
WSO2 API Manager: how to protect backend APIs


I am moving to WSO2 API Manager cloud. I have hosted my backend APIs and WSO2 API Manager in AWS myself. Access to the backend APIs was limited to the WSO2 API Manager EC2 machine's IP, so that every request has to go through the WSO2 machine.

How can I achieve the same when using WSO2 Cloud? What is the ideal way to protect my backend APIs? Or is there a recommended approach for protecting backend APIs? Maybe check for some token in the backend code to see if the request comes via WSO2 API Manager?


Solution

  • You have the following options available in the cloud:

    1. You can still do IP whitelisting. You can request the IPs to be whitelisted from the cloud support channel.
    2. You can do mutual SSL between API Cloud and your backend.
    3. As you have mentioned, you can send a custom header with a secret value set from API Cloud and check for it in your backend.
    4. You can also have API Cloud send Basic auth credentials to your backend.

    https://docs.wso2.com/display/APICloud/Secure+your+Backend+Services
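
Options 3 and 4 as they could look on the backend side, as an added example that is not part of the original answer and is not WSO2 code. The header name `X-Gateway-Secret`, the credentials and the function names are assumptions made for the example; the secrets are constructed values that would come from a secret store in practice.

```python
import base64
import hmac

# Assumed names for this example: the header the gateway is configured to add,
# and constructed credentials (load real ones from a secret store).
SECRET_HEADER = "HTTP_X_GATEWAY_SECRET"      # WSGI key for X-Gateway-Secret
GATEWAY_SECRETS = [b"constructed-current-secret", b"constructed-previous-secret"]
BASIC_USER, BASIC_PASS = b"gateway", b"constructed-basic-password"


def _matches_any(candidate: bytes, accepted) -> bool:
    # Compare against every accepted value in constant time; no early exit.
    ok = False
    for value in accepted:
        ok |= hmac.compare_digest(candidate, value)
    return ok


def from_gateway(environ) -> bool:
    """True if the request carries the shared header secret or Basic credentials."""
    header = environ.get(SECRET_HEADER, "").encode("utf-8", "replace")
    if header and _matches_any(header, GATEWAY_SECRETS):
        return True
    auth = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, sep, password = base64.b64decode(token, validate=True).partition(b":")
    except ValueError:                       # malformed base64 or non-ASCII token
        return False
    user_ok = hmac.compare_digest(user, BASIC_USER)
    pass_ok = hmac.compare_digest(password, BASIC_PASS)
    return bool(sep) and user_ok and pass_ok


class GatewayOnly:
    """WSGI middleware: reject anything that did not come through the gateway."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not from_gateway(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)
```

Accepting two header secrets lets the value be rotated on the gateway without downtime. Both checks assume the gateway-to-backend hop runs over TLS, since the secret travels in the request itself.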