How to implement Traffic control for Management APIs?

Hi Apigeeks,

Is there any option available for on-premise installations to impose traffic control on management APIs? We are working on version 14.17.01.05 of OPDK.

If not, then is it planned in any future releases?

Thanks.


karthik
Participant I

Hi @Mohammed Zuber, can you be more specific on use cases for this? Typically, Management APIs are used by administrators or developers with elevated access for automation/advanced features usage that the UI does not provide. I have noticed some node modules to accomplish some management API functions but need more information before providing any recommendations.


@karthik

Our security team has come up with some use cases on Edge UI where Management APIs are used for doing organization administration, and they have raised the question that these APIs can be put to a DoS kind of attack.

Also, these being APIs, they should have some kind of traffic control mechanism. If not quota, then at least spike control should be there on these APIs.

As you have said, these APIs are for automation, and while automating, if we mistakenly do an infinite loop in scripts, then that will result in system breakdown.

One solution that I could think of to this problem is making a passthrough proxy in Edge which will add these missing features.

APIGEE being an API management platform, why have they not implemented this feature in their own APIs? If there is, in fact, a concrete rationale behind this, then I would like to understand it.

karthik
Participant I

@Mohammed Zuber

I was thinking along the same lines of proxying these requests via a proxy; however, DoS attacks occur on business APIs and not necessarily on management API calls. I am a little confused by the use case. Alternatively, you can look at the Volos node module, which has quotas and other traffic controls built in.
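
Added example, not part of the thread and not Apigee's own configuration: a sketch of the passthrough proxy idea discussed above, with a Spike Arrest policy applied per credential before requests are forwarded to the management API. The policy name, base path, virtual host, rate, file names and `MANAGEMENT_SERVER_HOST` are assumptions, as is the management server listening on port 8080.

```xml
<!-- apiproxy/policies/SA-MgmtApi.xml (hypothetical name) -->
<!-- Throttles each caller separately, keyed on the Authorization header,
     so one runaway script does not consume the budget of other admins. -->
<SpikeArrest async="false" continueOnError="false" enabled="true" name="SA-MgmtApi">
    <DisplayName>SA-MgmtApi</DisplayName>
    <Identifier ref="request.header.authorization"/>
    <!-- Assumed rate; tune to what the automation legitimately needs. -->
    <Rate>10ps</Rate>
</SpikeArrest>

<!-- apiproxy/proxies/default.xml -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <!-- Enforce the limit before anything reaches the target. -->
            <Step>
                <Name>SA-MgmtApi</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <HTTPProxyConnection>
        <!-- Assumed base path and virtual host. -->
        <BasePath>/mgmt</BasePath>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

<!-- apiproxy/targets/default.xml -->
<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <!-- Placeholder host; the caller's Authorization header passes through unchanged. -->
        <URL>http://MANAGEMENT_SERVER_HOST:8080/v1</URL>
    </HTTPTargetConnection>
</TargetEndpoint>
```

The limit only holds if clients cannot bypass the proxy, so direct network access to the management server would also have to be restricted.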