Secure API using Apigee


We are planning to expose a couple of simple APIs to our customers. I am hoping that Apigee can help with the authentication piece with OAuth2.

But I don't know how we can expose our APIs to Apigee securely without exposing them to the rest of the internet.

Can you please help?

ACCEPTED SOLUTION

@Pete He, welcome to Apigee Community!

Thank you @snehal chakraborty for the great pointers. Just to add on top of what Snehal mentioned above:

Regarding exposing your API to Apigee securely without exposing it to the rest of the internet:

We call it last mile security. Apigee recommends using 2-way TLS to secure the connection between Apigee and the target. Find more about last mile security here. You need to purchase Apigee Edge to do the same.

You have mentioned your API as internal. Is it exposed to the Internet or inside a DMZ environment?

If it's accessible outside your network, you can use Apigee Edge Cloud and secure the connection between your backend servers and Apigee using 2-way TLS as explained here.

If the API is inside a DMZ environment and not accessible outside your network, you can use Apigee Edge OnPremise and do the same 2-way TLS. Apigee offers 3 deployment models: Cloud, OnPremise, Hybrid.

Hope it helps. Keep us posted moving forward if any.


7 REPLIES

Hi,

What kind of security are you talking about? Is it southbound security between Apigee and the backend, or the northbound security on the providing side? There are various approaches for both cases. Selection of an approach really depends on your design and business requirements.

How do I secure our internal API to Apigee? Can you please help?

You can try 1-way TLS, which is the simplest, or 2-way TLS. Also, you can use some kind of authentication mechanism like username/password at the application level as well.

Refer to this link


Thanks for your answer, we can expose the backend service to the internet. I am trying to implement it based on the link you provided.

It says "Create a keystore on Edge and upload the Edge cert and private key. This cert and private key is typically supplied by the backend server." If the backend web service is an ASP.NET Web API on IIS with a certificate from a trusted CA, how do I get the cert and the private key from the backend server?

Since the Apigee platform is making the call to the backend service, it requires its own key and certificate. You need to create a public/private key pair and a CSR. Either generate a self-signed certificate or share the CSR with a CA to get a certificate. Once you have the certificate, convert it into .pem format, if not already. Also convert the private key into .pem format. Put the private key and certificate PEM files in a JAR. Create a keystore on Edge and upload the JAR into the keystore.

Refer to this link
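The key, CSR and PEM steps from the reply above, with a check that the certificate and private key actually belong together before they are packaged, as an added example that is not part of the original thread. The file names and the CN are constructed placeholders, the self-signed certificate is meant for testing only, and building the JAR and uploading it to Edge are not shown.

```shell
#!/bin/sh
# Added example: prepare the client identity Apigee presents to the backend in 2-way TLS.
# File names (client.key, client.csr, client.pem) and the CN are constructed placeholders.
set -eu

# make_client_identity DIR CN
# Writes DIR/client.key (unencrypted PEM private key), DIR/client.csr (send this to a CA)
# and DIR/client.pem (self-signed certificate, for testing only).
make_client_identity() {
    id_dir=$1
    id_cn=$2
    mkdir -p "$id_dir"
    # umask 077 keeps the private key unreadable by other local users.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$id_dir/client.key" -out "$id_dir/client.csr" \
        -subj "/CN=$id_cn" 2>/dev/null )
    openssl x509 -req -in "$id_dir/client.csr" -signkey "$id_dir/client.key" \
        -days 30 -out "$id_dir/client.pem" 2>/dev/null
}

# cert_to_pem IN OUT
# CAs often return DER (.cer/.der); copy the file if it is already PEM, otherwise convert it.
cert_to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# key_matches_cert CERT_PEM KEY_PEM
# Returns 0 only when the certificate's public key is the one derived from the private key.
# A mismatched pair would be accepted into a bundle and then fail at the TLS handshake.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (constructed values):
#   make_client_identity ./edge-client "apigee-edge-client.example.test"
#   cert_to_pem ca-issued.cer ./edge-client/client.pem   # when the CA returns DER
#   key_matches_cert ./edge-client/client.pem ./edge-client/client.key && echo "pair OK"
```

The backend also has to trust this certificate (or the CA that issued it) for client authentication, otherwise the handshake is rejected on its side.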

Thank you, Snehal