Security Considerations
Regardless of your deployment infrastructure, it is essential that you secure your API management platform. This section provides the guidelines to choose an API Gateway architecture based on your security requirements.
On-premise Deployments
Typically, any on-premise deployment comprises two or more layers. The outer most layer, generally called the Demilitarized Zone (DMZ) protects the inner layer called the trusted zone or green zone against denial of service, SQL injection, and other malicious attacks. The trusted zone hosts services. For such a deployment architecture whose major concern is threat protection, you can implement the DMZ platform security using API Gateway Standard Edition.
DMZ platform security implemented using the API Gateway Standard Edition provides the following capabilities:
Protects the API Management platform from malicious attacks such as Denial of Service (DoS).
Protects the APIs from common web vulnerabilities, such as SQL,or JSON injection attacks, and so on.
Boosts the API security by restricting the attackers from sending malicious payloads. For example, large payloads, nested convoluted data structures, and so on.
Scans the attachments that are part of APIs by integrating with the enterprise anti-virus software through a standard protocol (ICAP).
In addition to threat protection, if you require capabilities such as policy enforcement, request-response transformation, mediation, conditional error processing, and so on, choose the API Gateway Advanced Edition.
For more information about the two flavors of
API Gateway, see
API Gateway Editions.
Note:
The
API Gateway Standard Edition is meant for threat protection only and not for deploying APIs.
Cloud Deployments
Private cloud vendors follow cloud-native procedure such as Defense in Depth. Most vendors offer guidelines, but it might vary across providers. They implement combination of security measures such as networking filters, firewall rules, Web Application Firewall (WAF), and so on. As a result, most of the threats are mitigated, eliminating the need for API Gateway Standard Edition. However, you can add an additional layer of security by setting up an external port and threat protection policies directly on API Gateway Advanced Edition.