0

If I have an API gateway in a Docker container that communicates with a second webapi Docker container on the same user bridge network, would there be any reason to configure SSL between the API gateway and the Docker container?

Is it 100% safe to only use port 80 between the webapi and the API gateway?

Clients connect to the API gateway over SSL, so do you have to continue SSL all the way to the webapi for some reason?

Assuming I don't need SSL: if from the webapi I want to read some custom claims off of an OAuth2 access token, does this change things?

The reason I'm asking is that I've set up an Ocelot API gateway and webapi and they communicate fine over HTTP, but I can't get them to communicate over the webapi's SSL endpoint. I won't worry about it if it doesn't matter.

Post Impatica

1 Answer

1

With further reading I see that this is the purpose of having your API gateway act as an SSL termination endpoint and that no, you don't need to encrypt data between the gateway and the microservices, assuming they are in the same data center and trusted. This also relieves your endpoints of having to deal with the additional processing of SSL. See this article on this discussion that closely resembles mine.

Post Impatica
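As an added example (not part of the original answer and not Ocelot's own code): a check over an Ocelot route file that accepts plain HTTP only when the downstream host is on the gateway's own trusted network, which is the condition the answer states. The sample config, the host names and the trusted-host list are constructed assumptions.

```python
import json

# Constructed sample ocelot.json (not from the original post).
SAMPLE_OCELOT_JSON = """
{
  "Routes": [
    {"UpstreamPathTemplate": "/orders/{everything}",
     "DownstreamPathTemplate": "/api/orders/{everything}",
     "DownstreamScheme": "http",
     "DownstreamHostAndPorts": [{"Host": "webapi", "Port": 80}]},
    {"UpstreamPathTemplate": "/billing/{everything}",
     "DownstreamPathTemplate": "/api/billing/{everything}",
     "DownstreamScheme": "http",
     "DownstreamHostAndPorts": [{"Host": "billing.example.com", "Port": 80}]},
    {"UpstreamPathTemplate": "/reports/{everything}",
     "DownstreamPathTemplate": "/api/reports/{everything}",
     "DownstreamScheme": "https",
     "DangerousAcceptAnyServerCertificateValidator": true,
     "DownstreamHostAndPorts": [{"Host": "reports.example.com", "Port": 443}]}
  ]
}
"""

# Assumption: container names reachable only on the gateway's user bridge network.
TRUSTED_INTERNAL_HOSTS = {"webapi"}

def audit_routes(config_text, trusted_hosts=TRUSTED_INTERNAL_HOSTS):
    """Return (upstream, host, finding) for every risky gateway-to-service hop."""
    config = json.loads(config_text)
    # Older Ocelot releases name the top-level key "ReRoutes".
    routes = config.get("Routes") or config.get("ReRoutes") or []
    findings = []
    for route in routes:
        upstream = route.get("UpstreamPathTemplate", "?")
        scheme = str(route.get("DownstreamScheme", "")).lower()
        skip_verify = route.get("DangerousAcceptAnyServerCertificateValidator", False)
        for target in route.get("DownstreamHostAndPorts", []):
            host = target.get("Host", "")
            if scheme == "http" and host not in trusted_hosts:
                findings.append((upstream, host, "plaintext hop leaves trusted network"))
            if scheme == "https" and skip_verify:
                findings.append((upstream, host, "TLS without certificate validation"))
    return findings

if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_OCELOT_JSON):
        print(finding)
```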