applications.
- Third-party APIs: for credit checks and payment processing
Here, Flex Gateway is used for the following purposes.
1. Securing and Managing APIs across Environments:
- Flex Gateway instances are deployed near the legacy systems on-premises to secure and manage APIs exposing data from the mainframes.
- Separate Flex Gateway instances are deployed within the cloud environment to manage and secure the microservices.
- This allows consistent application of security policies (e.g., authentication, authorization, rate limiting) and traffic management rules across all APIs, regardless of their deployment location.
2. Facilitating Real-time Data Exchange:
- When a customer applies for a loan through the mobile app, the request goes through the Flex Gateway in the cloud, which then securely routes it to the relevant microservices.
- These microservices might in turn call APIs exposed by the on-premises legacy systems (managed by another Flex Gateway) to retrieve customer data or initiate a credit check with a third-party service (also potentially managed by Flex Gateway for policy enforcement).
3. Centralized Control and Observability:
- All these distributed Flex Gateway instances are managed centrally from the Anypoint Platform’s API Manager.
- This provides a single pane of glass for monitoring API traffic, enforcing policies, and gaining insights into API performance and usage across the entire hybrid environment.
When to implement?
When you need a high-performance, secure, and flexible way to manage APIs, especially in hybrid or multi-cloud environments.
How is it implemented in MuleSoft?
You can configure the gateway in one of two ways: connected mode by using the Anypoint Platform web user interface, or you can configure the gateway locally to manage APIs in private environments.
1. Connected mode:
Connected mode is used to manage APIs within the Anypoint Platform. We can manage API policies and monitor traffic from the UI.
- Configure Replicas - Anypoint Flex Gateway enables you to create replicas, which are instances of Flex Gateway. By default, Flex Gateway runs as a single replica. Running multiple replicas enables scaling, load balancing, and high availability.
- Configure TLS Context - Flex Gateway enables you to configure a TLS context to support regular TLS and mTLS in both inbound and outbound directions.
- Configure Shared Storage - Flex Gateway enables you to configure shared storage for distributed caching and rate-limiting policies.
- Configure a Forward Proxy - Flex Gateway enables you to configure a forward proxy to route external HTTP connections through a proxy connection.
- Configure with the API Manager API Tool - Flex Gateway enables you to configure and manage Flex Gateway via the API Manager API tool, a command-line tool used to communicate with API Manager.
- Configure a Liveness Check - Flex Gateway enables you to run a liveness check command to test gateway health. Additionally, Flex Gateways deployed on Kubernetes include a liveness probe to restart pods after a specified number of failed checks automatically.
- Configure PROXY Protocol - Flex Gateway supports PROXY protocol to preserve the client IP address when servicing multi-layer connections.
- Automate Flex Gateway with a Jenkins Pipeline using Anypoint CLI - Flex Gateway enables you to build a Jenkins Pipeline by using Anypoint CLI to automate workflows.
- Automate Flex Gateway with a Jenkins Pipeline using the API Manager API - Flex Gateway enables you to build a Jenkins Pipeline by using the API Manager API to automate workflows.
- Configure Distributed Tracing - Flex Gateway enables you to configure distributed tracing for your APIs.
2. Local mode:
Local mode enables the management of APIs in a private environment that runs independently. Configurations are applied via YAML files. This is non-UI-based management.
- Configure Replicas – Anypoint Flex Gateway enables you to create replicas, which are instances of Flex Gateway. By default, Flex Gateway runs as a single replica. Running multiple replicas enables scaling, load balancing, and high availability.
- Configure TLS Context – Flex Gateway enables you to configure a TLS context to support regular TLS and mTLS in both inbound and outbound directions.
- Configure Shared Storage – Flex Gateway enables you to configure shared storage for distributed caching and rate-limiting policies.
- Configure a Forward Proxy - Flex Gateway enables you to configure a forward proxy to route external HTTP connections through a proxy connection.
- Configure a Liveness Check – Flex Gateway enables you to run a liveness check command to test gateway health. Additionally, Flex Gateways deployed on Kubernetes include a liveness probe to restart pods after a specified number of failed checks automatically.
- Configure PROXY Protocol – Flex Gateway supports PROXY protocol to preserve the client IP address when servicing multi-layer connections.
- Configure Distributed Tracing – Flex Gateway enables you to configure distributed tracing for your APIs.
Flex Gateway deployment types or styles:
1. Managed Flex Gateway
The managed model facilitates application deployment on CloudHub 2.0, with MuleSoft handling infrastructure, scaling, and patching. Teams that want low ops overhead and fast setup opt for the Managed model.
2. Self-managed Flex Gateway
The self-managed model facilitates the deployment of applications on Docker, Linux, and other operating systems. We will have complete control over handling infrastructure, scaling, and patching, among other aspects.
What deployment models use Flex Gateway?
Flex Gateway supports multiple deployment models, which apply to both Connected Mode and Local Mode:
1. Standalone Deployment
In a standalone deployment, Flex Gateway acts as a standalone service that protects one or more integration API flows by managing internal traffic.

As the above diagram shows, all traffic is inside an organisation-owned network. The traffic passes through Flex Gateway before reaching the consumer APIs.
2. Ingress Deployment
Like a standalone deployment, in an ingress deployment, Flex Gateway acts as a standalone service that protects one or more integration API flows. However, in an ingress deployment, Flex Gateway manages external traffic entering the internal network. Ingress deployment is the most common deployment model.
Flex Gateway can act as both an ingress and an egress gateway.

As the above diagram shows, all external traffic passes through Flex Gateway before reaching the consumer APIs. Flex Gateway is typically deployed behind a load balancer, and the consumer application does not belong to the same network as Flex Gateway or the APIs.
3. Egress Deployment
An egress deployment is the opposite of an ingress deployment. Flex Gateway still acts as a standalone service that protects one or more integration API flows. However, in an egress deployment, Flex Gateway manages internal traffic exiting the internal network, for example, API requests to non-organisation-owned APIs.
Flex Gateway can act as both an ingress and an egress gateway.

As the following diagram shows, all internal traffic from the consumer application passes through Flex Gateway before reaching the external APIs.
4. Sidecar Deployment
In a sidecar deployment, each Flex Gateway deployment only protects the APIs exposed by its protected service. A new Flex Gateway replica is added with each new protected service.

As the following diagram shows, traffic in a sidecar deployment passes through Flex Gateway to the respective consumer API. The consumer application can belong to the same network as Flex Gateway or an external network.
Note: Flex Gateway can be applied not only to MuleSoft but also to other applications developed with Java, .NET, Python, etc.
Flex Gateway Implementation in MuleSoft Anypoint Platform
1. Configuring Flex Gateway in Connected Mode:
▪ connected mode: This mode can be implemented in the Anypoint Platform.
Anypoint Platform
↓
Control plane
↓
Runtime Manager & API Manager
▪ connected mode has three types of configurations to create a flex gateway
A). OAuth Token
B). Connected App
C). Platform credentials
▪ Benefits of connected mode:
1. Flexible
2. Control
1(A). Flex Gateway in connected mode using token:
Details: * Deployment on Docker
* Connected Mode – OAuth Token
* Single Replica
* Add external non-Mule API
* Securing API with Client ID Enforcement Policy
STEPS:
Step 1: First, open the Anypoint platform

Step 2: Go to Runtime Manager and select Flex Gateway

Step 3: For the trial version, the Managed Flex Gateway was not available.
Select the option under the Managed Flex Gateway tab.

After selecting that option, you will find options available in the opened tab, as shown in the image below. Select the container option and then choose Docker.

After selecting Docker, we can see the steps to follow to create the Flex Gateway.

Before starting the setup, you need to download and install Docker Desktop.

After installing Docker, navigate to the Docker directory under Program Files. Select the directory, then go inside and choose Docker. Inside Docker, you’ll find another Docker directory; select that one.

Step 8: Select Docker Desktop as shown in the above image.

Now we can proceed with the steps that we have seen in the Anypoint platform. So, in the ‘C’ drive, create a folder for Flex Gateway, and inside that, create another folder for connected mode.

Step 10: Inside that connected mode folder, open the command prompt

Step 11: Now, copy the first command for the Anypoint platform > Runtime Manager > Flex Gateway > Container > Docker.

Step 12: After copying the command, paste it into the command prompt.

Now, we can use the latest Docker image that has been downloaded in Docker Desktop.

Step 14: Next, copy the second command from the platform, paste it into Notepad, and make the changes mentioned below.

- Remove the spaces and slashes in the command.
- In the place of “$(pwd)”, add the path where you have created the folder for the Flex Gateway.
- And in the place of <gateway-name>, add the name of your flex gateway (add your own name).

Step 15: Ensure all changes are made correctly, referring to the image above.
After the changes, paste the command into the command prompt.

After running this command, you will see a message indicating that we have successfully registered a gateway. 
To make the created Flex Gateway operational, we need to run the Flex Gateway. To do this, we copy the command from the platform.

For the above command, make the following changes.
- Remove the spaces and slashes in the command.
- In the place of “$(pwd)”, add the path where you have created the folder for the Flex Gateway.

Step 20: Now paste the modified command in the command prompt. 
Step 21: After running that command, we can find this message at the end in the command prompt (which means the Flex Gateway was created and is up and running). 
Also, you can see the Flex Gateway running on your platform
The flex gateway has been created, and we can now add the external API under it
To add an external (non-Mule) API, open the Flex Gateway you created and follow these steps.

After opening the Flex Gateway, we see three options on the left side of the page under the environment. We select “APIs”.

After selecting APIs, we can click on the “Add API” tab and open it.
As shown in the image above, select Runtime Flex Gateway, scroll down a bit, and you’ll find the Flex Gateway option. 
After selecting the flex gateway, the page does not end. You can find an option called “Next” at the bottom right; click on that. 
After clicking on “Next,” you can see the image below.
Select “Create New API” and provide a name for the asset, along with the asset type (Rest, HTTP, SOAP), as per your non-Mule application. After that, click on “Next”
Now, on the next page, it will appear like the image below. 
As shown in the image above, select the protocol, add the port and base path, and then click “Next”.
After clicking “Next,” you will be able to see the page below.
Step 32: As mentioned in the above image, add the URL of the external API and click on “Next”.
Step 33: After moving to the next page, verify all the details and click on the “save & deploy” option.
Now, the next page will appear like the image below, which shows that the non-mule API was added to the API-Manager and published to the exchange.

For the non-Mule application added above, we can add policies in API Manager and create client IDs and client secrets in Exchange for rate limiting, Client ID Enforcement, and other policies.
Here, I have added the Client ID Enforcement policy.
Next, go to Exchange and generate the client ID and client secret for the API based on the API Instance ID.
Now that we have added the policy, we can test the API using the URL mentioned below.
URL: http://localhost:8081/api33/api/2
The above URL indicates that the deployed application is running on localhost and the port specified in the command, which is also used when adding an API in Flex Gateway, along with the base path provided during API addition in Flex Gateway.
Step 39: The remaining path is the path of the external API (non-Mule API).
Step 40: By using the above URL, we can test the application from Postman.
If we do not pass any authentication, we will receive an error for the external API.
This is the process for creating a flex gateway using connected mode, configuring with a Token, adding external APIs to it, and applying policies on those APIs
Note: We can also add Mule APIs under the same Flex Gateway. For that, we need to select the APIs from Exchange. This option is available in “step 28” (Select API from Exchange). Then we need to add the CloudHub URL of the Mule application in “step 31”. The rest of the process remains the same as for a non-Mule application.
1(B). Flex Gateway in connected mode using Connected App:
Details: * Deployment on Docker
* Connected Mode – Connected App
* Single Replica
* Add external non-Mule API
* Securing API with Client ID Enforcement Policy
STEPS:
Step 1: Open Anypoint Platform and go to Access Management. 
After going to Access Management, select the connected apps. 
Step 3: After selecting the connected apps, click on Create App and try to create a new app. 
After clicking on “Create App,” add the app’s name and select “App acts on its own behalf (client creds)” as the app type, as shown below. 
Step 5: Now, click on the Add Scopes option as mentioned in the above image and add the following scopes.
In the search bar, search for these scopes: 1. Manage Servers 2. Read Servers 3. View Organization.


Step 6: Click Next and save the app.
Step 7: To create the Flex Gateway, we can use the existing Docker image or follow steps 1-13.
Next, we need to register the Flex Gateway using the command below.
docker run --entrypoint flexctl -v "flex-gateway path":/registration mulesoft/flex-gateway registration create --client-id="connected app client id" --client-secret="connected app client secret" --environment="environment id" --connected=true --organization="organization id" --output-directory=/registration "name of flex-gateway"
Step 9: Create a folder for the Flex Gateway and add that path in the above command in place of “flex-gateway path” 
Step 10: Now go to the created connected app and copy the client ID and secret, and add them to the above command (step 8). 

Step 11: Go to API Manager and select the environment option.
After selecting that environment, we can see the environment ID, copy it, and add it to the above command. 
Step 13: Open the Anypoint platform, navigate to Access Manager, and then select the business group. 
Step 14: After selecting the business group, select the business group ID.

Step 15: Copy the business group ID and add it to the above command.
Step 16: Now add the name of the flex gateway in the place of “gateway name”.
Step 17: Then the final command will appear as mentioned below. 
Next, copy the final command and open the Command Prompt in the directory where the Flex Gateway was created. Then, run the command. 
Step 19: By the above command, we can register a Flex gateway.
Now, to make the Flex Gateway up and running, run the command below.
docker run --rm -v "path":/usr/local/share/mulesoft/flex-gateway/conf.d -p 8081:8081 mulesoft/flex-gateway
Step 21: In the above command, in place of the path, add the Flex Gateway directory path.
Step 22: Copy that command and run it in the command prompt. 
Now we can see the Flex Gateway has been created and is running.
Next, follow steps 23-40 above, add the API under the Flex Gateway, apply policies, and then test it.
This is the process for creating a flex gateway using connected mode, configuring with a connected app, adding external APIs to it, and applying policies on those APIs
2. Configuring Flex Gateway in Local Mode:
▪ local mode: This mode can be implemented on the local machine.
Anypoint Platform
↓
Control plane
↓
Configuring using a YAML file
2(A). Configuring Flex Gateway in Local Mode:
Details: * Deployment on Docker
* Local Mode – Connected App
* Single Replica
* Add external non-Mule API and security in the YAML file
* Securing API with Basic Authentication Policy
Note: In local mode, we use a .yaml file to add the API to the Flex Gateway and secure it, as we have made all these configurations locally.
STEPS:
First, delete the Docker image and container if it was already installed. Otherwise, follow steps 6 to 8 from “Flex Gateway in connected mode using token” to download and install Docker Desktop.
Because we are configuring the Flex Gateway with a ‘connected app’ in local mode, we must first establish a connection. Follow steps 1–6 from the “Flex Gateway in connected mode using Connected App”
To create a Flex Gateway, we need to install a Docker image.
To create the command, follow steps 8 to 17 in “Flex Gateway in connected mode using Connected App”. Ensure the flex gateway name is unique.
Step 5: Create a new directory for Local Mode on your desktop, and then open a command prompt in that path. 

Step 6: Paste the command into the command prompt and run it. This will install the latest Docker image and register a Flex Gateway. Also, we can see a registration YAML file in the directory created.
Next, we need to make the Flex Gateway available in the platform by running it.
Step 8: Use the command below
docker run --rm -v "path":/usr/local/share/mulesoft/flex-gateway/conf.d -p 8081:8081 mulesoft/flex-gateway
Step 9: In the above command, in place of the path, add the Flex Gateway directory path.
Step 10: After placing the directory path in the above command, paste the command in the command prompt where you registered the Flex Gateway and run it.
Step 11: Now, verify that the Flex Gateway is available and running on the platform.
Step 12: The flex gateway is now available, and we can proceed to add the necessary APIs. To do this, we need to create a YAML config file in the directory designated for the Flex Gateway. 

In the created config file, we need to add the external API details, which we want to add under the Flex Gateway. The image below is the syntax for adding API details in the config file.
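Syntax:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: ApiInstance
metadata:
  name: config
spec:
  # Address and port the gateway listens on (matches -p 8081:8081 in the run command)
  address: http://0.0.0.0:8081
  services:
    jsonapi:
      # External (non-Mule) API that requests are forwarded to
      address: https://jsonplaceholder.typicode.com
      routes:
        - rules:
            # Requests whose path matches this pattern are routed to jsonapi
            - path: /jsonapi/(.*)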
After adding the above syntax to the config file, the Flex Gateway will automatically update, as shown in the command prompt.

Step 15: Next, attempt to request the external application using the local host URL. We will then receive a response from it. Find the image below. 
Additionally, we can add multiple applications under a single flex gateway. Refer to the image below for the syntax.
Now we can apply policies for the application as well in the same config file; for that, use the syntax below.
After adding the policies tag in the configuration file, it will be automatically added to the application.
Step 19: Now test the application with and without authentication. 
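One way to automate the with/without-authentication test from the step above, as an added example that is not part of the original post. The names `check_enforcement` and `StubGateway`, the demo credentials, and the expectation that rejected requests return HTTP 401 are assumptions; the stub server is constructed so the check runs offline.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials; substitute the ones configured in your policy.
DEMO_USER, DEMO_PASSWORD = "demo-user", "demo-pass"

# Ignore proxy environment variables so the probe hits the gateway directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def status_of(url, headers=None):
    """GET the URL and return the status code, including 4xx/5xx responses."""
    request = urllib.request.Request(url, headers=headers or {})
    try:
        with _OPENER.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def check_enforcement(url, user, password):
    """Probe a route three ways; 'enforced' is True only if bad requests fail."""
    result = {
        "no_credentials": status_of(url),
        "wrong_password": status_of(url, basic_header(user, password + "-wrong")),
        "valid_credentials": status_of(url, basic_header(user, password)),
    }
    # Assumption: the policy answers rejected requests with HTTP 401.
    rejected = result["no_credentials"] == result["wrong_password"] == 401
    result["enforced"] = rejected and 200 <= result["valid_credentials"] < 300
    return result


class StubGateway(BaseHTTPRequestHandler):
    """Constructed stand-in for a gateway route so the check runs offline."""
    protected = True  # False simulates a route whose policy was never applied

    def do_GET(self):
        expected = basic_header(DEMO_USER, DEMO_PASSWORD)["Authorization"]
        if self.protected and self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"{}")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_stub(protected):
    handler = type("Handler", (StubGateway,), {"protected": protected})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/jsonapi/posts/1"


if __name__ == "__main__":
    for protected in (True, False):
        server, url = run_stub(protected)
        print(protected, check_enforcement(url, DEMO_USER, DEMO_PASSWORD))
        server.shutdown()
```

Against a running gateway, call `check_enforcement` with the local route URL and the credentials from your policy instead of the stub; a result with `enforced` set to False means the route answered a request it should have rejected.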
This process involves creating a flex gateway in local mode, configuring it with a connected app, adding external APIs, and applying policies to these APIs.
For the creation and implementation of flex gateways across different modes and deployment models, refer to the link below.
Conclusion
Flex Gateway empowers organisations to manage and secure APIs with the agility, speed, and resilience required in today’s fast-paced technological ecosystem. Whether you’re dealing with legacy systems, cloud-native applications, or third-party integrations, it provides the tools to unify API governance across environments without compromising performance or security.
With seamless integration into DevOps pipelines and support for diverse deployment models, Flex Gateway is a powerful solution for teams aiming to deliver reliable, secure, and scalable APIs anywhere.
Author: Sri Sai Gana Vivaswanth Kaparapu
Trainee Software Engineer
Co-Author: Indresh Gupta
Architect
Frequently Asked Questions:
An API gateway manages and secures communication between different applications. Flex Gateway helps control API traffic, apply security rules, and monitor performance across cloud and on-premises systems.
API security protects sensitive data, ensures only authorised users can access services, and helps prevent attacks like data breaches and misuse of resources.
Yes, Flex Gateway supports APIs written using various technologies such as Java, Python, and .NET, making it appropriate for an extensive number of applications.
Flex Gateway is easy to set up using either the Anypoint Platform’s user interface or configuration files, and it integrates with DevOps tools for automated deployment.
It is used in businesses that need to manage APIs across multiple locations, including cloud platforms, on-premises servers, or hybrid environments.
Flex Gateway ensures APIs exchange data quickly and securely, which is essential for services like mobile apps, payment systems, or customer support platforms.
Flex Gateway can be deployed as a standalone service or as part of ingress, egress, or sidecar setups, depending on the network structure and security needs.
Yes, Flex Gateway provides tools to monitor traffic, view performance metrics, and apply rules to ensure smooth and secure API operations.
No, you can use Flex Gateway even if your APIs are not built with MuleSoft technologies—it works with a wide range of systems.
DevOps teams can integrate Flex Gateway with continuous integration and deployment pipelines to automate API management, improve efficiency, and reduce manual intervention.