I want to expose some APIs in Bluemix from my datacenter using API Connect and the Secure Gateway, but I need only API Connect to be able to call these APIs, because I am going to secure them with this service. I have been trying to do this with the IP tables configuration of the Secure Gateway Destination, but I do not know the IP address that makes the calls to the other APIs. Is there any way to do this?
- Secure Gateway has an API to determine and manage those addresses dynamically. You should also look into using tokens, so that only the intended parties are able to use the communication channel. Could you add details to your question? – data_henrik Aug 05 '16 at 10:20
- I have coded up a tutorial for a database scenario, not API Connect, but it might help: https://github.com/data-henrik/Bluemix-onprem-data – data_henrik Aug 05 '16 at 10:21
- I was able to create the IP table rules dynamically using the API of the Secure Gateway, but my problem is that I do not know the IP address of API Connect when it makes the call to the backend services. – Pipe Flórez Aug 05 '16 at 16:10
1 Answer
You are looking for the IPs of the API Gateway that actually handles each API call. However, this is not a good mechanism for access control, as those IPs may change at any time.
Instead, why not enable Mutual TLS on your destination, then just upload the cert and key to a TLS profile within API Connect? Applying that profile to your policy assembly will effectively limit access to the Secure Gateway.

Matt Hamann
- Thanks, do you have a link showing how to do this? By doing this, will the Gateway client accept connections only from API Connect? I do not want third parties or other apps calling my exposed backend services. – Pipe Flórez Aug 05 '16 at 16:07
- You'll likely need to refer to two doc pages. Here: https://console.ng.bluemix.net/docs/services/SecureGateway/sg_023.html#sg_007 and here: http://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.apionprem.doc/task_apionprem_ssl.html. Basically, create your SG destination w/ HTTPS: Mutual TLS, then download the key + cert and upload it into API Connect's TLS profile section (via that second link). – Matt Hamann Aug 05 '16 at 17:43