I have a basic question on how the Layer-7 API management product works. I believe all API URLs are protected in Layer-7 and all API requests go through the Layer-7 gateway, which authenticates the caller and forwards the requests to the API hosting server (based on URI/URL), which returns the API response back to the caller via the gateway. Do we need to install any Layer-7 plug-in or library on the API hosting server? How do we protect against someone calling the API directly by invoking the hosting server (bypassing the Layer-7 gateway) and setting the required headers? Basically, how does the API hosting server ensure that the request came via Layer-7?
The gateway does not require an agent or library to be installed on the back-end servers. The Gateway is meant to have requests forwarded through it to be processed, validated, etc. This is normally controlled by isolating the back-end environment from direct traffic from both external and internal sources. If this is not feasible, then depending on the back-end technology you can set up redirect rules or outright denial of access based on the client IP address accessing it, and/or use client mutual authentication that only the Gateway has the private key for and the back-end trusts.
Director, CA Support
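The mutual-authentication option from the answer above, as an added example that is not code from this thread or from the CA product: a back end whose only protection is its TLS configuration, which completes the handshake solely for a client certificate chaining to a gateway CA. The CA, the gateway's certificate, the names "gateway-ca" and "api-gateway", and the `issue`/`StartBackend`/`Call` helpers are all constructed here for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue generates an Ed25519 key pair and a certificate for it; parent == nil yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// StartBackend is the API host: no gateway agent, only a TLS listener that requires a client cert issued by the (constructed) gateway CA.
func StartBackend() (*httptest.Server, tls.Certificate) {
	ca, caKey := issue("gateway-ca", true, nil, nil)
	gw, gwKey := issue("api-gateway", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv, tls.Certificate{Certificate: [][]byte{gw.Raw}, PrivateKey: gwKey} // the gateway's client cert
}
// Call sends one request to the back end; cert == nil models a caller that bypasses the gateway.
func Call(srv *httptest.Server, cert *tls.Certificate) error {
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the back end's server cert
	if cert != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*cert}
	}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}
```

A caller that sets the right headers but lacks the gateway's private key never gets past the handshake, so the application code behind the listener never sees the request.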