I’m experimenting with the Kong API gateway. It has nice features such as API key and HMAC authentication via plugins, so I don’t have to implement my own security into each of my APIs.
But it seems to be a trade-off. Suppose I have a Payment service. In it I need to check for an API key, so I create a request interceptor so that each request to the payment service needs to provide a valid API key.
I use Kong as a reverse proxy to the payment server upstream. I also want to move this API key validation into Kong, so my payment service (and other services) become plain, unsecured APIs. It seems nice since I don’t have to rewrite interceptors for each service. But if somebody knows the IP of the payment service, then they can hit the payment service directly without going through the Kong API gateway.
What should I do to achieve these:
- use Kong as the API gateway (reverse proxy)
- use Kong plugins for validation (API key / basic / HMAC) so I don’t need to re-configure them in my services
- avoid a security hole if somebody knows the address of an API and hits it directly (bypassing Kong security), but keep #1 and #2, so the API the programmers write is a simple API but stays secure
Thanks in advance
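As an added example (not part of the question above, and not Kong's own code), the defence-in-depth pattern that fits the third requirement: the network should only let the gateway reach the upstream, and on top of that the gateway injects a secret header that the upstream verifies, so a request that arrives directly at the service address is refused even though the API-key check itself lives in Kong. The header name `X-Gateway-Secret`, the handler and the sample requests are assumptions constructed for this example.

```python
import hmac
import os

# Hypothetical shared secret known only to the gateway and the upstream.
# In a real deployment it comes from the environment or a secret store;
# the fallback value here is a constructed placeholder so the example runs.
GATEWAY_SECRET = os.environ.get("GATEWAY_SECRET", "constructed-example-secret")
# Assumed header name that the gateway adds to every proxied request
# (in Kong this is the kind of header a request-transformer plugin would add).
GATEWAY_HEADER = "X-Gateway-Secret"


def is_from_gateway(headers):
    """Return True only if the request carries the header the gateway injects.

    Header names are matched case-insensitively (HTTP header names are), and
    the value is compared in constant time so the secret cannot be recovered
    byte by byte from response timing.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == GATEWAY_HEADER.lower():
            presented = value
            break
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), GATEWAY_SECRET.encode())


def handle_payment(headers, body):
    """Minimal upstream handler. The client API-key check is done by the
    gateway; the service only verifies the request really came through it."""
    if not is_from_gateway(headers):
        # Direct hit on the service address, bypassing the gateway: refuse it.
        return 403, {"error": "requests must come through the API gateway"}
    return 200, {"status": "charged", "amount": body.get("amount")}


# Constructed sample requests: one proxied by the gateway, one sent straight
# to the service, and one with a guessed header value.
via_gateway = {"Apikey": "client-key-123", "x-gateway-secret": GATEWAY_SECRET}
direct_hit = {"Apikey": "client-key-123"}
forged = {"X-Gateway-Secret": "guess"}

if __name__ == "__main__":
    for label, req in (("via gateway", via_gateway), ("direct", direct_hit), ("forged", forged)):
        print(label, handle_payment(req, {"amount": 10}))
```

The header check only helps if the secret never leaves the gateway and the upstream, so it complements, rather than replaces, a firewall or security-group rule that restricts the service to the gateway's address.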