When deployed to production, our .NET Core APIs will sit behind an IBM DataPower reverse proxy, performing authentication, SSL/TLS termination, caching, etc.
Do we need to use IIS in this setup?
The service should be HTTPS, as the DataPower server will re-authenticate with the service (with a DIFFERENT set of credentials).
Can (or should) I avoid using IIS in this setup?
From the docs on Kestrel:
"If you expose your application to the Internet, you must use IIS, Nginx, or Apache as a reverse proxy server. A reverse proxy server receives HTTP requests from the Internet and forwards them to Kestrel after some preliminary handling."
I would suggest that they know these products well enough to recommend them, but other reverse proxy servers such as IBM DataPower would do just as well. So you are more than welcome to avoid IIS completely.
Also, this is why you should not use Kestrel directly connected to the Internet:
"A reverse proxy is required for edge deployments (exposed to traffic from the Internet) for security reasons. Kestrel is relatively new and does not yet have a full complement of defenses against attacks. This includes but isn't limited to appropriate timeouts, size limits, and concurrent connection limits."
It's worth noting that a lot of work is being done on Kestrel right now and in version 2 they may change this recommendation, though I suspect that might be a little premature.
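An added illustration, not code from the question or the answer: a sketch of hosting on Kestrel alone (no IIS integration) with its own HTTPS listener and explicit values for the timeouts, size limits and connection limits the quoted docs mention. It assumes ASP.NET Core 2.x; the certificate file, password variable, port, limit values and proxy address are placeholders, and it assumes the proxy sends X-Forwarded-* headers.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args) =>
        new WebHostBuilder()               // no UseIISIntegration(): Kestrel is the only server
            .UseKestrel(options =>
            {
                // HTTPS on the service itself, so the proxy-to-service hop is encrypted.
                // "service.pfx" and PFX_PASSWORD are placeholder names.
                options.Listen(IPAddress.Any, 5001, listen =>
                    listen.UseHttps("service.pfx",
                        Environment.GetEnvironmentVariable("PFX_PASSWORD")));

                // Explicit limits; the values are illustrative, not recommendations.
                options.Limits.MaxConcurrentConnections = 200;
                options.Limits.MaxRequestBodySize = 1 * 1024 * 1024;   // 1 MiB
                options.Limits.KeepAliveTimeout = TimeSpan.FromSeconds(60);
                options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(15);
            })
            .UseStartup<Startup>()
            .Build()
            .Run();
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services) =>
        services.Configure<ForwardedHeadersOptions>(o =>
        {
            o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Trust forwarded headers only from the reverse proxy (placeholder address).
            o.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));
        });

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders();   // must run before anything that reads the client IP or scheme
        app.Run(ctx => ctx.Response.WriteAsync("ok"));
    }
}
```

Restricting the listener or the host firewall to the proxy's address keeps Kestrel off the edge, which is the condition the quoted recommendation is about.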