
We have an architecture pattern (layered DMZ) where:

  1. External-facing applications are deployed in a 3-layered DMZ (DMZ1 for the web server, DMZ2 for the app server and DMZ3 for the database server)
  2. We do not allow DMZ1 to talk directly to the LAN; however, DMZ2 and DMZ3 can talk to the LAN

WSO2 API Manager will be installed in the LAN; the issue is how we expose services from the LAN API store to the external world. Which design pattern is best suited for this? I have a couple of options:

Option 1:

  • Deploy another instance of API Manager in DMZ1 which 3rd parties can access
  • Deploy a set of services in the DMZ1 API Manager only for 3rd-party access
  • Have a reverse proxy in DMZ2 which talks to the LAN server

Option 2:

  • Single instance of API Manager deployed in the LAN
  • Reverse proxy in DMZ1
  • Forward proxy in DMZ2 (which we currently do not have)
  • Forward proxy talks to the LAN

I remember IBM has a virtual/physical DataPower appliance which acts as an external API gateway. How do we achieve a similar design pattern with WSO2?

Many thanks in advance

  • Please check the following doc: https://docs.wso2.com/display/AM210/Deploying+WSO2+API-M+in+a+Distributed+Setup – PasinduJay Dec 17 '19 at 12:22

2 Answers


WSO2 API Manager will be installed in LAN, the issue is how do we expose services from LAN API store to external world

WSO2 API Manager has a component called API Gateway. Actually, today there are two ways to do that:

  1. Use API Gateway

API Gateway is an instance of API Manager with parameters specifying that the instance is a gateway, so other modules (key manager, store, publisher) are disabled or not used.

We use API Gateway in the DMZ. This instance will authenticate and authorize the calling clients. However, the gateway still needs to call the KeyManager web services for token validation, and the publisher needs to call the gateway for API deployment.

(KeyManager and publisher are the services in the APIM in LAN)

  2. Using API Micro Gateway

Micro gateways need to be deployed as individual modules and are able to validate clients' tokens (JWT tokens) even without any connection to the LAN instance.

Note: When using OAuth authentication rather than static API keys, you need to expose a route to the token and revoke service.


gusto2

There are several common deployment patterns recommended by WSO2 for API Manager which can be found below. https://docs.wso2.com/display/AM260/Deployment+Patterns#DeploymentPatterns-WSO2APIManagerdeploymentpatterns

You can go for pattern #4 or #5. Pattern #5 will keep your total cost down in terms of license fee and infrastructure fee.

Amila Maharachchi