Hi all,
I have an interesting requirement -- my organization has specific requirements w.r.t. DMZ setup and proxy flow mechanism.
We have an approach to place the Router and Message Processor in the DMZ. There are two limitations --
FIRST: The MP in the DMZ has to connect to application servers, for which we end up having to open a wildcard port from the MP to the Private network (which is a no-go). How do we remediate this?
Below document has the visual representation of the flow.
SECOND:
In the Apigee documentation, "A Message Processor keeps a dedicated connection pool open to Cassandra, which is configured to never timeout. When a firewall is between a Message Processor and Cassandra server, the firewall can time out the connection. However, the Message Processor is not designed to re-establish connections to Cassandra.
To prevent this situation, Apigee recommends that the Cassandra server, Message Processor, and Routers be in the same subnet so that a firewall is not involved in the deployment of these components."
What would be the implication of it? How do we remediate this?
Here comes the interesting one my security folks want to see --
If we can design the platform and proxy flow in such a way that all the validation of the policies occurs at the DMZ MP, which then forwards to the Private network MP -- this private network MP would take care of forwarding requests to the Application servers on different ports for different hosts, like in the attached document.
Is there a way we can achieve this with less effort for on-boarding proxies and less cost?
Thanks,
Latheef D
@Christin Brown @Dino-at-Google