BIG-IP APM integration with Open Policy Agent (OPA)

 

This article explores a technical deployment in which BIG-IP APM integrates with Open Policy Agent (OPA) through the HTTP Connector to fetch client authorization information and enforce access.

 

Open Policy Agent (OPA)

OPA is a unified policy engine for cloud-native environments, enabling policy-as-code across infrastructure, APIs, and data.

OPA is widely adopted across industries for cloud-native authorization and policy management:

  • Used by around 50% of Fortune 500 companies (per OPA’s creator) in sectors like finance, tech, and healthcare.
  • Major adopters: Netflix, Goldman Sachs, Airbnb, Uber, Pinterest, and Cisco.
  • Kubernetes: Integrated with Istio, Kubernetes Gatekeeper, and cloud platforms (EKS, AKS, GKE).

 

BIG-IP APM HTTP Connector

HTTP Connector enables BIG-IP APM to post an HTTP request to an external HTTP server. This enables APM to make HTTP calls from a per-request policy without the need for an iRule, for example. The typical use for an HTTP Connector is to provide access to an external API or service. For example, you can use the HTTP Connector to check a server against an external blocklist, or an external reputation engine, and then use the results in an Access Policy Manager per-request policy. 

 

Lab environment and configurations

Lab setup:

  • BIG-IP APM v15.1+
  • OPA server
  • Backend (API endpoint)

The BIG-IP APM HTTP Connector request shown below uses APM access variables to fetch the authorization level from the OPA server.
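As an added example (not taken from the article, F5 or the OPA project), this sketches the JSON exchange behind such a request using OPA's Data API (`POST /v1/data/<path>` with an `input` document, answered with a `result` document) and shows the response being interpreted fail-closed. The policy path, input field names, level values and the `stub_opa` stand-in server are assumptions made for illustration.

```python
import json

# Assumed names (not from the article): policy path, input fields, level values.
POLICY_PATH = "/v1/data/apm/authz/level"
KNOWN_LEVELS = {"admin", "read"}
GROUP_LEVEL = {"admins": "admin", "staff": "read"}  # constructed policy data

def build_request(user, group, method, uri):
    """Path and JSON body of the POST the connector would send to OPA's Data API."""
    body = {"input": {"user": user, "group": group, "method": method, "path": uri}}
    return POLICY_PATH, json.dumps(body).encode()

def stub_opa(path, raw_body):
    """Stand-in for the OPA server: returns (status, body) in Data API shape."""
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return 400, b""
    level = None
    if path == POLICY_PATH:
        level = GROUP_LEVEL.get(doc.get("input", {}).get("group"))
    # An undefined decision is HTTP 200 with no "result" key, not an error.
    return 200, json.dumps({"result": level} if level else {}).encode()

def authorization_level(status, raw_body):
    """Fail closed: anything but a 200 carrying a known level is 'deny'."""
    if status != 200:
        return "deny"
    try:
        result = json.loads(raw_body).get("result")
    except (ValueError, AttributeError):
        return "deny"
    return result if isinstance(result, str) and result in KNOWN_LEVELS else "deny"

def check(user, group, method="GET", uri="/api/orders"):
    """Run one request through the stub and map the answer to a policy branch."""
    return authorization_level(*stub_opa(*build_request(user, group, method, uri)))

if __name__ == "__main__":
    # Constructed sample identities.
    for user, group in [("alice", "admins"), ("bob", "staff"), ("eve", "guests")]:
        print(user, group, "->", check(user, group))
```

The case to carry into the per-request policy is the undefined decision: OPA answers 200 with an empty object, so the deny branch has to key on a missing or unrecognized `result`, not on the HTTP status alone.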

 

Updated May 14, 2025
Version 2.0