Anypoint Flex Gateway Release Notes

1.9.4

June 4, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.4.

Fixed Issues

Issue Resolution	ID
Deploying Flex Gateway with IPv6 disabled no longer causes an error.	W-18671361

Issue Resolution

Deploying Flex Gateway with IPv6 disabled no longer causes an error.

W-18671361

1.9.3

May 28, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.3.

What’s New

Flex Gateway now supports the Model Context Protocol (MCP) and the Agent2Agent (A2A) Protocol, enabling you to secure, manage, and govern agent interactions:

You can Publish Flex Gateway MCP and A2A Server instances.

See Publishing Flex Gateway MCP and A2A Server instances.
Flex Gateway now includes MCP and A2A policies. Using these new policies, you can:
- Protect agent interactions: Require that agents are invoked with appropriate authentication and authorization.
- Enhance agent requests: Modify incoming prompts with additional context to improve server agent execution.
- Provide centralized oversight: Enable frictionless agent visibility, logging, and insights for debugging and optimization.
- Secure connections: Restrict MCP endpoint access to authorized agents only.
- Simplify governance: Provide centralized visibility and control over all interactions.
Flex Gateway now includes these policies:

A2A Policies:
- A2A Schema Validation: Verify requests conform to the A2A schema.
  See A2A Schema Validation Policy.
- A2A Agent Card: Proxy the agent through Flex Gateway by rewriting the agent card.
  See A2A Agent Card Policy
- A2A PII Detector: Detect sensitive information in messages sent to and from agents.
  See A2A Personally Identifiable Information (PII) Detector Policy.
- A2A Prompt Decorator: Modify prompt behavior by injecting custom prompts into requests.
  See A2A Prompt Decorator Policy.
- Server-Sent Events (SSE) Content Logging: Log content sent by agents for audit and compliance needs.
  See SSE Logging Policy.
MCP Policies:
- MCP Schema Validation: Verify requests conform to the MCP schema.
  See MCP Schema Validation Policy.
- MCP Support: Enable MCP support and enable Server-Sent Events (SSE).
  See MCP Support Policy.
- Attribute-Based Access Control: Allows you to control access to tools, resources, and prompts, based on Cedar expressions.
  See MCP Attribute-Based Access Control Policy.

To learn more, see:

1.9.2

May 12, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.2.

Fixed Issues

Issue Resolution	ID
The Flex Gateway 1.9.1 TLS context configuration deployment regression is now fixed.	W-18483362

Issue Resolution

The Flex Gateway 1.9.1 TLS context configuration deployment regression is now fixed.

W-18483362

1.9.1

May 8, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.1.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The `onDelete` event no longer causes a panic.	W-18368903
The Flex Gateway 1.9.0 ForwardProxy regression is now fixed.	W-18202000
The `expires_in` attribute in the OAuth credential injection policy is now correctly spelled.	W-18201673
Redis keys no longer collide if multiple Flex Gateways use the same Redis server.	W-18004157
Redeploying one API instance after updating a TLS Context now updates the context for APIs that share the TLS context.	W-17737710

The onDelete event no longer causes a panic.

W-18368903

The Flex Gateway 1.9.0 ForwardProxy regression is now fixed.

W-18202000

The expires_in attribute in the OAuth credential injection policy is now correctly spelled.

W-18201673

Redis keys no longer collide if multiple Flex Gateways use the same Redis server.

W-18004157

Redeploying one API instance after updating a TLS Context now updates the context for APIs that share the TLS context.

W-17737710

1.9.0

March 18, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.9.0.

What’s New

Managed Flex Gateway on CloudHub 2.0

Flex Gateway now includes Managed Flex Gateway, a fully hosted version of Flex Gateway on CloudHub 2.0. Managed Flex Gateway provides high availability, autoscaling, less operational overhead, and regular automatic patches and upgrades.

Note: To use Managed Flex Gateway, ensure the business group you want to deploy your gateway to has Managed Flex Gateway Resources.

See Deploy a Managed Flex Gateway to CloudHub 2.0.
Flex Gateway Version Lifecycle

MuleSoft introduces two new release channels, Edge and Long-term Support (LTS). Both release channels are available in all deployment models: Managed Flex Gateway, Self-Managed Flex Gateway Connected Mode, and Self-Managed Flex Gateway Local Mode. Edge releases will be available three times per year, and LTS releases will be available once a year.

See Flex Gateway Version Lifecycle.
Outbound Policy Support

Outbound policies are policies applied to specific upstreams. To find the new outbound policies, see Outbound Policies Directory.

