Is TLS between Edge UI and Edge Management API necessary when they are on the same host?


In the docs:

http://docs.apigee.com/private-cloud/latest/configuring-ssl-management-api#configuretheedgeuitousetl...

it states that: "Apigee recommends that you disable HTTP access in production environments"

But in a topology where the Management Server and Edge UI are on the same node, why is this necessary? If the UI and MS are talking to each other via a localhost address, does this not mean that the traffic would go via the loopback device? As such, there is no risk of a packet capture on another host picking up this traffic 'in the clear' (HTTP).

I would also point out that none of the topologies mentioned in the docs have UI and MS on different nodes:

http://docs.apigee.com/private-cloud/latest/installation-topologies

1 ACCEPTED SOLUTION



Rohan,

As before (the MP question), it depends on your security practices. But generally speaking it is not required.

You can enable TLS on UI or terminate TLS for UI on the Load Balancer used for UI and keep MS as HTTP.


In general, traffic from a machine to itself will not be sent over a real network interface, even if it is being sent to an address on one of the machine's network adapters (you can verify this directly with tcpdump and Wireshark).


If you only have one MS and one MSUI (non-HA, non-API traffic), then see above. No traffic goes on the wire unencrypted.

If you have more nodes, it depends on your topology, but the rule is that there will be no plaintext traffic on the wire if each UI points to its MS on the same host. If you need UIs to connect to a load balancer across multiple MS nodes, then you do need to encrypt internode traffic (I understand this is not your case).

sgilson

Also, leaving HTTP access to the management API enabled just for the Edge UI means the API is also available over HTTP externally unless you lock down port 8080.

Stephen
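As an added example (not from this thread or the Apigee docs), a small Python check that applies both replies: it classifies where the UI's configured MS base URL sends traffic (loopback, the node's own address, or another host) and, from constructed `ss -ltn` output, whether the HTTP port 8080 that Stephen mentions is bound on a non-loopback address. The URL values, the node's address list and the socket rows are assumed inputs; the claim that traffic to the node's own address stays on the host is the accepted reply's.

```python
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def host_class(host, local_addresses):
    """'loopback': never leaves the host; 'self': this node's own address,
    routed via lo on Linux but fragile if the config moves; 'remote': on the wire."""
    h = host.strip("[]").lower()
    if h in LOOPBACK_NAMES:
        return "loopback"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return "remote"  # unresolved DNS name: assume it leaves the host
    if ip.is_loopback:
        return "loopback"
    return "self" if h in {a.lower() for a in local_addresses} else "remote"

def ms_link_needs_tls(ms_url, local_addresses):
    """True when UI -> MS traffic would be plaintext on a real interface."""
    u = urlsplit(ms_url)
    if u.scheme == "https":
        return False
    return host_class(u.hostname or "", local_addresses) == "remote"

def externally_bound(ss_lines, port):
    """Non-loopback local addresses on which `port` is listening, parsed from
    `ss -ltn` rows (State Recv-Q Send-Q Local:Port Peer:Port)."""
    exposed = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, p = parts[3].rpartition(":")
        if p != str(port):
            continue
        addr = addr.strip("[]")
        if addr in ("*", "0.0.0.0", "::"):
            exposed.append(addr)  # wildcard bind: reachable from other hosts
        elif not ipaddress.ip_address(addr).is_loopback:
            exposed.append(addr)
    return exposed

# Constructed `ss -ltn` sample: the management API's HTTP listener is bound on all IPv4 addresses.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::1]:8080          [::]:*""".splitlines()
```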