Apigee Edge SaaS Cloud Topology
We are starting use of the Apigee Edge SaaS Cloud product ( API management and gateway both on the public cloud ) . I have the following queries around the overall deployment topology from cloud to on-premise services.
- We would typically terminate inbound Internet connections on a reverse proxy within our DMZ. Is there any issues with this setup? Also Apigee edge server can act as a TLS server and client so would we terminate TLS/SSL on the apigee edge cloud for a request coming from a external party or use our reverse proxy in the DMZ.
- What is the best way to cross connect with AWS VPC for some of our services from Apigee Edge SaaS cloud API. We would need network connectivity to both AWS VPC and our on-prem for different requirements.
- Does apigee edge cloud servers have fixed ip address range so that we could use ip whitelisting on our firewall to allow inbound connections.If not please recommend alternatives.
Could you please also share any best practices or reference architecture documentation available for enterprise deployments.
Answer by Anil Sagar @ Google
·
Jul 18, 2018 at 02:26 AM
Glad to know that you are getting started with Apigee Edge On Cloud.
Please find answers for your questions.
We would typically terminate inbound Internet connections on a reverse proxy within our DMZ. Is there any issues with this setup? Also Apigee edge server can act as a TLS server and client so would we terminate TLS/SSL on the apigee edge cloud for a request coming from a external party or use our reverse proxy in the DMZ.
- No Issues, That's how exactly enterprises work.Yes, Between Apigee & Client on northbound you can setup 1-way or 2-way SSL on top of that implement API Security using OAuth, JWT, Keys etc. Between Apigee Edge & Your OnPremises server we recommend using 2-way mutual SSL to secure connection between Apigee & Your Backend. Mutual SSL is most trusted to secure connection between Apigee & Backend so that no one can access backend directly except Apigee. All API calls will be secured using Apigee API Security Features like OAuth , Keys, Tokens on northbound.
- External Party talks to Apigee using 1-way SSL + API Securty, Apigee terminates nortboubd TLS/SSL. You will do API Management in Apigee by creating API Proxies. API Proxies talk to your backend OnPremises using 2-way SSL.
What is the best way to cross connect with AWS VPC for some of our services from Apigee Edge SaaS cloud API. We would need network connectivity to both AWS VPC and our on-prem for different requirements.
- You can connect with both the backends (AWS VPC, OnPremises). Just treat them as two different backends & Secure them using 2-way SSL.
Does apigee edge cloud servers have fixed ip address range so that we could use ip whitelisting on our firewall to allow inbound connections.If not please recommend alternatives.
- Yes, Apigee support team can share same. But we highly recommend Mutual SSL. You can do Mutual SSL + IP Whitelisting.
More about same here
-------------------------------
Anil Sagar
Thank you very much for your prompt response and recommendations. This is very useful.
Followup clarification regarding API Security itself, are there any best practices/recommendations for public facing APIs handling sensitive personal data. Could you please share Apigee best practices/recommendations for this.
