APIGEE EDGE DMZ - Setup - Proxy Flow

Hi all,

I have an interesting requirement -- my organization has specific requirements w.r.t. DMZ setup and proxy flow mechanism.

We have an approach to place Router and Message Processor in DMZ. There are two limitations --

FIRST: The MP in DMZ has to connect to application servers, for which we need to end up opening a wildcard port from MP to the Private network (which is a no-go). How do we remediate this?

Below document has the visual representation of the flow.

dmz-apigee.pdf

SECOND:

In the Apigee documentation, "A Message Processor keeps a dedicated connection pool open to Cassandra, which is configured to never timeout. When a firewall is between a Message Processor and Cassandra server, the firewall can time out the connection. However, the Message Processor is not designed to re-establish connections to Cassandra.

To prevent this situation, Apigee recommends that the Cassandra server, Message Processor, and Routers be in the same subnet so that a firewall is not involved in the deployment of these components."

What would be the implication of it? How do we remediate this?

Here comes the interesting one my security folks want to see --

If we can design the platform and proxy flow in such a way that all the validation of the policies occurs at the DMZ MP, which forwards to a Private network MP -- this private network MP would take care of forwarding the request to Application servers on different ports for different hosts, like in the attached document.

Is there a way we can achieve this with less effort for proxy on-boarding and less cost?

Thanks,

Latheef D

@Christin Brown @Dino-at-Google
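The connection-timeout problem in the SECOND point, as an added example that is not part of the original post and not Apigee's or Cassandra's code: a Python simulation in which a local echo server stands in for Cassandra behind a stateful firewall and, once a connection has been idle longer than the firewall's timeout, silently discards everything on it without closing it (the assumed behaviour of a firewall whose state-table entry has expired). Beside it is a one-slot connection pool that either reuses the idle connection blindly, the behaviour the quoted documentation attributes to the Message Processor, or probes it first and reconnects. The server, the pool, the `PING` probe and all timeouts are constructed for this illustration.

```python
import socket
import threading
import time

HOST = "127.0.0.1"


def _serve_conn(conn, idle_timeout):
    """Echo data back; once the flow has been idle longer than idle_timeout,
    act like a firewall whose state-table entry expired: keep the socket open
    but silently black-hole everything (no FIN, no RST)."""
    dropped = False
    conn.settimeout(idle_timeout)
    with conn:
        while True:
            try:
                data = conn.recv(1024)
            except socket.timeout:
                dropped = True          # idle too long: the "firewall" forgets the flow
                conn.settimeout(None)
                continue
            if not data:                # peer closed the connection
                return
            if not dropped:
                conn.sendall(data)      # live flow: echo back; dropped flow: discard


def start_server(idle_timeout):
    """Start the simulated Cassandra-behind-a-firewall endpoint on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen()
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed by run_scenario
                return
            threading.Thread(target=_serve_conn, args=(conn, idle_timeout),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


class ConnectionPool:
    """One-slot pool. validate=False reuses an idle connection blindly;
    validate=True probes a connection idle longer than idle_after and replaces
    it when no reply arrives within probe_timeout."""

    def __init__(self, port, validate, probe_timeout=0.5, idle_after=0.2):
        self.port = port
        self.validate = validate
        self.probe_timeout = probe_timeout
        self.idle_after = idle_after
        self.conn = None
        self.last_used = 0.0
        self.reconnects = 0

    def _connect(self):
        self.conn = socket.create_connection((HOST, self.port), timeout=self.probe_timeout)
        self.last_used = time.monotonic()

    def _alive(self):
        try:
            self.conn.sendall(b"PING\n")
            return self.conn.recv(16) == b"PING\n"
        except OSError:                 # socket.timeout is an OSError
            return False

    def acquire(self):
        if self.conn is None:
            self._connect()
        elif (self.validate
              and time.monotonic() - self.last_used > self.idle_after
              and not self._alive()):
            self.conn.close()
            self.reconnects += 1
            self._connect()
        return self.conn

    def request(self, payload):
        conn = self.acquire()
        conn.sendall(payload)
        reply = conn.recv(1024)         # times out on a black-holed flow
        self.last_used = time.monotonic()
        return reply


def run_scenario(validate, idle_timeout=0.5, idle_gap=1.5):
    """One query, then idle past the firewall timeout, then a second query.
    Returns both replies (second is None if it failed) and the reconnect count."""
    srv, port = start_server(idle_timeout)
    pool = ConnectionPool(port, validate=validate)
    try:
        first = pool.request(b"query-1\n")
        time.sleep(idle_gap)            # pooled connection sits idle past the timeout
        try:
            second = pool.request(b"query-2\n")
        except OSError:
            second = None
        return {"first": first, "second": second, "reconnects": pool.reconnects}
    finally:
        if pool.conn is not None:
            pool.conn.close()
        srv.close()


if __name__ == "__main__":
    print("blind reuse:   ", run_scenario(validate=False))
    print("validate first:", run_scenario(validate=True))
```

The point the simulation makes visible is that an expired firewall state entry does not produce a connection error: the pooled socket still looks open, and the failure only surfaces as a request that hangs until the client-side timeout. A pool that probes idle connections and reconnects recovers, but that is exactly what the quoted documentation says the Message Processor does not do, which is why Apigee's guidance is to keep Message Processor, Router and Cassandra in one subnet with no stateful firewall in the path, or otherwise to make sure nothing between them ever expires an idle flow.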