To apply outbound policies with UI, see Applying Policies for Managed Flex Gateways and Connected Mode. To apply a policy to a service in Local Mode, see Secure an API with an Automated Resource-Level Policy.
Flex Local Configuration Cache

Flex Gateway running in Connected mode can now cache its gateway configuration in shared storage for faster replica initiation, reduced startup times, and accelerated autoscaling.

See Configuring Flex Gateway Configuration Caching in Connected Mode.
Flex Scalability

Flex Gateway now supports up to 1,000 APIs per gateway.
API Timeouts

Flex Gateway now provides the Stream Idle timeout, Response timeout, and Upstream Idle timeout. You can apply the timeouts to the gateway or individual APIs and upstreams as policies. To learn more, see:

Fixed Issues

Issue Resolution	ID
When deployed to a Virtual Machine (VM), a Self-Managed Flex Gateway no longer fails to restart after an abrupt stop of the VM.	W-17640917

Issue Resolution

When deployed to a Virtual Machine (VM), a Self-Managed Flex Gateway no longer fails to restart after an abrupt stop of the VM.

W-17640917

Known Issues

The Flex Gateway is unable to send logs when a forward proxy is enabled known issue Leaving the Site was introduced in Flex Gateway 1.9.0.

For more information, see Salesforce Known Issues Leaving the Site and set the category to Mulesoft Flex Gateway.

1.8.3

January 29, 2025

MuleSoft announces the release of Anypoint Flex Gateway 1.8.3.

What’s New

Flex Gateway now provides the FLEX_DOWNSTREAM_CONNECTION_BUFFER_LIMIT_BYTES environment variable to limit new connections read and write buffers. By default, the buffer limit is 1MB.
Flex Gateway now provides the FLEX_ENVOY_HEADERS_ENABLED environment variable to remove Envoy headers from requests. By default, the variable is set to false.
Integrated Runtime Logs in Runtime Manager

You can now access and manage Flex Gateway runtime logs directly within Runtime Manager, which streamlines diagnostics and improves operational efficiency.
Flex Gateway Security Best Practices

Flex Gateway documentation now has information about securing Flex clusters, including recommended practices for certificate management and storage.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-17430713
The XSS vulnerability in the Schema Validation policy is now fixed.	W-17450881
Flex Gateway no longer requests client certificates when inbound mTLS isn’t enabled.	W-17424531

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-17430713

The XSS vulnerability in the Schema Validation policy is now fixed.

W-17450881

Flex Gateway no longer requests client certificates when inbound mTLS isn’t enabled.

W-17424531

1.8.2

December 13, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.8.2.

What’s New

Envoy is now updated to version 1.29.9.
The External Authorization Policy now provides the Path prefix parameter to set a prefix to the value of the Path authorization request header.

See External Processing Policy.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-16844648
The Message Logging policy now properly escapes double quotes.	W-16981526
Forward proxy credential configuration with special characters no longer fails.	W-17329371

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-16844648

The Message Logging policy now properly escapes double quotes.

W-16981526

Forward proxy credential configuration with special characters no longer fails.

W-17329371

1.8.1

September 27, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.8.1.

What’s New

The External Processing policy now provides the Failure mode allow, Max message timeout, and Allow mode override parameters to further configure Flex Gateway’s communication with the external processing service.

See External Processing Policy.
The Flex Gateway documentation now provides Flex Gateway limits outlining Flex Gateway specifications for information such as max APIs per gateway, contracts per API, and request header payload size.

See Limits.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
The severity level of the `Details are not recognized as violation` message is decreased from `WARN` to `DEBUG`.	W-15844673
Vulnerabilities detected by scanners are now fixed.	W-16844648

The severity level of the Details are not recognized as violation message is decreased from WARN to DEBUG.

W-15844673

Vulnerabilities detected by scanners are now fixed.

W-16844648

1.8.0

August 14, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.8.0.

What’s New

Flex Gateway now provides a readiness probe to ensure that a Flex Replica is configured correctly and ready for incoming traffic. Use the readiness probe to enable external entities, such as load balancers, to perform gateway health checks to ensure traffic only reaches healthy gateways.

See Configuring a Readiness or Liveness Probe.
The Flex Gateway documentation now provides architecture diagrams detailing best practices for multiple-region, high availability, and disaster recovery deployments.

See Flex Gateway Multiple Region Deployments.
Flex Gateway deployments deployed in Docker containers are now distroless images. Distroless images improve security by only containing the essential runtime components to reduce potential attack surface.
The JWT Validation Policy now supports multiple JWKS servers.

