Securing microservice API behind Kong API gateway

I’m experimenting with the Kong API gateway. It has nice features such as API key and HMAC authentication via plugins, so I don’t have to implement my own security in each of my APIs.

But it seems to be a trade-off. Suppose I have a Payment service. In it I need to check for an API key, so I create a request interceptor; each request to the payment service needs to provide a valid API key.

I use Kong as a reverse proxy to the payment server upstream. I also want to move this API key validation into Kong, so my payment service (and other services) become plain, unsecured APIs. It seems nice since I don’t have to re-write interceptors for each service. But if somebody knows the IP of the payment service, then they can hit the payment service directly without going through the Kong API gateway.

What should I do to achieve these:

  1. use Kong as the API gateway (reverse proxy)
  2. use Kong plugins for validation (API key / basic / HMAC) so I don’t need to re-configure them in my services
  3. avoid a security hole if somebody knows the address of an API and hits it directly (bypassing Kong security), but keep #1 and #2, so the APIs programmers write stay simple but secure

Thanks in advance

For #3 you can configure your network so users can’t reach the API directly (DNS/firewall, what have you). Or, in our case where we can’t really mess with the network like that, we just do this, which sends a JWT for API providers to validate to make sure the transaction came from the gateway:
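As an added illustration of the approach in the answer above (not code from the answerer or from Kong), here are both sides of that exchange in Python: the gateway mints a short-lived HS256 JWT on every proxied request, and the upstream payment service refuses any request that does not carry a valid one, so a request that reaches the service's IP directly is rejected even though the service itself has no API-key logic. The shared secret, the `X-Gateway-Token` header name and the `iss`/`aud` values are assumptions made for this example; in a real deployment the issuing side would live in a Kong plugin rather than in Python, and the secret would come from a secret store.

```python
import base64
import hashlib
import hmac
import json

# Assumed shared secret between the gateway and the upstream service
# (constructed for this example only; load it from a secret store in practice).
GATEWAY_SECRET = b"constructed-example-secret-do-not-use"
GATEWAY_ISSUER = "kong-gateway"         # assumed "iss" claim value
UPSTREAM_AUDIENCE = "payment-service"   # assumed "aud" claim value
TOKEN_HEADER = "X-Gateway-Token"        # assumed header the gateway adds upstream


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def gateway_issue_token(secret: bytes, now: int, ttl: int = 60) -> str:
    """Gateway side: mint a short-lived HS256 JWT asserting the request passed through the gateway."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": GATEWAY_ISSUER, "aud": UPSTREAM_AUDIENCE, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def upstream_verify(headers: dict, secret: bytes, now: int):
    """Upstream side: accept the request only if it carries a valid gateway-issued JWT.

    Returns (ok, reason). Every failure mode a direct (gateway-bypassing) caller
    could produce is rejected: no token, malformed token, wrong or "none" algorithm,
    bad signature, wrong issuer/audience, or an expired token.
    """
    token = headers.get(TOKEN_HEADER)
    if not token:
        return False, "missing gateway token"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: never let the token's own "alg" field pick the verifier.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    if claims.get("iss") != GATEWAY_ISSUER or claims.get("aud") != UPSTREAM_AUDIENCE:
        return False, "wrong issuer or audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "token expired"
    return True, "ok"


def handle_payment_request(headers: dict, now: int) -> int:
    """Toy payment endpoint: 403 unless the gateway token checks out, 200 otherwise."""
    ok, _reason = upstream_verify(headers, GATEWAY_SECRET, now)
    return 200 if ok else 403


if __name__ == "__main__":
    now = 1_700_000_000
    via_gateway = {TOKEN_HEADER: gateway_issue_token(GATEWAY_SECRET, now)}
    print("through gateway:", handle_payment_request(via_gateway, now + 5))  # 200
    print("direct hit:     ", handle_payment_request({}, now + 5))           # 403
```

The service-side check is what closes the hole in #3: Kong's plugins still do the user-facing API-key/HMAC validation (#1 and #2), and the only thing each service has to implement is this one gateway-token check, which is the same for every service and can live in a shared middleware. Keep the TTL short so a leaked token is useful only briefly, and rotate the shared secret like any other credential.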