Backend healthcheck urls should not have security from microgateway

babuk0930
Participant III

We have backend applications running behind microgateway. Each application has its own healthcheck URLs.

How can we make the healthcheck URLs not have security while the backend application URLs still use OAuth?

@Dino-at-Google,


Are you accessing health check URLs from microgateway URLs?

babuk0930
Participant III

Our Bluemix microservice endpoints are secured by microgateway, and in the microservice we have health check endpoints.

So even though we hit Bluemix endpoints, it routes to microgateway first, then to the microservice.

Since the whole application is secured by OAuth via microgateway, how can we make the health check URLs of that application unsecured?

1. Does that mean the microservice endpoints are getting proxied with microgateway? And OAuth is getting enabled for all of the endpoints you have?

2. Is the healthcheck URL part of the microservice or microgateway? (It should be a part of the microservice and accessible through some load balancer.)

Hi @SatK,

We have done a similar implementation but without microgateway. We do have healthcheck URL in each microservice which we have configured on LB and protected this with IP whitelisting and HSTS as of now. We do not proxy the healthcheck URL from apigee at all as healthcheck url is needed by the load balancer only. Also healthcheck doesn't need any auth middleware.

Yes, normally it is like that without microgateway.

For the microservice implementation with Apigee we followed this:

https://github.com/swilliams11/apigee-microgateway-bluemix

But with this approach, health checks are also getting protected.

Who uses the health-check URL? If only the load balancer, then you don't need to put access token protection on top of this.

That's correct, we don't need to put protection on healthchecks.

My question is how to achieve that in microgateway, as all URLs will be protected with OAuth in the gateway config.

Can we exclude specific URLs? How can we achieve this?

If you have developed the healthcheck on the microservice, then why are you accessing it from microgateway? The load balancer should be able to access the microservice endpoint without authentication. Just think, maybe your problem is already resolved.

We are hitting the microservice health check only, not hitting it via the microgateway endpoint. Even though we hit the microservice healthcheck endpoint directly, the Bluemix go router will route the request to microgateway internally first, and it does all the auth, quota, etc. for all URLs that are on the microservice.

So we want to exclude only the health check.

I am not sure how the Bluemix framework is getting involved if your microservice is independent. You should check for segregation between Bluemix and the microservice. Anyway, I do need to check further with your use case. If you can share some code which replicates the issue, it would be faster for me to debug this. Meanwhile, we can check with @Dino-at-Google @Siddharth Barahalikar if they can help us here.