API Gateway Deployment Scenarios
API Gateway enforces threat protection, policies and routing capabilities for APIs. This section describes high-level API Gateway architecture for various deployment scenarios.
Deployment scenario 1: Paired gateway deployment
This setup consists of:
* One or more standard edition API Gateways, used for threat protection and connected to a load balancer in the DMZ.
* One or more advanced edition API Gateways clustered in the green zone to enforce policies and provide routing capabilities. You can have multiple instances of API Gateways connected through a load balancer and clustered using Terracotta Server Array. You can add an extra layer of protection by using reverse invoke. To learn more about reverse invoke, see Reverse Invoke Configuration in API Gateway.
A firewall protects the API Gateway infrastructure in the paired deployment. The API Gateways communicate between the zones using the reverse invoke approach.
The following diagram provides an architectural overview of the paired gateway deployment:
In a typical paired deployment scenario (two API Gateways connected through reverse invoke), you have a standard edition API Gateway in the DMZ and an advanced edition API Gateway in the green zone. However, there are cases in which both the DMZ API Gateway and the green zone API Gateway are advanced editions. In such a setup, the customer's APIs are in most cases deployed in the green zone, and requests to the API Gateway's internal APIs, such as pub/apigateway/oauth2/getAccessToken and /pub/apigateway/oauth2/authorize, must be processed in the green zone API Gateway. Hence, the property forwardInternalAPIsRequest must be set to true in the DMZ API Gateway so that the DMZ API Gateway simply forwards requests for internal APIs to the API Gateway in the green zone. To learn more about the list of services to be exposed for API communication, see the API Gateway services to be exposed for API Portal and client communication section of the webMethods API Gateway User's Guide.
Note:
Software AG recommends that you do not cluster the Standard Edition API Gateways in a DMZ in a paired deployment setup.
To learn how to configure threat protection and invoke an API using REST API, read the API Gateway standard edition in DMZ & API Gateway advanced edition in Green zone section from the Threat protection in API Gateway article.
Deployment scenario 2: API Gateway in the DMZ with reverse invoke configuration
This setup consists of:
* One or more advanced edition API Gateways clustered and connected to a load balancer in the DMZ. You can have multiple instances of API Gateways connected through a load balancer and clustered using Terracotta Server Array. A single API Gateway is used for enforcing authentication and routing capabilities.
* The ESB services in Integration Server reside in the green zone behind the firewall.
If you use reverse invoke for communication between API Gateway and the internal ESB, ensure that the endpoint in the routing policy applied is configured as apigateway://registrationPort-aliasname/relative path of the service. For more information on ports and routing policies, see Ports and Routing.
The following diagram provides an architectural overview of the API Gateway deployment in a DMZ for webMethods customers:
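As an added illustration (not part of the product documentation), this Python check audits routing endpoints against the apigateway://registrationPort-aliasname/relative path form described above. The API names, alias names and hosts are constructed, and reading the segment after apigateway:// as the registration port alias is an assumption drawn from that format.

```python
from urllib.parse import urlsplit


def check_endpoint(endpoint, known_aliases):
    """Return findings for one routing endpoint; an empty list means it conforms."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "apigateway":
        # A direct http(s) endpoint addresses the green zone service itself,
        # which needs its port opened to the gateway network (scenario 3).
        return [f"scheme '{parts.scheme or 'none'}' is not apigateway://"]
    findings = []
    alias = parts.netloc  # assumption: this segment is the registration port alias
    if not alias:
        findings.append("registration port alias is missing")
    elif alias not in known_aliases:
        findings.append(f"alias '{alias}' is not a known registration port alias")
    if parts.path in ("", "/"):
        findings.append("relative path of the service is missing")
    return findings


def audit(routes, known_aliases):
    """Map API name -> findings, keeping only the endpoints that fail a check."""
    report = {}
    for api, endpoint in routes.items():
        findings = check_endpoint(endpoint, known_aliases)
        if findings:
            report[api] = findings
    return report


# Constructed sample data: API names, aliases and hosts are hypothetical.
KNOWN_ALIASES = {"esbRegistrationPort"}
SAMPLE_ROUTES = {
    "orders": "apigateway://esbRegistrationPort/rest/orders/v1",
    "billing": "https://esb.green.example:5555/rest/billing/v1",
    "stock": "apigateway://oldRegPort/rest/stock",
    "health": "apigateway://esbRegistrationPort/",
    "audit": "apigateway:///rest/audit",
}

if __name__ == "__main__":
    for api, findings in audit(SAMPLE_ROUTES, KNOWN_ALIASES).items():
        print(f"{api}: {'; '.join(findings)}")
```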
Deployment scenario 3: API Gateway with a Load Balancer in the DMZ
This setup consists of:
* One or more advanced edition API Gateways clustered and connected to a load balancer in the DMZ. A single API Gateway is used for enforcing all policies or rules. You can have multiple instances of API Gateways connected through a load balancer and clustered using Terracotta Server Array.
* The native services reside in the green zone behind the firewall. As the native services are directly invoked, you must open the native service port to the gateway network.
The following diagram provides an architectural overview of the API Gateway deployment in the green zone for webMethods customers:
Deployment scenario 4: API Gateway in the green zone with a Load Balancer in the DMZ
This setup consists of:
* One or more advanced edition API Gateways clustered in the green zone and connected to a load balancer in the DMZ. A single API Gateway is used for enforcing authentication and routing capabilities. This deployment does not require threat protection. However, you can configure and enforce threat protection, if required. You can have multiple instances of API Gateways connected through a load balancer and clustered using Terracotta Server Array.
The following diagram provides an architectural overview of the API Gateway deployment for non-webMethods customers: