I'd like to know if it's possible to restrict an Apigee proxy so that it is only accessible from other proxies (e.g. for the policy composition pattern).
I want to create a few public Apigee proxies that will use the above "private" proxy via ServiceCallouts. However, I'd like to reject direct requests to the "private" proxy. The public proxies have OAuth2 authentication policies.
Ideally, the OAuth2 flow variables should also be propagated to the "private" proxy.
Any advice would be much appreciated.
One simple solution is to use a custom header. The private proxy will check for the presence of the custom header in the request and the private proxy will reject requests that do not have that header.
Another solution, if you are using OPDK or a dedicated pod in the cloud, is to IP whitelist the private proxy to the Message Processor IPs. The private proxy will then only allow calls from the MP, which means from another proxy, not from outside.
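
The two approaches from the answer above, sketched as Apigee policy XML (an added example, not part of the original posts). The header names, policy names, callout URL and the 192.0.2.10 address are placeholders; forwarding `client_id` assumes an OAuthV2 VerifyAccessToken policy ran earlier in the public proxy.

```xml
<!-- Public proxy: ServiceCallout that marks the request as internal
     and forwards the OAuth2 client id as a header. -->
<ServiceCallout name="SC-CallPrivateProxy">
  <Request clearPayload="true" variable="privateRequest">
    <Set>
      <Headers>
        <Header name="X-Internal-Call">true</Header>          <!-- placeholder header name -->
        <Header name="X-Caller-Client-Id">{client_id}</Header> <!-- assumes VerifyAccessToken ran -->
      </Headers>
    </Set>
  </Request>
  <Response>privateResponse</Response>
  <HTTPTargetConnection>
    <URL>https://api.example.com/private-proxy</URL>           <!-- placeholder URL -->
  </HTTPTargetConnection>
</ServiceCallout>

<!-- Private proxy, ProxyEndpoint PreFlow: reject when the header is absent.
     A header check only proves the caller knows the header name, so pair it
     with the AccessControl policy below where the deployment allows it. -->
<Step>
  <Name>RF-RejectDirectCall</Name>
  <Condition>request.header.X-Internal-Call = null</Condition>
</Step>

<RaiseFault name="RF-RejectDirectCall">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- Private proxy (OPDK or dedicated pod): allow only Message Processor IPs.
     Add one MatchRule or SourceAddress per MP; the address is a placeholder. -->
<AccessControl name="AC-AllowMessageProcessorsOnly">
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">192.0.2.10</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>
```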