I'm using Azure API Management.
Since APIM does not provide built in WAF, i'd like to use app gateway in front of APIM.
According to the following article, it is possible.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
But some of my APIM are Not integrated with VNet or integrated VNet as external.
And i'd like to integrate those APIM with app gateway as well.
So is this possible scenario or Do i need to migrate existing APIMs to internal VNet?
Thanks a lot.
Advices or documentations.
As per the Microsoft documentation Backend Pools of Application Gateway can contain public ip address, so for your external APIM you can specify the public IP of the APIM, in you Application Gateway backend Pool.
But this doesn't make any sense, because now you are planning to use the application gateway and it supports a way to expose your APIs even if it is in internal vnet mode. As a security point of view it is better to move external APIM to internal mode.
If you want keep the external apim , then you have to find a way to restrict access to this external APIM only via application gateway, and all other direct access to APS should be blocked.
Related
We have a frontend and multiple backend applications(.Net applications) used internally in the company, and these applications had to be reachable from inside and outside using SSO with Azure AD as entity provider.
All communicatio from outside must be pass through Mulesoft API Gateway(We don't know if we have to use SAML/OAuth section in mulesoft).
We are wondering how we could implement all these staff using SSO.
Also backend APIs must be protected using SSO.
So, what is the best way to implement the solution ? Do we hav to use the SAML for backend API ? How mulesfot will handle ingress and egress flows ?
Users of ours running their code, on premise, access data we provide them via GCP's BigQuery API. It's a REST API with a client library wrapper.
We want to protect access to the BigQuery API backend with a firewall (in order to whitelist client IP's etc). What are the best options, preferably some GCP solution? Reading Google's documentation it's not clear if I can include the client's IP address in a GCP VPC, or if there's another way of doing it. Cloudflare also seems like an option, but I'd prefer to use a GCP offering.
So this is the case:
What we have:
We have a Service (webApp) in kubernetes API + Vue.js frontend hosted in AWS.
And we also have some Services (webApp) in Kubernetes API + React.js frontend hosted in GCP.
We are able to use same domain subdomains for each (like: a.domain.com and b.domain.com).
What we need:
We need to let the user think this 2 servers are only one.
The idea is that the user uses the same Username/password for both servers, but
the most immportant part is that he only needs to log in to one of this to be logged in the other automaticaly.
We have the parent domain in Google, and we prefer a solution that is implemented in GCP and the AWS server should just consume this auth method/config/etc.
Love to hear some ideas
If you have multiple replicas of the webApp frontend distributed in multi-cloud environments, you can use dynamic DNS and load balancing services like Cloudflare provides to distribute the access to your app frontend as explained here.
Then you need connect the multi-cloud VPCs and make accessible your backend to your multiple frontends.
You can use managed VPN services from both cloud providers to have an encrypted channel between VPCs in both cloud environments and to transfer data by using private IP addresses.
Google offers Cloud VPN as a managed VPN service for encrypted IPsec tunnels, which can be used on the Google end. AWS offers AWS Site-to-Site VPN and Azure offers Azure VPN gateway. You can connect your VPCs between the environments by using one or multiple VPN tunnels.
With that you can operate your webApp on multi cloud.
Clients that communicate against a single point of entry via an API Gateway over HTTPS against a RESTful API
API Gateway: API Keys for tracking and analytics, oAuth for API platform authentication
User Micro service provides user authentication and authorization, generates JWT that is signed and encrypted (JWS,JWE)
Other micro services determine permissions based on claims inside JWT
Micro services communicate internally via PUB/SUB using JWT in the message and other info. Each micro service could be scaled out with multiple instances (cluster with a load balancer).
Question: Can I cluster the the API Gateway and have the load balancer in front of it. What do I need to consider with respect to managing authentication? ie: sharing of API Keys across the API Gateway cluster?
Extra notes, I'm planning on terminating SSL at the gateway and the use of bcrypt for passwords in the db.
Any feedback would be great, thank you.
Can I cluster the the API Gateway and have the load balancer in front
of it.
Yes, you can. Most of the good Api Gateway solutions will provide the ability to do clustering. e.g. https://getkong.org/docs/0.9.x/clustering/ or you can use cloud based Api Gateway: Azure API Management or AWS API Gateway
What do I need to consider with respect to managing authentication?
These specifics depends on your selection of API Gateway solution.
I have several web services that I want to make available to clients. My clients are split into two groups:
users using a web browser (I serve a web page that uses javascript + AJAX to request data from the web services)
applications (e.g. server app pulling data into a client's system)
1) I can solve the former by exposing my web services to external users using the application server and I can use the identity server to authenticate access (haven't worked how to do this out yet).
2) The latter is nicely satisfied by using the API manager. I can happily tell clients to log in to the API manager and subscribe to APIs. The APIs I create are proxies for the web services mentioned in 1).
I know that an API I create in the API manager can include a username and password for accessing the proxied web service. Is it possible to let an API proxy a web service that is authenticated using the identity manager? Sorry I'm reading documentation and struggling to understand if I can do this. Thanks
". Is it possible to let an API proxy a web service that is
authenticated using the identity manager? "
Currently APIManager supports the service endpoints which are secured using basicauth/usernametoken.
If you use identityserver to secure you service, using any other mechanism, that wont be supported by APIManager.
Stodge,
Default API manager authentication mechanism is Oauth. it uses Oauth token mechanism to authenticate all APIs.
Please refer [1],
Here the authentication component also sits in the AM. This can be delegated to a different AM instance if required.
Hope this helps.
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs