Securely expose Management API for on-premises installation of Apigee Edge

guycrets
Participant IV

Apigee's cloud version exposes the management API via https://api.enterprise.apigee.com. But how to do similar with an on-premise version?

Our on-premises installation of Apigee Edge is located in a secure network zone. The Management Server is not accessible by our developers. Is there a recommended/standardized approach to expose the Management API endpoint? We would like to expose our own api.enterprise. .com, just like api.enterprise.apigee.com. And this in a (very) secure way.

Would it be possible to add extra authentication based on client certs?


Yes

I think you want to securely expose endpoints #1 (UI) and/or #2 (API) in the diagram below.

[Diagram: 6599-edgesslopdk-v2.png]

Is that right?

If so, please consult this documentation page for Apigee Edge.

Normally the management API is secured via basic authentication or OAuth. You asked about client certs. You can do that, too, but probably you will want to configure a network device to handle that. Something like an inbound F5 or Citrix device, or similar, to verify the client-side cert.

The configuration for those network devices is not different when securing Apigee Edge, than it would be for securing any other HTTPS endpoint. For an example of using F5, see this article.

Exactly: how to expose the API of the Management Server (2) in a secure manner, just like the cloud version with its api.enterprise.apigee.com. Is there a recommended approach to set this up, how to replicate the setup as done by Apigee in the cloud?

Or does it boil down to expose it ourselves via load balancer as api.enterprise.<our-org>.com?

Yes. The hostname is up to you. It need not be "api.enterprise.mycompany.com". You might want it to be "edgemgmt.mycompany.com" or "api.edge.mycompany.com" or "api.edge.internal.mycompany.com".

At the load-balancer device, you can configure the server-side and client-side certs.

And if you have redundant clones of the Mgmt server, then you will want that load balancer device to intelligently route to the various clones, do health checks, etc. Standard HTTP LB stuff.

With Management server in a more secure network zone, there is no option to expose the Management API via the Apigee proxies as well?

Most customers with Apigee on-premise expose the Management API only via their internal network, I may assume? Any experience?

guycrets
Participant IV

So require SSL client cert to access the enterprise API of an Apigee on-premise installation.

I understand that you mean "MANAGEMENT API" when you say "enterprise API".

robert
Participant V

The private cloud management API is on the management server. It is here: <ManagementServer_IP>:8080/v1/<apiURI>

Can you tell us more about your desire (use case) to use client certs? Currently those APIs are secured using an Edge username and password.

If this post answers your question, please click accept to help others.
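An added example, not from the thread and not Apigee's own configuration: the load-balancer setup described in the replies above (TLS termination, client-certificate verification, routing to redundant Management Server clones on port 8080 with health checks), written as an nginx configuration. The hostname, certificate paths, CA file and backend IP addresses are placeholders, and the basic-auth or OAuth credentials Edge already requires are passed through unchanged so the client certificate is an extra layer rather than a replacement.

```nginx
# Two redundant Management Server clones (placeholder IPs). Passive health
# checks: a backend is taken out of rotation after 3 failures for 30 seconds.
upstream edge_mgmt {
    server 10.0.0.11:8080 max_fails=3 fail_timeout=30s;
    server 10.0.0.12:8080 max_fails=3 fail_timeout=30s;
}

# Log who presented which client certificate, for audit of Management API use.
log_format mgmt_audit '$remote_addr "$ssl_client_s_dn" "$request" $status';

server {
    listen 443 ssl;
    server_name api.edge.mycompany.com;          # hostname is up to you (placeholder)

    # Server-side certificate for the public hostname (placeholder paths).
    ssl_certificate     /etc/nginx/tls/api.edge.mycompany.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.edge.mycompany.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-side certificate: only certs issued by the internal developer CA
    # (placeholder file) are accepted; anything else is rejected before proxying.
    ssl_client_certificate /etc/nginx/tls/developer-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    access_log /var/log/nginx/edge-mgmt-audit.log mgmt_audit;

    # Only the versioned Management API path is exposed; the rest of :8080
    # stays reachable from the secure zone only.
    location /v1/ {
        proxy_pass http://edge_mgmt;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Authorization (Edge username/password or OAuth token) is forwarded
        # as-is; the client cert does not replace it.
        proxy_set_header X-Client-Cert-DN  $ssl_client_s_dn;
    }

    location / {
        return 404;
    }
}
```

Backends are plain HTTP on 8080 here, which is acceptable only because the load balancer and the Management Server clones sit in the same secure network zone.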