Tags: api, security, microservices, api-gateway

Security considerations for API Gateway clustering?



  1. Clients that communicate against a single point of entry via an API Gateway over HTTPS against a RESTful API
  2. API Gateway: API Keys for tracking and analytics, OAuth for API platform authentication
  3. User microservice provides user authentication and authorization, generates JWT that is signed and encrypted (JWS, JWE)
  4. Other microservices determine permissions based on claims inside JWT
  5. Microservices communicate internally via PUB/SUB using JWT in the message and other info. Each microservice could be scaled out with multiple instances (cluster with a load balancer).

Question: Can I cluster the API Gateway and have the load balancer in front of it? What do I need to consider with respect to managing authentication, i.e. sharing of API Keys across the API Gateway cluster?

Extra notes: I'm planning on terminating SSL at the gateway and using bcrypt for passwords in the DB.

Any feedback would be great, thank you.


Solution

  • Can I cluster the API Gateway and have the load balancer in front of it?

    Yes, you can. Most of the good API Gateway solutions will provide the ability to do clustering, e.g. https://getkong.org/docs/0.9.x/clustering/, or you can use a cloud-based API Gateway: Azure API Management or AWS API Gateway.

    What do I need to consider with respect to managing authentication?

    These specifics depend on your selection of API Gateway solution.
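As an added example (not part of the question or the answer above), the following Python shows the property the clustering question hinges on: a JWS is verified statelessly, so every node behind the load balancer can validate the user service's token once it holds the verification key, while API Keys still need a store that all gateway nodes share. HS256 with a constructed shared key is an assumption for brevity; with RS256/ES256 the gateway nodes would only need the user service's public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: the user service signs with it and every gateway
# instance holds the same verification key (or the public key for RS256/ES256).
SHARED_KEY = b"demo-shared-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWS, the user microservice's job in the diagram."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jws(token: str, key: bytes, now=None):
    """Gateway-side check. It is stateless, so any node in the cluster that
    holds the key can verify; returns the claims, or None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm, never trust 'alg'
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, AttributeError):  # malformed segments, base64 or JSON
        return None

def cluster_demo():
    """Any gateway node holding the key accepts the token; a tampered copy fails."""
    token = sign_jws({"sub": "user-42", "roles": ["reader"], "exp": 1_700_000_600}, SHARED_KEY)
    hdr, _, sig = token.split(".")
    # Change the role claim without re-signing: the signature no longer matches.
    altered = _b64url(json.dumps({"sub": "user-42", "roles": ["admin"], "exp": 1_700_000_600}).encode())
    return (verify_jws(token, SHARED_KEY, now=1_700_000_000) is not None,
            verify_jws(f"{hdr}.{altered}.{sig}", SHARED_KEY, now=1_700_000_000) is None)
```

Because verification needs no per-node session state, the only thing the cluster has to distribute is the key material; revocation lists and API Key lookups are the parts that still need a shared backing store.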