Is DMZ required

Hi all,

What is the practice to deploy Edge with respect to DMZ? Is Edge directly exposed to the Internet? I think that considering the features like spike arrest etc., Edge does not need to be in a DMZ. What are your thoughts?

Thanks a lot.


Former Community Member

Hi @bantobanto Apigee Edge is perfectly capable of being deployed in the DMZ; in fact, we have several customers who do that. As you are aware, the product is architected so that certain components can be deployed in the DMZ (usually Router / Message Processor) and other components (Cassandra, ZooKeeper, Postgres, Qpid, Mgmt Server etc.) can be deployed behind internal firewalls. This is a common deployment for B2B or external traffic coming into your APIs. Typical policies include Traffic Management policies such as Spike Arrest, Quotas & security policies like OAuth, SAML etc.

Another common pattern is to deploy a pair of Router / Message Processors behind an internal firewall (in addition to the ones in the DMZ) to provide API management for A2A / Internal API traffic.

All of the above configurations can be seamlessly managed with a unified Management server/UI.

Thanks @Prithpal Bhogill. And what can you say when Edge is deployed not on premise but as a managed service (Cloud version)? How do you secure that, if needed at all?

Thanks a lot.

Hi @bantobanto When Apigee is deployed in the cloud, it is generally not in a DMZ, as it is not behind your own firewall. Apigee Edge is then generally exposed directly to the Internet, although the connection from Apigee Edge to your backends might be done through a DMZ.

Apigee is typically secured by:

South-bound (to your back-end)

- Mutual SSL (http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service)

- SNI (http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service#enabling-sni)

- IP whitelisting

North-bound (to consumers)

- SSL (http://docs.apigee.com/api-services/content/configuring-ssl-cloud-based-edge-installation)

- API Keys (http://docs.apigee.com/api-services/content/api-keys)

- OAuth (http://docs.apigee.com/api-services/content/oauth-home)

Hi @kbouwmeester thanks for your reply. Two comments though:

  • I am just curious how you do whitelisting if Apigee in the cloud does not guarantee a static IP
  • Can you please elaborate more on how SNI would support the use case?

Thanks a lot.

Former Community Member

@bantobanto For enterprise Edge customers we do provide static IP addresses for our gateway that can be whitelisted on your end.