Layer7 API Management

Expand all | Collapse all

Questions about hybrid implementation

  • 1.  Questions about hybrid implementation

    Posted 12-15-2017 06:26 AM

    Hi community,
    one of our Customer is going to adopt a hybrid implementation of CA API Managment SaaS (with the API Portal SaaS and the API Gateway on-premises).

    The on-premises API Gateway will be exposed to internet using a reverse proxy (acting as load balancer too). The reverse proxy/load balancer will be in a DMZ network and therefore behind a firewall. Considering the scenarion just described I have a couple of question about.

    • Q1. Can the communication between API Portal SaaS and API Gateway on-premises occur through the reverse proxy/load balancer or must exists a "direct channel" between API Portal SaaS and API Gateway on-premises?
    • Q2. I know that in a deployment without API Portal the reverse proxy/load balancer exposing the API Gateway can be configured to porform "port translation" (i.e. reverse proxy/load balancer will expose port 443 and it will forward the traffic to API Gateway on-premises on port 8443). Is this configuration "supported" for a deployment with API Portal SaaS too?
    • Q3. In order to implement the proper firewall rules which ports will be used in the communication between API Portal SaaS and API Gateway on-premises?

     

    Thanks in advance,
    Daniele



  • 2.  Re: Questions about hybrid implementation

    Posted 12-17-2018 02:13 PM

    Daniele,

     

    Good morning. In response to your questions, I've posted through some responses.

     

    Q1. Can the communication between API Portal SaaS and API Gateway on-premises occur through the reverse proxy/load balancer or must exists a "direct channel" between API Portal SaaS and API Gateway on-premises?


    Response: The communication between the API Portal and Gateway has 2 different flows. One flow is for synchronization of services, fragments, etc where by the Gateway will initiate the call to the API Portal so a pull model. The gateway will need to use Client Mutual to communicate with the Portal so you are not able to terminate the connection between the Gateway and the portal. The other flow is for the API Explorer usage in the Portal which only requires SSL to the Gateway but can be terminated prior to the Gateway. The only piece is that the VIP name being used matches the SSL certificate on the termination point to avoid CORS issues.

     

    Q2. I know that in a deployment without API Portal the reverse proxy/load balancer exposing the API Gateway can be configured to porform "port translation" (i.e. reverse proxy/load balancer will expose port 443 and it will forward the traffic to API Gateway on-premises on port 8443). Is this configuration "supported" for a deployment with API Portal SaaS too?


    Response: Yes it is supported.

     

    Q3. In order to implement the proper firewall rules which ports will be used in the communication between API Portal SaaS and API Gateway on-premises?


    Response: Default HTTPS port 443 can be used for all inbound and outbound communication.

     

    Sincerely,


    Stephen Hughes
    Broadcom Support