I have a public Bluemix CF APP which exposes a REST Service. I would like to have the option, that the public url bound to the CFApp would be inaccessible from outside. The REST Service itself should only be usable from other CF Apps in my org, for example over API Management. I don't want to implement an own security mechanism for it, because API Management provides already everything I need to control, which clients will access my service. So some kind of private route inside Bluemix public, only available to runtimes and services in my Bluemix organisation.
This is not currently possible with IBM Bluemix, due to limitations in Cloud Foundry.
All bound routes are accessible from the external network.
If you want to have a private API exposed, you have the following options.
Add authentication to the REST API, managing the credentials as a user-provided service bound to all the apps. The API will be accessible externally but only by users with the credentials.
Use an application service, like a message queue, to expose an internal RPC-style API. Applications can bind to the same service and it will only be accessible internally.
Related
So I am trying to make Google cloud's API gateway serve requests from a private IP based backend. Currently, the backend is a Kubernetes based service. However, I couldn't find it explicitly being mentioned whether its possible or not.
Has anyone else encountered such an issue given that its a pretty common use case? It seems possible only when the API gateway infrastructure has a link to the VPC network(route table) or an explicit private connection.
After looking for a while I think that the best way to do what you are asking is to use Private service connect, this allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations and also lets you connect to service producers using endpoints with internal IP addresses in your VPC network.
Here is a guide of how to use Private Service Connect to access Google APIs.
the Google API gateways exist only for serverless product and is intended to be use only against serverless backends(s). It is possible to configure it against public IP’s that are hosted on our Google backends because they leverage the same x-google-backend configuration key-value pairs in the openapi.yaml for API Gateway, but more niche features like authorization on behalf of backend services, or limiting access to backed services hosted on non-serverless platforms like GKE are currently not supported. a possible workaround could be to set up endpoints directly with your GKE cluster you, this documentation could help you first, second, third
Best regards.
Most of the document I found about GCP, the REST API needs a user interaction for authentication. Is there a possible way to access the GCP resource without an interaction from user.?
eg: I would like to implement a cron job in my local workstation to launch a GCP machine.
Yes, it's possible, this is that service accounts are for:
A service account is a Google account that represents an
application, as opposed to representing an end user.
Important: For almost all cases, whether you are developing locally or in a production application, you should use service
accounts, rather than user accounts or API keys. You can use a service
account by providing its private key to your application, or by using
the built-in service accounts available when running on Google Cloud
Functions, Google App Engine, Google Compute Engine, or Google
Kubernetes Engine.
All GCP APIs support service accounts. For most server applications
that need to communicate with GCP APIs, we recommend using service
accounts, as they are the most widely-supported and flexible way to
authenticate.
For more information, see getting started with authentication.
You'd have to create a service account representing your application (executed as the cron job) and in your application you'd authenticate the REST API calls using that service account's credentials.
When trying to binding any Bluemix apps to a pre-configured Secure Gateway service, the Secure Gateway is not in the list of services which can be bound to apps. Is there a different way to bind a nodejs app to a Secure Gateway instance?
Applications can no longer be bound to the Secure Gateway service. Binding was possible in previous versions but provided no additional functionality to the application.
To have your application use the connectivity provided by Secure Gateway, your application simply needs to call the cloud host:port provided by your destination.
I want to expose a REST-ful service as an API to the outside world on Bluemix Public. Therefore I have a liberty app, containing a REST service implemented in JAX-RS.
Additionally I leverage the "API Management Service" to secure that app, via Plans, Authentication etc. So thanks to the API Management Gateway I have a secure proxy to my service exposed.
Yet, the app that provides my service remains accessible to the outside via the Bluemix route. So, it can be called without any credentials or whatsoever.
Is there a way, to only have my API Management gateway access the service implementation app?
One approach would be to delete the route of the service implementing app, but how would you then bind the API Management to the service?
Happy to hear your thoughts or alternative solutions.
If your API is running on Bluemix Public as a Cloud Foundry application, there is currently not a way to create a route such that it is only accessible by the API management service, but not the the outside world. You should implement security within your jax-rs application (easy to with web.xml security-constraint) and add those credentials to APIm service if you still want to use APIm to get monitoring, throttling, discovery, etc.
Another option would be to deploy the application in a VM and then use Secure Gateway to connect to it:
https://github.com/IBM-Bluemix/onprem-integration-demo
Here is usecase:
I have two apps in Bluemix: app1 and app2
app1 is accessible through the internet using its route (e.g. app1.mybluemix.net)
app2 doesn't have any route to prevent from being accessible through the internet.
app2 may expose a REST API.
How do I call app2 from app1 inside Bluemix?
An example of communicating to an application without a route is implemented in this Microservice Shipping sample.
This is an EJB Liberty application that runs on Bluemix without a route and subscribes to the Bluemix MQ Light service. The sender of the messages is the Microservice Orders sample application, which binds to the same MQ Light service.
Going the REST API route will mean you must have an externally accessible route. However, you could secure it using keys and tokens.
It would be easier to use one of the services in Bluemix as an "RPC" layer between the two applications. You could use one of the queue services (MQLight, RabbitMQ) or Redis to pass messages between the applications to execute commands.
These service bindings are internal and won't be exposed externally unlike the REST API.
Alternatively, you could expose the REST API from App2 and use authentication to control access.
There are two ways you can prevent access.
Put your microservice inside a Bluemix Container and utilize private IPs https://new-console.ng.bluemix.net/docs/containers/container_security_network.html#container_cli_ips_byoip
Use API Connect as a API Gateway/proxy to the private IP being in your container microservice.
Use Bluemix Dedicated to deploy app2. Bluemix dedicated provides firewall capabilities and you could set it up so that it only accepts requests from app1's IP address.
Use Bluemix Local when it becomes available with the same approach where you use your corporate firewall to only accept requests that come from your App1 IP Address. This is an expensive alternative compared to a public PAAS.
Use the API Connect Service which replaced the API Management Service to:
Specify what users can access your apis
Specify the number of requests per day or other unit of time
Provides a API Gateway to securely call the other service App2.
I expect at some point a software network defined solution will be considered as part of the offering.