How do I ensure a developer cannot call the target API directly and use the API proxy instead?

Hi all,

If I am going to expose my internal APIs to the internet so Apigee can proxy them, how do I ensure developers don't call my internal APIs directly?

I have read about whitelisting IP addresses used by Apigee, but how would you go about this if your company's current Apigee setup does not have dedicated IP addresses?

1 ACCEPTED SOLUTION

Hi @Nicnic Nicnic,

If you are using the Apigee cloud version, you can request IPs which can be whitelisted from your backend. Still, there are options for you to protect your backend -

Even if you whitelist the Apigee IPs, you should still consider having the above points as part of a better security model.

Hope this helps, and let me know if you need more information.

2 REPLIES

I prefer 2-way TLS.
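
As an added example (not code from this thread or from Apigee), here is one way a Python backend could enforce the two controls mentioned in the replies: 2-way TLS as the primary check, with the IP allowlist applied only when the proxy has stable egress IPs. The CIDR, the certificate CN and the function names are assumptions for illustration.

```python
import ipaddress
import ssl

# Assumed values for illustration only (not from the thread).
PROXY_CIDRS = ["203.0.113.0/28"]            # documentation range standing in for proxy egress IPs
PROXY_CERT_CN = "apigee-proxy.example.com"  # hypothetical CN of the proxy's client certificate


def build_server_context(cert_file, key_file, client_ca_file):
    """Backend TLS context that rejects clients lacking a certificate issued by client_ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=client_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client certificate
    return ctx


def subject_common_names(peer_cert):
    """Collect commonName values from the dict returned by SSLSocket.getpeercert()."""
    names = []
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def is_from_proxy(client_ip, peer_cert, cidrs=PROXY_CIDRS, expected_cn=PROXY_CERT_CN):
    """Accept a request only when the verified client certificate identifies the proxy.

    Pass cidrs=None when the proxy has no dedicated IPs; the certificate check
    then stands alone. When cidrs is given, the source IP must also match.
    """
    cert_ok = bool(peer_cert) and subject_common_names(peer_cert) == [expected_cn]
    if not cidrs:
        return cert_ok
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address is never allowed
    return cert_ok and any(addr in ipaddress.ip_network(c) for c in cidrs)
```

In a real server, `peer_cert` would come from `getpeercert()` on a connection accepted with the context from `build_server_context`, so the CN has already been validated against the client CA before this check runs.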