API Exposure

Forge Component
Published on 15 Feb by Guilherme Pereira
3 votes

At the OutSystems digital team we decided some time ago that, as part of our microservices strategy, our public-facing and most critical APIs should be deployed behind an API gateway in order to increase the security and reliability of those APIs.

We selected the Amazon AWS API Gateway as the gateway to use, and after a few manual deployments we reached the conclusion that the work needed to deploy an API behind the API Gateway is not only repetitive but also error prone when done entirely by hand.

So we decided to invest in a tool that leverages the Amazon AWS API Gateway Connector, together with a customized version of a Swagger parser, to allow quick deployment of our OutSystems REST APIs behind the AWS API Gateway.

After speaking with a few partners and customers, and after attending a great talk by one of our customers at the OutSystems Worldwide Developer Conference, it was evident that this kind of solution has the potential to be reused by our customers and partners, so we decided to release a cleaned-up version without dependencies on our internal applications.

Once again this component is NOT SUPPORTED BY OUTSYSTEMS.

Hello,

Does this mean that the REST APIs exposed by OutSystems will not be accessible directly?

If so, how is this achieved?

Regards

Amal

Hi Amal,

This component does not prevent the API from being accessed directly.

There are a couple of ways you can do that. The first one is at the network level, by configuring your servers to only accept requests from the APIGateway and block everything else.

The other option is to control that at the API level. Although you cannot prevent the API from being called, you can validate whether the request comes from the APIGateway by checking that it carries the header x-amzn-apigateway-api-id, that the id matches the id of the API on the API Gateway, and that the user agent of the request is something like AmazonAPIGateway_XXXX, where XXXX is the id of your API.

Something like:

Hope this helps

Guilherme
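The two options above, as an added example that is not part of the original post or of the Forge component. It covers the network-level option (an allowlist built from the API_GATEWAY prefixes of AWS's published ip-ranges.json, using a constructed excerpt embedded in the code) and the API-level option (the x-amzn-apigateway-api-id header and AmazonAPIGateway_<api-id> User-Agent). Because any direct caller can forge those two header values, the example additionally checks a shared-secret header; the header name x-gateway-secret and the idea that the gateway's integration request would inject it are assumptions of this example, not something the component does. The sample requests are constructed.

```python
"""Added example (not from the original post or the Forge component).

Checks a backend can apply to accept only traffic that came through
AWS API Gateway:
  1. network level: source IP must fall in an API_GATEWAY prefix from
     ip-ranges.json for the gateway's region;
  2. API level: x-amzn-apigateway-api-id must equal our API id and the
     User-Agent must be AmazonAPIGateway_<api-id>;
  3. (assumption of this example) a shared secret header that the gateway's
     integration request mapping injects and direct callers do not know.
"""
import hmac
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
IP_RANGES_JSON = """{
  "prefixes": [
    {"ip_prefix": "3.4.5.0/24",   "region": "eu-west-1", "service": "API_GATEWAY"},
    {"ip_prefix": "52.46.0.0/18", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "13.14.0.0/16", "region": "us-east-1", "service": "API_GATEWAY"}
  ]
}"""

API_ID = "abc123def4"                 # constructed API Gateway API id
GATEWAY_SECRET = "s3cr3t-from-gateway"  # assumed shared secret (example only)
SECRET_HEADER = "x-gateway-secret"      # assumed header name (example only)


def api_gateway_networks(ip_ranges_json, region):
    """Return the API_GATEWAY prefixes published for one region."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["service"] == "API_GATEWAY" and p["region"] == region]


def from_allowed_network(source_ip, networks):
    """Network-level check: TCP peer address must be inside an allowed prefix."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def headers_claim_gateway(headers, api_id):
    """API-level check from the post: api-id header plus matching User-Agent.
    Both values are under the caller's control, so this alone is not proof."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-amzn-apigateway-api-id") != api_id:
        return False
    return h.get("user-agent", "") == "AmazonAPIGateway_" + api_id


def has_valid_secret(headers, secret):
    """Constant-time comparison of the (assumed) gateway-injected secret."""
    h = {k.lower(): v for k, v in headers.items()}
    presented = h.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def accept_request(source_ip, headers, api_id, secret, networks):
    """Accept only when every check passes; the secret is what defeats forgery."""
    return (from_allowed_network(source_ip, networks)
            and headers_claim_gateway(headers, api_id)
            and has_valid_secret(headers, secret))


# Constructed sample requests
GENUINE = ("3.4.5.10", {
    "X-Amzn-Apigateway-Api-Id": API_ID,
    "User-Agent": "AmazonAPIGateway_" + API_ID,
    "X-Gateway-Secret": GATEWAY_SECRET,
})
FORGED_HEADERS = ("198.51.100.7", {   # direct caller copying the gateway headers
    "X-Amzn-Apigateway-Api-Id": API_ID,
    "User-Agent": "AmazonAPIGateway_" + API_ID,
})
WRONG_API = ("3.4.5.11", {            # right network, headers for another API
    "X-Amzn-Apigateway-Api-Id": "zzz999",
    "User-Agent": "AmazonAPIGateway_zzz999",
    "X-Gateway-Secret": GATEWAY_SECRET,
})


def evaluate_samples():
    nets = api_gateway_networks(IP_RANGES_JSON, "eu-west-1")
    return {name: accept_request(ip, hdrs, API_ID, GATEWAY_SECRET, nets)
            for name, (ip, hdrs) in
            {"genuine": GENUINE, "forged": FORGED_HEADERS, "wrong_api": WRONG_API}.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

If the backend sits behind a load balancer, the peer address the network check sees is the balancer's, so apply the allowlist at the edge that terminates the client connection rather than on the application server.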


Hello Guilherme,

Thank you very much for the quick and detailed response.

It definitely helps.

Best Regards

Amal