Daniele,
Good morning. In response to your questions, I've posted through some responses.
Q1. Can the communication between API Portal SaaS and API Gateway on-premises occur through the reverse proxy/load balancer, or must there exist a "direct channel" between API Portal SaaS and API Gateway on-premises?
Response: The communication between the API Portal and Gateway has 2 different flows. One flow is for synchronization of services, fragments, etc., whereby the Gateway will initiate the call to the API Portal, so it is a pull model. The Gateway will need to use Client Mutual to communicate with the Portal, so you are not able to terminate the connection between the Gateway and the Portal. The other flow is for the API Explorer usage in the Portal, which only requires SSL to the Gateway but can be terminated prior to the Gateway. The only piece is that the VIP name being used matches the SSL certificate on the termination point to avoid CORS issues.
Q2. I know that in a deployment without API Portal the reverse proxy/load balancer exposing the API Gateway can be configured to perform "port translation" (i.e. reverse proxy/load balancer will expose port 443 and it will forward the traffic to API Gateway on-premises on port 8443). Is this configuration "supported" for a deployment with API Portal SaaS too?
Response: Yes, it is supported.
Q3. In order to implement the proper firewall rules, which ports will be used in the communication between API Portal SaaS and API Gateway on-premises?
Response: Default HTTPS port 443 can be used for all inbound and outbound communication.
Sincerely,
Stephen Hughes
Broadcom Support
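
The reply to Q1 requires the VIP name to match the SSL certificate on the termination point. The following is an added example, not part of the original message or Broadcom's tooling, that checks whether a certificate's DNS subjectAltName entries cover a given VIP name; the host names and the sample certificate are constructed placeholders.

```python
import socket
import ssl

# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway-vip.example.com"),),),
    "subjectAltName": (("DNS", "gateway-vip.example.com"),
                       ("DNS", "*.apis.example.com")),
}


def san_dns_names(cert):
    """Return lower-cased DNS subjectAltName entries from a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Reject over-broad patterns such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_host(cert, host):
    """True if any DNS SAN in the certificate covers the VIP host name."""
    return any(name_matches(p, host) for p in san_dns_names(cert))


def fetch_cert(host, port=443, timeout=5):
    """Live check: fetch the certificate the termination point presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are checked above
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for vip in ("gateway-vip.example.com", "gw01.internal.example.com"):
        print(vip, "covered" if cert_covers_host(SAMPLE_CERT, vip) else "NOT covered")
```

To test a real deployment, pass the result of `fetch_cert("<your VIP name>")` to `cert_covers_host` with the same name the Portal is configured to use.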