How do I ensure a developer cannot call the target API directly and use the API proxy instead?
Hi all,
If I am going to expose my internal APIs to the internet so Apigee can proxy it, how do I ensure developers don't call my internal APIs directly?
I have read about whitelisting IP addresses used by Apigee, but how would you go about this if your company's current Apigee setup does not have dedicated IP addresses?
Best Answer
Hi @Nicnic Nicnic,
If you are using APIGEE cloud version you can request for IPs which can be whitelisted from your backend. Still there are the options for you to protect your backend -
- Explore and integrate 2 way SSL https://docs.apigee.com/api-platform/system-administration/about-ssl
- Add CORS and allow only apigee URL even there is no fix IPs for apigee
- Add authentication to the backend apis and and share with APIGEE only so developers won't get direct access to the backend apis.
Even you whitelist Apigee IP, you should still consider to have above points as a part of better security model.
Hope this helps, and let me know if you need more information.
