I want to use the first deployment in this link (active/active all-in-one). But my question is: can I add one all-in-one APIM in DMZ zone or not? I want to use the deployment pattern cited in the link for my internal APIs, and I want to add the APIM (all-in-one API) in the DMZ zone for external consumers and APIs. Especially without any Gateway component, because if I want to use a Gateway component I can use deployment pattern 4 (Internal/External API Gateway Separation), but pattern number 4 is so complicated for my usage of APIM. So can I have deployment pattern number 4 (Internal/External API Gateway Separation) with the component design of pattern number 1 (active-active all-in-one)? (No separation and no Gateway.)
2 Answers
Under deployment patterns I believe you are referring to these: https://docs.wso2.com/display/AM250/Deployment+Patterns
> can I add one all-in-one APIM in DMZ zone or not?
Nothing prevents you from doing so.
Now the question is - do you want to have a completely separated APIM environment in DMZ? Do you plan to separate users, database, throttling, key management ... too? It's all fine. Then just have a separate environment in DMZ.
If you want to centrally manage APIs, users, keys, etc., then you can configure the DMZ instance to use the internal KM, TM, and analytics. Effectively you will get pattern 4. For KM and TM, you don't need to install separate instances (as described in the pattern). You can use the same "all-in-one" instance from the internal network.
> Especially without any Gateway component,
The "all-in-one" APIM contains the Gateway component. Effectively the Gateway component is a full APIM installation that just has some management modules disabled by providing a profile parameter. From the installation point of view there's no difference between installing the full APIM or the gateway.

Thanks for your complete answer. Until now I have only had my own internal users, so I was using pattern 1. Now I am going to have some external users with their desired APIs, especially with the same database. So I was thinking that, to keep my internal APIs secure and safe from external users, it's better to use another zone for external. That is how the idea in my first question came about. I know pattern 4 is the best, but I need simplicity. Pattern 4 is complicated and I don't think I really need to separate the components. Now what's your suggestion, please? – N.Abdolalizadeh Oct 27 '18 at 05:27
There is a risk if you deploy an all-in-one APIM in the DMZ. This is because APIM nodes are connected to databases. I would recommend deploying a load balancer in the DMZ and fronting the APIM nodes which are deployed in the LAN.

Thanks for answering. Actually I want an active-active all-in-one APIM in the LAN for my internal users and an all-in-one APIM in another zone for my external users. But for both I use the same database. – N.Abdolalizadeh Oct 27 '18 at 05:17