Don't allow direct calls to Microservices. Only allow through API Gateway

Maybe this is a strange question (I'm new to Microservices), but I'm looking for some info on how to proceed with this. It does not need to be Spring specific, but that's the framework I'm using at the moment.

Example: Let's say we have two Microservices

a) http://myurlfortesting.com:8085/api/rest/serviceone

b) http://myurlfortesting.com:8090/api/rest/servicetwo

and we have set up Spring Zuul (acting as the API Gateway) with the following rules that forward the incoming calls:

/rest/one -> http://myurlfortesting.com:8085/api/rest/serviceone

/rest/two -> http://myurlfortesting.com:8090/api/rest/servicetwo

The question... Is there a way to stop users from directly accessing the services mentioned in a) and b) (only allow the calls that come through the API Gateway)?

Can this be done with Spring's Zuul (acting as an API Gateway) by setting up some extra filters, or do we set it up in the Microservices' endpoints?

I would even like to know if there is a way to not even process the direct calls on the Microservices' endpoints that don't come via the API Gateway.

Maybe this is solved with server-specific rules and has nothing to do with Spring?

Many thanks,

/D

Assuming that you have a firewall in place, you could restrict inbound traffic to the server to the ports that your Zuul endpoints are exposed on and disallow anyone from accessing the microservices' ports directly.

If you want to avoid going the firewall route, you could force the endpoints to check for a specific HTTP header or something that is set by Zuul prior to forwarding a request, but that would be hacky and easy to circumvent. Based on my past experiences, the "right" way would be to do this via a firewall. Your app should be responsible for dealing with requests. Your firewall should be responsible for deciding who can hit specific endpoints.

Generally, such situations are handled by implementing a proper OAuth server wherein only your API gateway will handle the token validation. Any direct call to a microservice will not have a proper token exchange and hence the requests will be aborted.

In case you have deployed your micro-services on any cloud, then you can achieve this by exposing routes only to the API gateway. And yes, firewall blocking and IP whitelisting are some of the other ways of restricting the access to your microservices.

Use a reverse proxy. We use Nginx for the same purpose. API gateways should always be deployed behind a load balancer in production scenarios to avoid the gateway being a single point of failure. Also, the gateway and services are deployed in a VPC.

The right way to do this with AWS API Gateway would be with the recently launched 'VPC Link' integration, which secures the connection between API Gateway and your backend inside your VPC.

https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/

Hey, I finally found a solution to accept requests only from the API Gateway in a microservices architecture. For that you can create a filter and, since Zuul acts as a proxy, check the header 'X-Forwarded-Host'; if it doesn't match the gateway service, then return an Unauthorised exception.

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.filter.GenericFilterBean;

// GatewayConstant, UnauthorisedException and ErrorResponse are the answer's own
// helper classes (not shown in the answer).
public class CustomGatewayFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Value of the X-Forwarded-Host header as seen by the microservice
        String proxyForwardedHostHeader = request.getHeader("X-Forwarded-Host");

        // Reject the request unless the header equals the configured gateway URL
        if (proxyForwardedHostHeader == null || !proxyForwardedHostHeader.equals(GatewayConstant.getGatewayURL())) {
            UnauthorisedException unauthorisedException = new UnauthorisedException("Unauthorized Access",
                    "Unauthorized Access, you should pass through the API gateway");
            byte[] responseToSend = restResponseBytes(unauthorisedException.getErrorResponse());
            response.setHeader("Content-Type", "application/json");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.getOutputStream().write(responseToSend);
            return;
        }
        chain.doFilter(request, response);
    }

    // Serialise the error body as JSON bytes
    private byte[] restResponseBytes(ErrorResponse errorResponse) throws IOException {
        String serialized = new ObjectMapper().writeValueAsString(errorResponse);
        return serialized.getBytes(StandardCharsets.UTF_8);
    }
}

Do not forget to add your custom filter in the Spring Security configuration:

.and().addFilterBefore(new CustomGatewayFilter(), ConcurrentSessionFilter.class);
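The filter above keys on X-Forwarded-Host, which is an informational header that proxies pass along rather than a secret, so it cannot by itself prove that a request came through the gateway. The following is an added example (not code from the answer above or from the Zuul project) of the "header set by Zuul" variant the accepted answer describes, done with a shared secret instead: a Zuul pre-filter stamps every proxied request with a value only the gateway knows, and a servlet filter on each microservice rejects requests that do not carry it, comparing in constant time. It assumes Spring Cloud Netflix Zuul 1.x (com.netflix.zuul.ZuulFilter and RequestContext) on the gateway and Spring Web on the services; the header name X-Gateway-Token and the environment variable GATEWAY_SHARED_SECRET are hypothetical names chosen for this example. The two classes would normally live in two different deployments; they are shown together here for readability.

```java
// Added example, not the answer's own code. GatewayStampFilter belongs to the Zuul
// gateway; GatewayOnlyFilter belongs to each microservice. The header name and the
// environment variable are hypothetical names chosen for this example.
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Gateway side: stamp every proxied request with the shared secret. */
public class GatewayStampFilter extends ZuulFilter {
    static final String HEADER = "X-Gateway-Token";
    private final String secret;

    public GatewayStampFilter() {
        this(System.getenv("GATEWAY_SHARED_SECRET"));
    }

    GatewayStampFilter(String secret) {
        if (secret == null || secret.isEmpty()) {
            // Fail closed at startup rather than forwarding unstamped requests
            throw new IllegalStateException("GATEWAY_SHARED_SECRET is not configured");
        }
        this.secret = secret;
    }

    @Override public String filterType() { return "pre"; }
    @Override public int filterOrder() { return 10; }
    @Override public boolean shouldFilter() { return true; }

    @Override
    public Object run() {
        // Zuul applies zuulRequestHeaders after copying the client's headers, so a
        // same-named header supplied by the client is replaced, not merged.
        RequestContext.getCurrentContext().addZuulRequestHeader(HEADER, secret);
        return null;
    }
}

/** Microservice side: reject any request that does not carry the gateway's secret. */
class GatewayOnlyFilter extends OncePerRequestFilter {
    private final byte[] expected;

    GatewayOnlyFilter(String secret) {
        this.expected = secret.getBytes(StandardCharsets.UTF_8);
    }

    /** Constant-time comparison so response timing does not leak the secret. */
    static boolean tokenMatches(String presented, byte[] expected) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expected);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (!tokenMatches(request.getHeader(GatewayStampFilter.HEADER), expected)) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"requests must come through the API gateway\"}");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

On the microservice, register it the same way as the answer's filter, for example `http.addFilterBefore(new GatewayOnlyFilter(System.getenv("GATEWAY_SHARED_SECRET")), UsernamePasswordAuthenticationFilter.class)`; on the gateway, expose GatewayStampFilter as a bean so Zuul picks it up. This authenticates the gateway, not the end user, and it is still the application-level fallback that the accepted answer calls hacky: the secret has to be distributed to every service and rotated, and it only helps if the services' ports are not reachable by anyone who can also read the gateway's configuration. Restricting the services' ports at the firewall or VPC level, as the other answers recommend, remains the primary control; this filter is defence in depth behind it.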

Comments
  • I would look into the firewall setup.
  • Are your Zuul endpoints running on another port on the server? Assuming that you have a firewall in place, you could restrict inbound traffic to the server to the ports that your Zuul endpoints are exposed on and disallow anyone from accessing the microservices' ports directly.
  • @RiaanNel Endpoints are running on another port on the server. Can this be done some other way (without a firewall), programmatically etc.?
  • You could force the endpoints to check for a specific HTTP header or something that is set by Zuul prior to forwarding a request, but that would be hacky and easy to circumvent. Based on my past experiences, the "right" way would be to do this via a firewall. Your app should be responsible for dealing with requests. Your firewall should be responsible for deciding who can hit specific endpoints.
  • @RiaanNel Could you please add your comment as an "answer" so that I can pin this on you? I think you covered/verified my question. Thanks!