Apigee to connect to external rest end point

Hello everyone,

A little background: we have a few legacy Spring Boot applications which connect to external systems through REST APIs, and these connections are TLS enabled. Now it's been decided to containerise these legacy Spring Boot apps and host them on GKE. Also, it's been decided that all Spring Boot container apps hosted on GKE are going to connect to external systems via Apigee.

What would be the correct approach to connect Spring Boot apps to external systems via Apigee using a TLS connection? Will there be two TLS connections with different certificates? That is:

first, a TLS connection from the Spring Boot app to Apigee (using Apigee's certificate), then Apigee will initiate a new connection to the external system (using the external system's certificate).

Thanks

Ani.

Accepted solution

Yes - that is the correct approach. 

Apigee acts as a reverse proxy in the network. As a result, when managing APIs through Apigee, there are two connections: one from the client to Apigee, and another from Apigee to the upstream or target system. Each of these connections will use a distinct TLS context. You can use 1-way or 2-way (mutual) TLS on either or both of those connections. Typically, the client->Apigee connection is 1-way TLS, and Apigee->upstream is 2-way TLS. The reason for that is the clients are often "unmanaged" or outside of the ownership domain of an organization, which means the organization cannot provision keys and certificates to each distinct client.

But in your case the Spring Boot apps running in GKE are the "clients". And these clients are managed by you. So you may wish to use 2-way TLS between the Spring Boot apps and Apigee.

Or not.  

Either way works. 

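As an added illustration of the two TLS contexts described in the answer (not code from the thread or from Apigee's own samples), below is a minimal Apigee proxy configuration: the ProxyEndpoint handles the client->Apigee leg, and the TargetEndpoint's SSLInfo block configures the Apigee->upstream leg as 2-way TLS with Apigee's own keystore and truststore. The URL, base path, virtual host name and keystore/truststore reference names are placeholders (assumptions), and the inbound TLS settings for the virtual host (Edge) or environment group (Apigee X) are assumed to be configured separately, outside the proxy bundle.

```xml
<!-- ProxyEndpoint: the client (Spring Boot app) -> Apigee leg.
     Inbound TLS (1-way or 2-way) is governed by the virtual host / load
     balancer this endpoint is bound to, not by the TargetEndpoint below.
     "secure" and the base path are placeholders. -->
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/v1/partner</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- TargetEndpoint: the Apigee -> upstream leg, using its own TLS context.
     Keystore/truststore references and the upstream URL are placeholders. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://partner.example.com/api</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- 2-way (mutual) TLS: Apigee presents its own client certificate
           from the keystore; the upstream's certificate is checked against
           the truststore rather than Apigee's default trust. -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://upstream-keystore-ref</KeyStore>
      <KeyAlias>apigee-client-cert</KeyAlias>
      <TrustStore>ref://upstream-truststore-ref</TrustStore>
      <!-- Keep validation on; setting this to true silently accepts
           untrusted or mismatched upstream certificates. -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
      <Protocols>
        <Protocol>TLSv1.2</Protocol>
      </Protocols>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Because the two legs use separate keystores and truststores, the certificate the Spring Boot app validates (Apigee's) is unrelated to the certificate Apigee validates on the upstream, which is exactly the two-certificate picture the question describes.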

Thanks for your valuable input