I deployed Kong with the OAuth2 plugin successfully in front of one of my APIs.
The thing is, I can still directly do requests against my API endpoint without going through the api-gateway which should not be the case, as all requests should be routed via Kong.
How can I tell the API that a direct request is not a valid one - that the request has to be sent to Kong?
Something like this perhaps?
Sounds like you need to adjust your network settings. Only the Kong API gateway should be accessible by your clients. The upstream server should be accessible only by the Kong API gateway.
Thank you Jeremy - I will take a look into it tomorrow!
@Cooper Yes, that is what I thought - otherwise there would be no sense. Would this mean that I, for example, block specific URIs and ports from the APIs so that only access via Kong is feasible? E.g. using iptables?
By the way, each of my APIs listens on a different port; is this best practice with Kong? Or should they all listen on one and the same?
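
The network restriction suggested in this thread, sketched with iptables as raised in the follow-up question (an added example, not code from any poster or from the Kong project). The Kong address `10.0.0.10` and the upstream ports are constructed placeholders, and `upstream_rules` is a hypothetical helper that prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example: generate iptables rules for the upstream API host so that
# only the Kong node can reach the API ports. All values are placeholders.

KONG_IP="10.0.0.10"          # assumption: private address of the Kong node
API_PORTS="8081 8082 8083"   # assumption: one listening port per upstream API

# Print ACCEPT-from-Kong / DROP-everyone-else rule pairs for each port.
# Nothing is executed here; review the output, then run it as root.
upstream_rules() {
    kong_ip=$1; shift
    # Coarse IPv4 check: digits and dots only, so nothing else ends up in a rule.
    case $kong_ip in
        ''|*[!0-9.]*) echo "invalid Kong address: $kong_ip" >&2; return 1 ;;
    esac
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2; return 1; }
        # Order matters: the ACCEPT for Kong must precede the DROP.
        echo "iptables -A INPUT -p tcp -s $kong_ip --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# If Kong runs on the same host as the API, its traffic arrives from
# 127.0.0.1; pass that address instead (or bind the API to loopback only).
# $API_PORTS is left unquoted on purpose so it splits into separate ports.
upstream_rules "$KONG_IP" $API_PORTS
```

Because `-A` appends, an earlier broad ACCEPT rule in the INPUT chain would still let direct requests through, so check the existing ruleset with `iptables -S INPUT` before applying the output.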