Edge Cloud to On-prim connectivity
Hi, I am using edge cloud enterprise version and edge is connecting to on-prim load balancer as backend to our data center. Request flow is like UI-->Apigee-->LB-->Rest API. I could see , I can bypass the apigee and invoke backend apis through LB if we know the url or some data.
What is the best practice or how should be enterprise level connectivity from cloud to on-prim ?
Answer by Siddharth Barahalikar
·
Jun 17 at 06:26 AM
One of the REST principles is a layered system. Individual components cannot see beyond the immediate layer with which they are interacting. This means that a client connecting to an intermediate component, like a proxy, has no knowledge of what lies beyond.
The whole point of using a proxy layer(Apigee) is to hide/secure the backend implementation.
You can look into TLS,
https://docs.apigee.com/api-platform/system-administration/using-ssl-edge.html
If you have sensitive data in the APIs and want to protect them from API Developers, then have a look at Data Masking, hiding data.
The recommendation from apigee for us is to
- Have an IP whitelisting done on the LB side (I assume it is on-prem in your case).
- apigee will be able to provide the source IP address of Message processors.
- Take the source IP and talk to your NOC team to see how to blacklist all IPs and allow ONLY the apigee MP IPs.
- On top of this, see if you can add Mutual TLS so that the transport layer is secured. This is because, IP spoofing is still a prevalent concern in the industry.
