Software AG Products 10.11 | Administrating API Gateway | Deployment | Concepts | API Gateway Editions
 
API Gateway Editions
You can deploy API Gateway in two editions, depending on your license.
*API Gateway: Standard Edition. This edition offers API protection only.
*API Gateway: Advanced Edition. This edition offers both API protection and mediation capabilities.
API Gateway: Standard Edition key points:
*Applicable mainly to on-premise deployments.
*Protects the API Gateway platform from malicious attacks, for example, Denial of Service (DoS), Global DoS, Injection Attacks, and so on.
*Typically, this layer is just a gatekeeper; no APIs can be deployed on the Standard Edition server.
API Gateway: Advanced Edition key points:
*Applicable to all deployments.
*Provides security, mediation, and other policy enforcement, for example, request-response transformation, conditional error processing, and so on.
*Typically, this layer hosts all the APIs and is therefore the main service virtualization layer delivering the intended business value.
For more information about the capabilities available in the Standard and Advanced Editions of API Gateway, see API Gateway Standard and Advanced Editions Capability Matrix.
API Gateway Standard Edition vs Web Application Firewall
This section explains the need for API Gateway Standard Edition in addition to other software that already exists for DMZ security, such as a Web Application Firewall (WAF). API Gateway Standard Edition is required for the following reasons:
*A WAF serves a wider set of edge security concerns, and its features vary across products.
*API Gateway Standard Edition provides the threat protection capabilities that apply specifically to exposing APIs to the external world. Some features may overlap between API Gateway and the WAF; however, API Gateway Standard Edition is not a replacement for a WAF.
*If you already have a WAF in place, depending on how comprehensive its capabilities are, you may decide not to use API Gateway Standard Edition. In that case, you might need to punch a hole in the inner firewall to allow the API Gateway-specific traffic. This is not optimal compared with the reverse invoke capability of API Gateway Standard Edition, which is considered more secure because you do not have to open any inbound holes in the inner firewall.
*Alternatively, you can combine a WAF and API Gateway Standard Edition to get the best of both worlds.
Reverse Invoke in API Gateway
This section explains what reverse invoke is and how it works in API Gateway.
What is Reverse Invoke?
The reverse invoke flow is as follows:
1. External clients send API requests to the API Gateway Standard Edition server in the DMZ.
2. The API Gateway Standard Edition server collects client information from each request and evaluates the request against any rules that are defined. Requests that do not violate a rule are passed to the API Gateway Advanced Edition server.
3. The API Gateway Advanced Edition server processes the requests and sends the responses to the API Gateway Standard Edition server.
4. The API Gateway Standard Edition server then forwards the responses back to the client.
How does Reverse Invoke work?
1. The API Gateway Standard Edition server uses an external port to listen for API requests from external clients.
2. The API Gateway Standard Edition server maintains its connection with the API Gateway Advanced Edition server through a “registration port”. For security purposes, the API Gateway Advanced Edition server initiates the outbound connections to the registration port.
3. By limiting connections to those established by the API Gateway Advanced Edition server, this arrangement makes it difficult for attackers to penetrate the internal network directly, even if they subvert a system in the DMZ.
4. For maximum benefit, Software AG highly recommends that you configure the inner firewall to deny all inbound connections. With this configuration, you isolate the servers on the corporate network from the DMZ. This capability is the main advantage of using API Gateway Standard Edition server over traditional third-party proxy servers.
Note:
The reverse invoke method is used in Paired Deployment. For more information on the paired deployment setup, see Paired Deployment.
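The following is an added example, not Software AG code, that models the reverse invoke exchange described above on loopback sockets: the DMZ relay plays the Standard Edition role (external port plus registration port, a simple allow rule), the internal server plays the Advanced Edition role and only ever dials outbound, and every client request is tunnelled over that connection. The port numbers, the one-line request format, and the allow rule are assumptions made for the demo.

```python
import socket
import threading
# Added model of the reverse invoke flow, not Software AG code. The DMZ relay
# (Standard Edition role) owns the external and registration ports; the internal
# server (Advanced Edition role) dials OUT to the registration port and requests are
# tunnelled back over that link. Loopback, ephemeral ports, one-line messages: assumed.
def recv_msg(sock):
    return sock.recv(4096).decode().strip()   # short single-segment demo messages

def internal_server(registration_addr, handler):
    # Advanced Edition role: no listening socket; it connects outbound and answers
    # whatever arrives over that link ("" on EOF ends the session).
    def run():
        with socket.create_connection(registration_addr) as link:
            while req := recv_msg(link):
                link.sendall((handler(req) + "\n").encode())
    threading.Thread(target=run, daemon=True).start()

class DmzRelay:
    # Standard Edition role: a gatekeeper only, it hosts no APIs.
    def __init__(self, rule):
        self.rule = rule                                   # request -> True if allowed
        self.ext = socket.create_server(("127.0.0.1", 0))  # external port
        self.reg = socket.create_server(("127.0.0.1", 0))  # registration port
        self.link = None
    def wait_for_registration(self):
        self.link, _ = self.reg.accept()   # the only inbound connection, from inside
    def serve_one(self):
        client, _ = self.ext.accept()      # step 1: request from an external client
        with client:
            req = recv_msg(client)
            if not self.rule(req):         # step 2: evaluate against the rules
                client.sendall(b"403 blocked by threat protection rule\n")
                return
            self.link.sendall((req + "\n").encode())               # pass inward
            client.sendall((recv_msg(self.link) + "\n").encode())  # steps 3 and 4

def demo(requests):
    relay = DmzRelay(rule=lambda r: r.startswith("GET /api/") and len(r) < 200)
    internal_server(relay.reg.getsockname(), lambda r: "200 OK for " + r)
    relay.wait_for_registration()
    results = []
    for r in requests:                     # external client side of the exchange
        threading.Thread(target=relay.serve_one).start()
        with socket.create_connection(relay.ext.getsockname()) as c:
            c.sendall((r + "\n").encode())
            results.append(recv_msg(c))
    relay.link.close()                     # internal side sees EOF and exits
    return results
```

Note that the internal side never calls accept(), which is the property that lets the inner firewall deny all inbound connections while still serving external traffic.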