See JWT Validation Policy.
The Mastering API Integration: Salesforce, Heroku, and MuleSoft Anypoint Flex Gateway blog provides details for running Flex Gateway on the Heroku platform.
Fluent Bit is now updated to version 3.0.6.
Flex Gateway no longer supports Ubuntu Bionic, Debian Buster, and RHEL 8.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway now enables you to remove the `Server` header via the `FLEX_REMOVE_SERVER_HEADER` environment variable.	W-13961645
Flex Gateway no longer fails to download assets from Anypoint Platform after an upgrade or downgrade.	W-15665983
Flex Gateway no longer fails to start after an upgrade on RPM-based systems.	W-16285842
The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.	W-16124513

Flex Gateway now enables you to remove the Server header via the FLEX_REMOVE_SERVER_HEADER environment variable.

W-13961645

Flex Gateway no longer fails to download assets from Anypoint Platform after an upgrade or downgrade.

W-15665983

Flex Gateway no longer fails to start after an upgrade on RPM-based systems.

W-16285842

The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.

W-16124513

1.7.2

August 27, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.7.2.

Fixed Issues

Issue Resolution	ID
Vulnerabilities detected by scanners are now fixed.	W-16188012
The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.	W-16124513
Flex Gateway no longer crashes when an API instance name exceeds the 50 character limit.	W-15941334

Issue Resolution

Vulnerabilities detected by scanners are now fixed.

W-16188012

The JSON Threat Protection policy no longer fails on Windows systems when the payload contains escape characters.

W-16124513

Flex Gateway no longer crashes when an API instance name exceeds the 50 character limit.

W-15941334

1.7.1

June 26, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.7.1.

What’s New

Flex Gateway now supports SUSE Linux Enterprise 15 for x86_64 and IBM PowerPC (ppc64le) architectures.

For more information, refer to Downloading Flex Gateway.
The Message Logging policy now supports additional DataWeave expressions.

For more information, refer to Message Logging Policy DataWeave Support.
Configure the FLEX_FORWARD_CLIENT_CERT_DETAILS environment variable to handle x-forwarded-client-cert (XFCC) HTTP headers. Possible values include the following strings:
- SANITIZE
- FORWARD_ONLY
- APPEND_FORWARD
- SANITIZE_SET
- ALWAYS_FORWARD_ONLY
  
  The FLEX_FORWARD_CLIENT_CERT_DETAILS environment variable configuration applies to all API instances.
  
  For more information, refer to Envoy documentation.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway certificate renewal command no longer fails.	W-15870723
Flex Gateway no longer fails when an upstream uses the `P-384` or `P-521` ECDH curves.	W-15666251
Vulnerabilities detected by scanners are now fixed.	W-15895967
Flex Gateway running in Connected Mode no longer fails if an asset name is too long.	W-15941334
The severity level of the `Details are not recognized as violation` message is decreased from `WARN` to `DEBUG`.	W-15844673
Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.	W-16151550

Flex Gateway certificate renewal command no longer fails.

W-15870723

Flex Gateway no longer fails when an upstream uses the P-384 or P-521 ECDH curves.

W-15666251

Vulnerabilities detected by scanners are now fixed.

W-15895967

Flex Gateway running in Connected Mode no longer fails if an asset name is too long.

W-15941334

The severity level of the Details are not recognized as violation message is decreased from WARN to DEBUG.

W-15844673

Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.

W-16151550

1.7.0

May 6, 2024

MuleSoft announces the release of Anypoint Flex Gateway 1.7.0.

What’s New

Flex Gateway now supports RHEL 9 for IBM PowerPC (ppc64le) architecture.

For more information, refer to Downloading Flex Gateway.
Flex Gateway now supports Debian Bookworm and Amazon Linux 2023.
Flex Gateway no longer supports Amazon Linux 2.
Flex Gateway now supports the following container orchestration services:
- Amazon Elastic Container Service (Amazon ECS)
- Azure Container Service (ACS)
- Google Cloud Run
- AWS Fargate
The flexctl check connections command enables debugging issues with network and registration.

For more information, refer to Troubleshoot Platform Connections.
The flexctl check http command enables client URL requests.

For more information, refer to Troubleshooting Request Connection.
External Authorization policy now supports configuring upstream headers and timeouts.
Envoy is now updated to version 1.29.3.
Fluent Bit is now updated to version 2.0.11.

