Edge Cloud to On-prem connectivity

snehansu
Participant III

Hi, I am using the Edge Cloud enterprise version, and Edge is connecting to an on-prem load balancer as the backend to our data center. The request flow is UI --> Apigee --> LB --> REST API. I can see that I can bypass Apigee and invoke the backend APIs through the LB if I know the URL or some data.

What is the best practice, or how should enterprise-level connectivity from the cloud to on-prem be done?


sidd-harth
Participant V

One of the REST principles is a layered system. Individual components cannot see beyond the immediate layer with which they are interacting. This means that a client connecting to an intermediate component, like a proxy, has no knowledge of what lies beyond.

The whole point of using a proxy layer (Apigee) is to hide/secure the backend implementation.

You can look into TLS,

https://docs.apigee.com/api-platform/system-administration/using-ssl-edge.html

If you have sensitive data in the APIs and want to protect them from API Developers, then have a look at Data Masking, hiding data.

https://docs.apigee.com/api-platform/security/data-masking

The recommendation from Apigee for us is to:

  • Have IP whitelisting done on the LB side (I assume it is on-prem in your case).
    • Apigee will be able to provide the source IP addresses of the Message Processors.
    • Take those source IPs and talk to your NOC team to see how to blacklist all IPs and allow ONLY the Apigee MP IPs.
  • On top of this, see if you can add Mutual TLS so that the transport layer is secured. This is because IP spoofing is still a prevalent concern in the industry.
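The two controls described in the reply above (a source-IP allowlist for the Apigee Message Processors, plus mutual TLS) expressed as an on-prem reverse-proxy configuration. This is an added example, not configuration from the thread, from Apigee, or from anyone's real deployment; it assumes nginx is the on-prem LB, that Apigee's TargetEndpoint is configured to present a client certificate issued by your private CA, and every IP address, hostname and file path below is a placeholder to be replaced with your own values.

```nginx
# Added example (not from the thread): nginx as the on-prem LB in front of the REST API.
# A request is forwarded only if BOTH hold:
#   1. its source IP is one of the Apigee Message Processor (MP) IPs, and
#   2. it presents a client certificate chained to the CA that issued Apigee's client cert.
# Everything else is refused at the LB, so knowing the backend URL is not enough.

# Log the TLS client verification result and subject DN so denied attempts are visible.
log_format backend_access '$remote_addr [$time_local] "$request" $status '
                          'client_verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name api-backend.example.internal;        # placeholder hostname
    access_log /var/log/nginx/backend_access.log backend_access;

    # The LB's own server certificate (placeholder paths).
    ssl_certificate     /etc/nginx/tls/lb.crt;
    ssl_certificate_key /etc/nginx/tls/lb.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the CA bundle that issued the client certificate Apigee presents.
    # With ssl_verify_client on, a missing or untrusted client cert is rejected
    # before any location block is reached.
    ssl_client_certificate /etc/nginx/tls/apigee-client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Source-IP allowlist: only the Apigee MP IPs (placeholders from the
    # documentation range; replace with the list Apigee gives you). Order matters:
    # explicit allows first, then deny everything else.
    allow 203.0.113.10;     # placeholder: Apigee MP 1
    allow 203.0.113.11;     # placeholder: Apigee MP 2
    deny  all;

    location / {
        proxy_pass https://127.0.0.1:8443;           # placeholder: the REST API behind the LB
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        # Pass the verified client DN downstream so the API can audit which
        # caller identity the LB admitted.
        proxy_set_header X-Client-Cert-DN  $ssl_client_s_dn;
    }
}
```

Two things to check when rolling this out. First, `allow`/`deny` match `$remote_addr`, so if a NAT device or another proxy sits between Apigee and this LB, the address nginx sees is that device's, not the MP's, and the allowlist collapses to a single hop; the mTLS requirement is what still holds in that case, which is the reason the reply recommends both. Second, confirm the deny path from a host that is not on the allowlist and one that is on it but has no client certificate: the first should be refused with 403, the second should fail the TLS handshake and appear in the log with `client_verify=NONE`.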