Using API Proxy Endpoint as Apigee Alert Webhook: How to Limit Incoming Traffic ONLY to Apigee Alert System

skazemi
Participant I

Hello:

We are developing an API Monitoring Proxy on Apigee Edge that is designed to take in a JSON payload sent by the Alerts we have configured in Apigee and transform it into another payload to send to ServiceNow's Events API. We want to ensure that our API Monitoring Proxy only allows traffic from Apigee's Alert system and not from any other client.

Is there a recommended way of doing this? We have investigated IP Whitelisting, but it seems like the IP addresses used by Apigee Alerts are dynamic and not static.

Edit: We are already using an API key as a first line of defense, but we would like to add an additional layer of security.

2 REPLIES

@Sara Kazemi

How about adding an API Key in the URL (as a query param) and then verifying that in the actual call within the proxy? With this you can make sure it's only coming from the alert system. You can rotate the API Key once every 30 days or so as well to make sure it's secure. The analytics should tell you who's calling, just in case you are curious.

The same is mentioned here as well. Please see the table in point 8
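The query-parameter key check suggested in the reply above, sketched as Apigee Edge policy configuration. This is an added example, not configuration posted by anyone in the thread; the policy names (`VK-AlertWebhook`, `AM-StripApiKey`) and the query parameter name `apikey` are assumptions. It also removes the key from the request before it is forwarded, so the webhook credential is not passed on to the ServiceNow target.

```xml
<!-- policies/VK-AlertWebhook.xml (assumed name)
     Rejects the request unless the apikey query parameter matches a
     valid, approved credential of an app on an API product that
     includes this proxy. -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VK-AlertWebhook">
    <DisplayName>VK-AlertWebhook</DisplayName>
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- policies/AM-StripApiKey.xml (assumed name)
     Removes the key from the query string after verification so it is
     not sent to the backend along with the transformed payload. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-StripApiKey">
    <DisplayName>AM-StripApiKey</DisplayName>
    <Remove>
        <QueryParams>
            <QueryParam name="apikey"/>
        </QueryParams>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Fragment of proxies/default.xml: run both policies in the request
     PreFlow, before any payload transformation. -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>VK-AlertWebhook</Name>
        </Step>
        <Step>
            <Name>AM-StripApiKey</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>
```

For the 30-day rotation, a second credential can be added to the same developer app and the alert webhook URL updated to use it before the old credential is revoked, so no alerts are rejected during the switch.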

Oops! Forgot to mention that we are already indeed using an API Key as a first line of defense. The client for whom we are developing this would like an extra layer of security, however.