Fixed Issues

Issue Resolution ID

Issue Resolution	ID
Flex Gateway now sends logs under Anypoint Platform downtime conditions.	W-14899674
Flex Gateway now sets the log lines date correctly in VMs.	W-14659532
OAuth policy no longer fails to initialize in the ABI WASM.	W-14388776
Client ID Enforcement policy no longer uses a different shared data partition when a new policy instance is added.	W-14584415
HTTP Caching policy no longer generates a duplicate serialization.	W-14557325
OAS policy no longer tries to deserialize non-YAML or non-JSON files.	W-15243907
Flex Gateway no longer fails when the same TLS context is used for inbound and outbound requests.	W-14328663
The default connection timeout is now increased to 5 seconds.	W-14865784
Vulnerabilities detected by scanners are now fixed.	W-14856151
The performance of config processing is improved.	W-14821830
Flex Gateway now properly handles removed contracts.	W-14920631
Schema Validation policy now returns a 404 status code for resources that do not exist in the API specification.	W-14801480
Rate Limit policy defined using a Selector in Local Mode no longer applies an incorrect quota when matching multiple APIs.	W-13797100
Message Logging policy now attempts to parse messages using Windows-1252 charset if it fails to parse messages as UTF-8.	W-14801403
Flex Gateway now blocks traffic when a policy can’t be applied.	W-14669249
Fixed vulnerabilities detected by security scanners.	W-14686172
Flex Gateway now prevents files from being automatically deleted during OS cleanup.	W-14583807
The `flexctl dump` command no longer shows an error when there are no resources to dump.	W-11194730
Healthcheck policy no longer fails if Flex Gateway is installed on a namespace other than `default`.	W-14506137
OAS policy no longer fails when attempting to define an `enum` for integers.	W-14496441
Healthcheck and JWT Validation policies no longer use HTTP for external requests when on TLS.	W-14389347
Logging policy now correctly handles DataWeave expressions with variables returning `null`.	W-14423354
Header Removal policy is now able to remove the `Accept` header.	W-14417832
Logging policy no longer fails when trying to print a log with non-utf8 characters.	W-14707180
Flex Gateway now force-kills Fluent Bit ten seconds after a term signal is sent.	W-14189688
Flex Gateway no longer sends empty log lines to the platform.	W-14658813
Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.	W-16151550

Flex Gateway now sends logs under Anypoint Platform downtime conditions.

W-14899674

Flex Gateway now sets the log lines date correctly in VMs.

W-14659532

OAuth policy no longer fails to initialize in the ABI WASM.

W-14388776

Client ID Enforcement policy no longer uses a different shared data partition when a new policy instance is added.

W-14584415

HTTP Caching policy no longer generates a duplicate serialization.

W-14557325

OAS policy no longer tries to deserialize non-YAML or non-JSON files.

W-15243907

Flex Gateway no longer fails when the same TLS context is used for inbound and outbound requests.

W-14328663

The default connection timeout is now increased to 5 seconds.

W-14865784

Vulnerabilities detected by scanners are now fixed.

W-14856151

The performance of config processing is improved.

W-14821830

Flex Gateway now properly handles removed contracts.

W-14920631

Schema Validation policy now returns a 404 status code for resources that do not exist in the API specification.

W-14801480

Rate Limit policy defined using a Selector in Local Mode no longer applies an incorrect quota when matching multiple APIs.

W-13797100

Message Logging policy now attempts to parse messages using Windows-1252 charset if it fails to parse messages as UTF-8.

W-14801403

Flex Gateway now blocks traffic when a policy can’t be applied.

W-14669249

Fixed vulnerabilities detected by security scanners.

W-14686172

Flex Gateway now prevents files from being automatically deleted during OS cleanup.

W-14583807

The flexctl dump command no longer shows an error when there are no resources to dump.

W-11194730

Healthcheck policy no longer fails if Flex Gateway is installed on a namespace other than default.

W-14506137

OAS policy no longer fails when attempting to define an enum for integers.

W-14496441

Healthcheck and JWT Validation policies no longer use HTTP for external requests when on TLS.

W-14389347

Logging policy now correctly handles DataWeave expressions with variables returning null.

W-14423354

Header Removal policy is now able to remove the Accept header.

W-14417832

Logging policy no longer fails when trying to print a log with non-utf8 characters.

W-14707180

Flex Gateway now force-kills Fluent Bit ten seconds after a term signal is sent.

W-14189688

Flex Gateway no longer sends empty log lines to the platform.

W-14658813

Flex Gateway no longer supports the TLS_RSA_WITH_NULL_SHA cipher because Envoy stopped supporting the cipher.

W-16151550