180202 - Apigee Edge for Public Cloud release notes

Self-service virtual hosts and TLS are now generally available

For usage details, see About virtual hosts and TLS/SSL.

Proxy bundle import/update optimizations

Edge will perform stronger validation on API proxy bundles at deploy time. This update helps ensure faster deployments while reducing deployment failures and bundle corruptions when more than one user imports the same bundle at the same time. Following are notable changes and behaviors:

• Each bundle must have a file system root of /apiproxy.
• Edge no longer attempts to ignore paths in an API proxy bundle's resources folder. (For example, Edge no longer ignores .git or .svn directories.)
• If a bundle contains an invalid configuration of more than one API proxy XML configuration file (for example, apiproxy/proxy1.xml and apiproxy/proxy2.xml), there is no guarantee which configuration is used for the API proxy.

Deployment validations

Until this release, Edge had been passively checking API proxy deployments for specific validation errors and notifying organizations through the Advisory tool about required fixes. These advisories, described in Deployment error advisories, were to allow users time to fix issues that would later result in deployment errors when validation was turned on in the product. With this release, Edge now performs those validations and throws deployment errors accordingly.

Autoscaling-aware Spike Arrest policy

A new <UseEffectiveCount> element in the Spike Arrest policy lets you automatically distribute Spike Arrest counts across message processors. When set to true, each message processor divides its allowed spike rate limit by the number of currently active message processors, adjusting the rate limit as message processors are added or removed. The default value is false when the element is omitted from the policy.

For more information, see the Spike Arrest policy topic.

Enhance the MP logging due to connectivity failure

Upgrade Rhino to 1.7.8 and Trireme to 0.9.1

Set default API timeout for all proxies to 55 sec to avoid router timing out earlier

Add logging event for canary deployments

Allow self-signed HTTPS health checks

MP DNS resolution should use an async thread pool

API Product security enhancements

A new organization-level property, features.keymanagement.disable.unbounded.permissions, strengthens the security of API Products in verifying API calls. When the property is set to true (the default for organizations created after this release), the following features are enforced.

App creation

When creating a developer or company app, the management API requires that the app be associated with an API product. (The management UI already enforces this.)

API Product configuration

To create or update an API Product, the API Product must include at least one API proxy or a resource path in its definition.

Runtime security

API calls are rejected by an API product in the following situations:

• An API Product doesn't include at least one API proxy or resource path.
• If the flow.resource.name variable in the message doesn't include a resource path that the API Product can evaluate.
• If the app making the API call isn't associated with an API product.

For existing organizations, the property value is false and must be explicitly changed by a user with System Administrator permissions. This means Public Cloud customers must contact Apigee Support to change the property value.

Router-to-Message Processor communication to be secure by default

Fix misclassification of Node.js script errors

AccessControl policy trusted IP

MessageLogging policy to re-resolve DNS on regular interval

TLS certificate chain validation

When creating a keystore alias using a certificate chain, you must separate certificates in the chain by a newline. Edge now throws a 400 Bad Request on alias creation if your certificate chain doesn't meet this requirement.