Is TLS between Router and MessageProcessor necessary when they are on the same host?

In the docs:

http://docs.apigee.com/private-cloud/latest/configuring-ssl-between-router-and-message-processor

it explains how to enable TLS encryption between a Router and the Message Processor but does not explain why or when this is necessary.

In a topology where the Router and the Message Processor are on the same node, is this necessary?

In such a topology, are the R and MP talking to each other via a localhost address, and if so, does this mean that traffic will go via the loopback device? As such there is no risk of a packet capture on another host from picking up this traffic 'in the clear'.

I would also point out that none of the topologies mentioned in the docs have R and MP on different nodes so there must be a reason for enabling TLS that I'd like to understand:

http://docs.apigee.com/private-cloud/latest/installation-topologies

Solved

2 ACCEPTED SOLUTIONS

I think your premise is not valid. You wrote:

In a topology where the Router and the Message Processor are on the same node, is this necessary?

Have you had a chance to look at the port diagram at http://docs.apigee.com/private-cloud/latest/installation-requirements#hardwarerequirements ? In general, the R and MP communicate on more than local loopback. In typical installations we do not recommend just a single R + MP, and as you expand the number of Rs and MPs they communicate with each other, obviously across the network.

Therefore your question is moot. There is a need to secure the R -> MP link with TLS.

Hope this explains better for you. I'm more than happy to add more details if needed.

@Rohan Cragg as Christin mentioned above, a typical Edge installation will have two or more Routers and Message Processors (MP). Routers will be sending traffic to all available MPs on the Gateway Pod. So not all traffic will be local within the same machine.

TLS between Router and MP can be enabled if you have requirements for end-to-end (Client > LB > Router > MP > Backend) encryption. The requirement will be driven by your security practices, adherence to certifications and/or regulatory constraints.

3 REPLIES

In general, traffic from a machine to itself will not be sent over a real network interface, even if it is being sent to an address on one of the machine's network adapters (you can directly verify this with tcpdump and Wireshark).

All routers send traffic to all message processors (full HA and internal load balancing of API traffic), so even in the minimum HA configuration you do have traffic sent across the network. So if you need encryption on the wire, you will need to do it even if R and MP are sharing VMs.
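The argument in the replies above (every Router talks to every MP, so even a minimal HA deployment sends some R -> MP traffic across the network) carried through in code, as an added example that is not part of the thread or of the Apigee docs; the host names and role placements are constructed.

```python
# Added example: classify Router -> Message Processor links in a full-mesh
# topology by whether they leave the host. Hosts and placements are constructed.

def cross_host_links(placement):
    """placement maps a host name to the set of roles ('R', 'MP') running on it.

    Every Router sends traffic to every Message Processor, so the full mesh is
    enumerated. Each entry is (router_host, mp_host, crosses_network); a link
    whose two ends sit on the same host stays on loopback and never reaches a
    real interface.
    """
    routers = [host for host, roles in placement.items() if "R" in roles]
    mps = [host for host, roles in placement.items() if "MP" in roles]
    return [(r, m, r != m) for r in routers for m in mps]


def links_needing_wire_encryption(placement):
    """Subset of R -> MP links that traverse a real network segment.

    Without TLS these are the links a packet capture on another host could
    read in the clear, so an empty list means loopback-only traffic.
    """
    return [(r, m) for r, m, crosses in cross_host_links(placement) if crosses]


if __name__ == "__main__":
    # Single node: the case the question asks about.
    single = {"host-a": {"R", "MP"}}
    # Minimum HA: two nodes, each running a Router and an MP.
    min_ha = {"host-a": {"R", "MP"}, "host-b": {"R", "MP"}}
    for name, topo in (("single node", single), ("minimum HA", min_ha)):
        total = len(cross_host_links(topo))
        crossing = links_needing_wire_encryption(topo)
        print(f"{name}: {len(crossing)} of {total} R->MP links leave the host: {crossing}")
```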