Regardless of your deployment infrastructure, it is essential that you secure your API management platform. This section provides the guidelines to choose an API Gateway architecture based on your security requirements.

Typically, any on-premise deployment comprises two or more layers. The outer most layer, generally called the Demilitarized Zone (DMZ) protects the inner layer called the trusted zone or green zone against denial of service, SQL injection, and other malicious attacks. The trusted zone hosts services. For such a deployment architecture whose major concern is threat protection, you can implement the DMZ platform security using API Gateway Standard Edition.

DMZ platform security implemented using the API Gateway Standard Edition provides the following capabilities:

In addition to threat protection, if you require capabilities such as policy enforcement, request-response transformation, mediation, conditional error processing, and so on, choose the API Gateway Advanced Edition.

For more information about the two flavors of API Gateway, see API Gateway Editions.

Private cloud vendors follow cloud-native procedure such as Defense in Depth. Most vendors offer guidelines, but it might vary across providers. They implement combination of security measures such as networking filters, firewall rules, Web Application Firewall (WAF), and so on. As a result, most of the threats are mitigated, eliminating the need for API Gateway Standard Edition. However, you can add an additional layer of security by setting up an external port and threat protection policies directly on API Gateway Advanced Edition.