Best Design approach of Router Message Processor (Apigee On Premise) -Internal -External API isolation

As per the linked document, which lists Router (standalone) and Message Processor (standalone), what does standalone mean?


I understand that TLS needs to be enabled between the Router and Message Processor to route requests to the Apigee backend.

What's the right approach to designing isolation and maintaining internal and external API management in Apigee On Premise? Listing 3 approaches (which approach suits a situation handling both internal and external APIs?).

Approach 1: Using a separate Router/Message Processor in the DMZ (for business partner consumption only) and another Router/Message Processor inside the internal firewall (for internal user consumption).

i.e. exposing the external API using the external R/MP and exposing the internal API using the internal RMP.

Approach 2: Having both internal and external APIs published in the internal RMP only & managing access to the APIs only using the internal RMP (and no RMP in the DMZ).

Approach 3: In cases where there is a restriction on placing both R & MP in the DMZ (for exposing the external API), can we have only the Router (R) in the DMZ (which handles external API requests) & the Message Processor (MP) of the external Router inside the internal firewall? Is that a correct design of the RMP (responsible for handling the external API)? And placing the RMP for the internal API inside the firewall?

I understand that placing the DB in the DMZ will have security concerns, but does having both R & MP in the DMZ trigger any security-related issues/impacts?

Which approach is correct? And which approach can be used for the listed situation? Overall, we need to handle both external and internal APIs in the best way through Apigee on-premise version 4.19.x.

Hopefully the choice of (Approach 1 or Approach 3) vs Approach 2 is not made based on cost factor, but on known best approaches?


Routers and Message Processors are often deployed on the same server. The (standalone) configurations are deployments of one without the other.

Approach 1 is likely what you want here, but I'd suggest putting the RMPs in either separate organizations or separate environments so you can control which proxies are deployed internal / external / both.

@Christian King If I have a situation where the R (Router) needs to be in the DMZ for external users and the Message Processor inside the firewall (within the client network) due to security mandates, which means only the R will be in the DMZ, will that have any impacts?

As per the link, it indicates the following:

************

A Message Processor keeps a dedicated connection pool open to Cassandra, which is configured to never timeout. When a firewall is between a Message Processor and Cassandra server, the firewall can time out the connection. However, the Message Processor is not designed to re-establish connections to Cassandra.

To prevent this situation, Apigee recommends that the Cassandra server, Message Processor, and Routers be in the same subnet so that a firewall is not involved in the deployment of these components.

***********

Based on the above comments, I understand that the same is true for Router and Message Processor communication as well (which is not documented clearly), i.e. if there is a firewall between the Router and Message Processor, then any timed-out connections to the Message Processor will not be re-established, because the Message Processor is not designed to re-establish such timed-out connections.

Isn't this a bug in the Message Processor which should be handled by Google?

@AMAR DEVEGOWDA @Dino I need your comments to understand more about the MP.