Paired Deployment

Reverse invoke deployment allows you to securely expose your API end points without exposing the backend APIs or services. You can configure reverse invoke by initiating a connection from the backend servers of the API Gateway present in the demilitarized zone (DMZ).

In a normal configuration, your API Gateway accepts requests directly from the clients in DMZ zone which can cause network security issues. With reverse invoke setup, an additional API Gateway is used to enhance security. The additional API Gateway is placed in the insecure DMZ and the actual API Gateway that interacts with the native services, resides in the more secure green zone.

In a reverse invoke deployment scenario, the external clients send requests to the DMZ API Gateway. These requests are received by the external port of the DMZ API Gateway and forwarded to the registration port. The green zone API Gateway interacts with the registration port and receives the requests, processes the requests through the native service and sends back the responses to the registration port of the DMZ API Gateway. The responses are then forwarded to the external port of DMZ API Gateway and from there to the external clients.

If a request is made to the external port and if the API is not available, the request is delegated to the registration port. The listener port configured on the green zone API Gateway listens to the registration port and picks up this request (reverse invoke), processes it, and then sends back the response to the DMZ API Gateway.

If a request is made to the external port and if the API exists locally, the DMZ API Gateway processes the request.

The registration port and the external port operate independently. If you define the registration port with the HTTP protocol, you can still configure the external port with the HTTPS protocol.