 

Don't allow direct calls to Microservices. Only allow through API Gateway


Maybe this is a strange question (I'm new with Microservices). But I'm looking for some info on how to proceed with this. Does not need to be Spring specific, but that's the framework I'm using at the moment.

Example: Let's say we have two Microservices

a) http://myurlfortesting.com:8085/api/rest/serviceone

b) http://myurlfortesting.com:8090/api/rest/servicetwo

and we have set up Spring Zuul (acting as the API Gateway) with the following rules that forward the incoming calls:

/rest/one -> http://myurlfortesting.com:8085/api/rest/serviceone

/rest/two -> http://myurlfortesting.com:8090/api/rest/servicetwo

The question... Is there a way to stop users from directly accessing the services mentioned in A and B (only allow the ones that come through the API Gateway)?

Can this be done with Spring's Zuul (acting as an API Gateway) by setting up some extra filters, or do we set it up in the Microservices' endpoints?

Would even like to know if there is a way to not even process the direct calls on the Microservices' endpoints that don't come via the API Gateway.

Maybe this is solved with server specific rules and has nothing to do with Spring?

Many thanks,

/D

Dimman asked Dec 21 '16 12:12


2 Answers

Assuming that you have a firewall in place, you could restrict inbound traffic to the server to the ports that your Zuul endpoints are exposed on and disallow anyone from accessing the microservices' ports directly.

If you want to avoid going the firewall route, you could force the endpoints to check for a specific HTTP header or something that is set by Zuul prior to forwarding a request, but that would be hacky and easy to circumvent. Based on my past experiences, the "right" way would be to do this via a firewall. Your app should be responsible for dealing with requests. Your firewall should be responsible for deciding who can hit specific endpoints.

Riaan Nel answered Oct 20 '22 00:10
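The answer above warns that checking for a header set by Zuul is easy to circumvent. That is true of a static marker header such as `X-From-Gateway: true`, which any caller can add. The following is an added example (not code from the question, the answer, or the Zuul project) showing what a microservice-side check has to look like if you go that route anyway: the gateway attaches an HMAC over the method, path and a timestamp using a secret shared only with the services, and the service verifies the peer address, the signature and the freshness window. The gateway address range, the header names, the secret and the 30-second skew are all assumptions for the example. Network-level restriction of the service ports remains the primary control; this check is defence in depth, not a replacement.

```python
"""
Added example: verifying that a request reached a microservice via the API
gateway, without trusting a forgeable static header.

Assumptions made for this example (not Zuul features or project config):
  - the gateway runs inside GATEWAY_NETWORKS and is the direct TCP peer;
  - the gateway (e.g. a Zuul pre-filter) attaches X-Gateway-Timestamp and
    X-Gateway-Signature, an HMAC-SHA256 over method, path and timestamp;
  - GATEWAY_SECRET is shared only between gateway and services.
"""
import hashlib
import hmac
import ipaddress
import time

# Hypothetical secret; load from a secret store in real deployments.
GATEWAY_SECRET = b"example-shared-secret-rotate-me"
# Hypothetical gateway addresses; replace with the real gateway hosts/CIDRs.
GATEWAY_NETWORKS = [
    ipaddress.ip_network("10.0.1.10/32"),
    ipaddress.ip_network("10.0.2.0/24"),
]
MAX_CLOCK_SKEW = 30  # seconds; bounds replay of a captured signed request


def gateway_sign(method, path, ts, secret=GATEWAY_SECRET):
    """Signature the gateway computes before forwarding (binds method+path+time)."""
    msg = f"{method.upper()}\n{path}\n{int(ts)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def gateway_headers(method, path, now=None):
    """Headers the gateway would add to the forwarded request."""
    ts = int(now if now is not None else time.time())
    return {
        "X-Gateway-Timestamp": str(ts),
        "X-Gateway-Signature": gateway_sign(method, path, ts),
    }


def is_from_gateway(remote_addr, method, path, headers, now=None):
    """Microservice-side check. Returns (accepted, reason)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "bad peer address"
    # 1. Peer must be the gateway itself, not an arbitrary client.
    if not any(addr in net for net in GATEWAY_NETWORKS):
        return False, "peer is not the gateway"
    # 2. Signature must be present, fresh, and valid for this exact request.
    ts_raw = headers.get("X-Gateway-Timestamp")
    sig = headers.get("X-Gateway-Signature", "")
    if ts_raw is None or not ts_raw.isdigit():
        return False, "missing timestamp"
    ts = int(ts_raw)
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "stale signature"
    expected = gateway_sign(method, path, ts)
    # Constant-time compare: a plain == would leak the prefix via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic, all at a fixed clock for reproducibility.
    T = 1_700_000_000
    path = "/api/rest/serviceone"
    good = gateway_headers("GET", path, now=T)
    print(is_from_gateway("10.0.1.10", "GET", path, good, now=T))          # via gateway
    print(is_from_gateway("203.0.113.7", "GET", path, good, now=T))        # direct call
    print(is_from_gateway("10.0.1.10", "GET", path, {"X-From-Gateway": "true"}, now=T))
    print(is_from_gateway("10.0.1.10", "GET", path, good, now=T + 300))    # replayed later
    print(is_from_gateway("10.0.1.10", "POST", path, good, now=T))         # sig for wrong method
```

The peer-address check on its own is the software equivalent of the firewall rule the answer recommends and is only meaningful if the service sees the gateway's real address (not a value copied from `X-Forwarded-For`). The signature check is what turns the "hacky" header idea into something a direct caller cannot forge without the secret.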


Generally, this kind of situation is handled by implementing a proper OAuth server wherein only your API gateway will handle the token validation. Any direct call to a microservice will not have a proper token exchange and hence the request will be aborted.

In case you have deployed your microservices on any cloud, you can achieve this by exposing routes only to the API gateway. And yes, firewall blocking and IP whitelisting are some of the other ways of restricting access to your microservices.

Ashish answered Oct 19 '22 23:10