MTE API Relay

Introduction

MTE API Relay is an end-to-end encryption system that protects HTTP traffic between server applications. It acts as a proxy server that encodes and decodes payloads using Eclypses MTE software, an encryption library combining quantum-resistant algorithms with proprietary, patented techniques to secure data.

Below is an architecture where a server application communicates through an MTE API Relay container, which then transmits proxied traffic to another API Relay that decodes and delivers the request to its upstream API service:

Typical Use Case

View MTE API Relay on the Azure Marketplace


Prerequisites

Technical Requirements

  • Two services that use HTTP to communicate with each other.

Skills and Knowledge

  • Familiarity with AKS and/or Kubernetes.
  • General familiarity with Azure Services.
  • Experience with the Azure CLI.

Deployment Options

MTE API Relay is provided as a Docker image and can be deployed on Azure AKS, or manually using another container runtime.

1. Azure Kubernetes Service (AKS)

If kubectl is already configured for your AKS cluster:

Example Deployment File (deployment.yaml)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-mte-api-relay-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-mte-api-relay
  template:
    metadata:
      labels:
        app: azure-mte-api-relay
    spec:
      containers:
        - name: azure-mte-api-relay
          image: <CONTAINER_IMAGE>
          ports:
            - containerPort: 8080
          env:
            - name: CLIENT_ID_SECRET
              value: <YOUR CLIENT ID SECRET HERE>
            - name: CORS_ORIGINS
              value: <YOUR CORS ORIGINS HERE>
            - name: UPSTREAM
              value: <UPSTREAM VALUE HERE>
            - name: OUTBOUND_TOKEN
              value: <OUTBOUND TOKEN HERE>
            - name: SECRET
              value: <SERVER SECRET HERE>
---
apiVersion: v1
kind: Service
metadata:
  name: azure-mte-api-relay-service
spec:
  type: LoadBalancer
  selector:
    app: azure-mte-api-relay
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Commands

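# Deploy the Relay and its LoadBalancer service
kubectl apply -f deployment.yaml
# Confirm that the pod and service are running
kubectl get all
# Remove the deployment when it is no longer needed
kubectl delete -f deployment.yaml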

2. Docker Image

You can also run the image using Docker, Podman, K3s, or Docker Swarm.

Commands

az acr login --name <ACR_REGISTRY_NAME>

docker pull <ACR_REGISTRY_NAME>.azurecr.io/eclypses/mte-api-relay:latest

Refer to the Server Configuration section for required environment variables.


Server Configuration

MTE API Relay is configured using environment variables.

Required Variables

  • UPSTREAM – Upstream API or service URL.
  • CLIENT_ID_SECRET – Secret for signing client IDs (minimum 32 characters).
  • OUTBOUND_TOKEN – Token appended to requests to denote the intended outbound recipient.
  • SECRET – Shared secret required for exchanges; mismatches will cause decoding failures.
  • REDIS_URL (recommended for production) – Redis cluster for maintaining session pairs across load-balanced containers.

Optional Variables

  • PORT – Default: 8080.
  • LOG_LEVEL – One of trace, debug, info, warning, error, panic, off. Default: info.
  • PASS_THROUGH_ROUTES – Routes proxied without MTE encoding.
  • MTE_ROUTES – If set, only listed routes use encoding; others return 404.
  • CORS_ORIGINS – Comma-separated list of allowed origins.
  • CORS_METHODS – Default: GET, POST, PUT, DELETE.
  • HEADERS – Object of custom headers.

Minimal Example

UPSTREAM='https://api.my-company.com'
CLIENT_ID_SECRET='2DkV4DDabehO8cifDktdF9elKJL0CKrk'
OUTBOUND_TOKEN='abcdefg1234567'
CORS_ORIGINS='https://www.my-company.com,https://dashboard.my-company.com'

Full Example

UPSTREAM='https://api.my-company.com'
CLIENT_ID_SECRET='2DkV4DDabehO8cifDktdF9elKJL0CKrk'
OUTBOUND_TOKEN='abcdefg1234567'
SECRET='sharedsecret1234567890'
REDIS_URL='redis://10.0.1.230:6379'
PORT=3000
LOG_LEVEL=info
PASS_THROUGH_ROUTES='/health,/version'
MTE_ROUTES='/api/v1/*,/api/v2/*'
CORS_ORIGINS='https://www.my-company.com,https://dashboard.my-company.com'
CORS_METHODS='GET,POST,DELETE'
HEADERS='{"x-service-name":"mte-api-relay"}'
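
A preflight check for the variables documented above, run against an env file before it reaches the cluster. This is an added example, not Eclypses code: the function names and the sample input are constructed, and it assumes UPSTREAM is an http(s) URL and HEADERS is a JSON object. It treats the four unqualified entries under Required Variables as mandatory, so the Minimal Example, which omits SECRET, is reported.

```python
import json
from urllib.parse import urlsplit

# Names and limits come from the variable lists on this page.
REQUIRED = ("UPSTREAM", "CLIENT_ID_SECRET", "OUTBOUND_TOKEN", "SECRET")
LOG_LEVELS = {"trace", "debug", "info", "warning", "error", "panic", "off"}
# Constructed sample with deliberate mistakes (not a real configuration).
SAMPLE = """UPSTREAM='api.my-company.com'
CLIENT_ID_SECRET='tooshort'
OUTBOUND_TOKEN=<OUTBOUND TOKEN HERE>
LOG_LEVEL=verbose
HEADERS='x-service-name=mte-api-relay'
"""

def parse_env(text):
    """Parse KEY=value lines; blank lines and # comments are skipped."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop the surrounding quotes
            env[key] = value
    return env

def _placeholder(value):
    # The deployment template marks unfilled values as <...>.
    return value.startswith("<") and value.endswith(">")

def validate(env):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"{k}: placeholder not replaced" for k, v in env.items() if _placeholder(v)]
    problems += [f"{k}: missing" for k in REQUIRED if not env.get(k)]
    vals = {k: v for k, v in env.items() if v and not _placeholder(v)}
    if "CLIENT_ID_SECRET" in vals and len(vals["CLIENT_ID_SECRET"]) < 32:
        problems.append("CLIENT_ID_SECRET: shorter than 32 characters")
    if "UPSTREAM" in vals:
        url = urlsplit(vals["UPSTREAM"])  # assumption: http(s) URL
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append("UPSTREAM: not an http(s) URL")
    if vals.get("LOG_LEVEL", "info") not in LOG_LEVELS:
        problems.append("LOG_LEVEL: not a documented level")
    if "HEADERS" in vals:
        try:
            ok = isinstance(json.loads(vals["HEADERS"]), dict)
        except ValueError:
            ok = False
        if not ok:
            problems.append("HEADERS: not a JSON object")
    return problems
```

Calling `validate(parse_env(open(path).read()))` in a CI step and failing on a non-empty list catches these mistakes before the container logs do.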

Testing & Health Checks

  • Monitor startup logs in Azure Monitor. Successful logs include:

    • MTE instantiated successfully.
    • Server listening at http://[0.0.0.0]:8080
  • Test Echo route:

    curl 'http://<DOMAIN>/api/mte-echo?msg=test'
  • Expected response:

    {
      "echo": "test",
      "time": "<timestamp>"
    }

Monitoring

Azure Managed Grafana

  1. Create a Grafana workspace in Azure.
  2. Add Azure Monitor as a data source (service principal auth recommended).
  3. Import the provided dashboard:

Dashboard Metrics

  • Requests Processed [req/sec]
  • Request Time [ms]
  • Outbound Proxy Time [ms]
  • Upstream Proxy Time [ms]
  • Average Request Encode Time [ms]
  • Average Request Decode Time [ms]
  • Average Response Encode Time [ms]
  • Average Response Decode Time [ms]

Performance Metrics

Performance was measured with ~1 kb request/response payloads:

Concurrency   Req/Sec Relay   Req/Sec API   Relay %   Extra Latency (Median)
500           92.6            94            98.5%     +10 ms
600           179             183           97.8%     +17 ms
650           215             226           95.1%     +45 ms
700           225.7           267.6         84.3%     +202 ms

Note: At higher volumes (≥650 concurrent), scaling across multiple Relay instances is recommended.


Troubleshooting

  1. Invalid Configuration
    • Check logs for missing/invalid environment variables.
  2. Relay unreachable
    • Verify Network Security Groups and load balancer settings.
  3. Redis connection issues
    • Ensure Redis is properly deployed and credentials are correct.

Security

  • No sensitive data is stored in the container.
  • No root privileges required.
  • Should be deployed in the same VNet as the upstream service to ensure proxied traffic remains internal.

Costs

The service uses a usage-based cost per instance per hour.
Associated Azure services include:

Azure Service          Purpose
AKS                    Container orchestration
Azure Cache (Redis)    State/session management
Azure Monitor          Logging and monitoring
VNet                   Networking isolation
Azure Load Balancer    Scaling across Relay containers
Azure Key Vault        Recommended for secrets/env vars

Maintenance

Routine Updates

  • Updated container images are distributed through the Azure Marketplace.

Fault Recovery

  • Relaunch the Relay container pod; API Relays will automatically re-pair.

Service Limits

Key/Variable Rotation Recommendations

  • Rotate the CLIENT_ID_SECRET and OUTBOUND_TOKEN every 90 days as per security best practices.

Supported Regions

MTE API Relay is supported in most Azure regions, except:

  • Azure Gov
  • UAE and Bahrain Regions
  • China

Support

For assistance, contact Eclypses Support:
📧 customer_support@eclypses.com
🕒 Monday–Friday, 8:00 AM–5:00 PM MST (excluding holidays)