How to ensure Upstream API endpoint only invoked through KONG

I have query if KONG is API gateway/management tool where we configure all our upstream service endpoints. How do we ensure request reaching to upstream service endpoint is only coming via KONG, what is stopping any consumer to directly hit upstream service endpoint bypassing KONG?
Specifically we use Open ID Connect protocol to secure our REST APIs, API endpoints expects JWT token issued by ODIC provider (PING in our case), how do we validate at API endpoint level if request really coming from KONG as JWT alone does not imply same.
Should there be client certificate validation enabled during SSL handshake between KONG and upstream service end point? If so how to enable/configure same. Secondly what about those upstream end points which are plain HTTP not Https?
We certainly does not want ip address whitelisting mechanism.

Please guide.

While certainly not the whole answers, these threads may provide some ideas:

1 Like