Automic Workload Automation

Hello,

My team is interested in utilizing the internal REST API to administer job execution via REST API's. As it stands, the endpoint is only exposed to distributed servers that the application engine is comprised of. What is recommended when it comes to exposing the REST endpoint? Currently, our firewall team can expose specific communication with the server where the REST endpoint lives, but that doesn't seem optimal. Would a proxy server be a possible solution? Is there a way to utilize the already exposed AWI server/endpoint to act as a proxy? 

I appreciate any clever insight on this!

Thanks,

Tamman Montanaro

Hi @Tamman Montanaro

please have a look in our documentation at

• Automic Automation Architecture https://docs.automic.com/documentation/webhelp/english/AA/24.1/DOCU/24.1/Automic%20Automation%20Guides/Content/_Common/Welcome/AWA/AWAArchitecture.htm
• Configuring Firewall and Ports https://docs.automic.com/documentation/webhelp/english/AA/24.1/DOCU/24.1/Automic%20Automation%20Guides/Content/_Common/Security/Security_Hardening_AEFirewallPorts.htm

In order to use the AE's REST endpoint the "client" must be able to access the configured port (Ports for REST process HTTP 8088 as defined in PORT). Of course, HTTPS can be configured to increase the security (see section REST at https://docs.automic.com/documentation/webhelp/english/AA/24.1/DOCU/24.1/Automic%20Automation%20Guides/Content/AWA/Admin/inifiles/admin_ini_automationengine.htm ). 

Michael

------------------------------
Michael K. Dolinek

Engineering Program Manager | Agile Operation Division
Broadcom Software
------------------------------

Original Message:
Sent: Aug 05, 2024 04:46 PM
From: Tamman Montanaro
Subject: Exposing REST API

Hello,

My team is interested in utilizing the internal REST API to administer job execution via REST API's. As it stands, the endpoint is only exposed to distributed servers that the application engine is comprised of. What is recommended when it comes to exposing the REST endpoint? Currently, our firewall team can expose specific communication with the server where the REST endpoint lives, but that doesn't seem optimal. Would a proxy server be a possible solution? Is there a way to utilize the already exposed AWI server/endpoint to act as a proxy? 

I appreciate any clever insight on this!

Thanks,

Tamman Montanaro

Hi,
Some time ago I shared here one idea how to secure the REST API using a reverse proxy: 
Automic Workload Automation

There is also a Video ( in German ) exploring the idea a little bit further: 
Automic REST API Verwendung mit NGINX einschränken

YouTube		remove preview
Automic REST API Verwendung mit NGINX einschränken Dieses Video ist eine Einführung in das Thema REST API Verwendung einschränken. Wir konfigurieren gemeinsam die ersten NGINX Regeln für die Automic Web Application Firewall. Die Designer wissen schon Bescheid, dass der Zugriff möglicherweise unbeschränkt ist, also beeilen wir uns! Dieses Video ist Bestandteil von PEM, der größten deutschsprachigen Automic-Lernplattform. View this on YouTube >

It works quite reliable. But nginx is of course one of the possible ways. 

Cheers,

Marcin

------------------------------
Cheers,
Marcin
------------------------------

Original Message:
Sent: Aug 05, 2024 04:46 PM
From: Tamman Montanaro
Subject: Exposing REST API

Hello,

My team is interested in utilizing the internal REST API to administer job execution via REST API's. As it stands, the endpoint is only exposed to distributed servers that the application engine is comprised of. What is recommended when it comes to exposing the REST endpoint? Currently, our firewall team can expose specific communication with the server where the REST endpoint lives, but that doesn't seem optimal. Would a proxy server be a possible solution? Is there a way to utilize the already exposed AWI server/endpoint to act as a proxy? 

I appreciate any clever insight on this!

Thanks,

Tamman Montanaro