API Security Gateway – Using APISIX in the EFPF Platform
Updated: Oct 29, 2020
API management refers to the control, distribution and analysis of APIs; it ensures that the needs of the applications and users that make use of an API are met. An API gateway is one such tool: it lets an organisation or platform manage the APIs or backend services it provides, manages or controls, and it gives all connecting clients a single point of entry to the available APIs. APISIX is the Apache Software Foundation’s newest top-level project; it delivers a dynamic, real-time, high-performance microservice API gateway. APISIX is used to implement the API Security Gateway in the EFPF platform.
The EFPF federation offers a range of tools and services, many of which provide one or more APIs that may be used by other tools and services or by developers of future ones. Through an API gateway, the EFPF platform can monitor, control and analyse usage of the available APIs to better understand how they are used. In addition, an established API gateway in the EFPF platform allows policies to define how users are required to interact with the APIs exposed by different entities in the federation.
The API management tool, or API Security Gateway (ASG), used in the EFPF platform is a component within the Data Spine. The ASG acts as a border gateway for all API calls targeting the Data Spine and exposes the services available in the EFPF ecosystem. While acting as a proxy, it also enforces security policies on the service calls being made. In EFPF the ASG is implemented using Apache APISIX, which was selected due to the following features:
Speed: As the ASG will proxy calls from the Data Spine to other platforms in the ecosystem, the latency for the calls should be minimized
Custom Plugins: The ASG should depend on minimal code/configuration for the development of custom security plugins
License: A permissive license is preferred (Apache / MIT) for the implementation of the ASG
Support for MQTT
The ASG in EFPF automatically creates routes for the services registered in the EFPF Data Spine’s Service Registry. Any service that is not registered in the Service Registry, and therefore not exposed as a route in the ASG, results in a 404 (“Not found”) response. In addition, the ASG has two custom security enforcement plugins. The OpenID Connect plugin provides token introspection, either by communicating with the identity server or by importing the public key used to sign the token; it verifies that the token was issued by the EFPF identity server and performs basic authorization via JSON Web Token scopes. The Policy Enforcement plugin then provides additional protection for the routes defined in the ASG: the identity server allows policies to be defined based on a user’s roles or attributes, and the plugin consults the policy engine to allow or reject calls based on the user’s privileges.
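The following is an added illustration, not code from EFPF or APISIX, of the decision chain the paragraph above describes: a route table derived from a service registry, a 404 for anything not registered, bearer-token verification with a scope check, and a role-based policy check. The service names, roles, signing key and tokens are constructed for the example, and the token is signed with HS256 using a shared secret purely to keep the example dependency-free; the EFPF plugin, as the text states, verifies tokens via introspection against the identity server or with the identity server's public key.

```python
"""Miniature API security gateway pipeline (added example; constructed data)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the Data Spine Service Registry (assumption).
SERVICE_REGISTRY = {
    "inventory": {"upstream": "http://inventory.example.internal:8080",
                  "scope": "inventory:read"},
    "orders": {"upstream": "http://orders.example.internal:8080",
               "scope": "orders:write"},
}

# Constructed policy table: service -> roles allowed to call it (assumption;
# in EFPF the policy engine in the identity server holds these rules).
POLICIES = {"inventory": {"analyst", "operator"}, "orders": {"operator"}}

# Shared secret for HS256. Simplification for the example only: the real
# plugin checks RS256 signatures with the identity server's public key.
SIGNING_KEY = b"constructed-example-key"
ISSUER = "efpf-idp"  # constructed issuer name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_routes(registry):
    """Derive the gateway route table from the registry: /<service>/ -> entry."""
    return {f"/{name}/": entry for name, entry in registry.items()}


def issue_token(sub, roles, scope, key=SIGNING_KEY, ttl=300):
    """Mint an HS256 JWT; stands in for the identity server in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "roles": roles, "scope": scope,
              "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, key=SIGNING_KEY, issuer=ISSUER):
    """Return the claims if signature, issuer and expiry check out, else None.

    The header's alg field is deliberately ignored: the gateway decides the
    algorithm, so an attacker-controlled "alg" cannot downgrade verification.
    """
    try:
        header, payload, sig = token.split(".")
        given_sig = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    if claims.get("iss") != issuer or claims.get("exp", 0) < time.time():
        return None
    return claims


def gateway_decision(path, auth_header, routes=None, policies=POLICIES):
    """Mimic the ASG chain: route lookup -> token and scope -> policy -> proxy."""
    routes = routes if routes is not None else build_routes(SERVICE_REGISTRY)
    prefix = next((p for p in routes if path.startswith(p)), None)
    if prefix is None:
        return 404, "no route: service not in registry"
    if not auth_header.startswith("Bearer "):
        return 401, "bearer token required"
    claims = verify_token(auth_header[len("Bearer "):])
    if claims is None:
        return 401, "token rejected"
    if routes[prefix]["scope"] not in claims.get("scope", "").split():
        return 403, "missing scope"
    if not policies[prefix.strip("/")] & set(claims.get("roles", [])):
        return 403, "policy denied"
    return 200, f"proxy to {routes[prefix]['upstream']}"


if __name__ == "__main__":
    analyst = issue_token("alice", ["analyst"], "inventory:read")
    print(gateway_decision("/inventory/items", "Bearer " + analyst))  # 200
    print(gateway_decision("/orders/1", "Bearer " + analyst))         # 403
    print(gateway_decision("/shipping/1", "Bearer " + analyst))       # 404
```

Each stage fails closed and the order matters: an unknown path is refused before any token is inspected, a bad token is refused before scopes are read, and a valid token with the right scope can still be denied by the role policy.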
The adoption of APISIX brings the EFPF project in line with many other companies and projects that have entrusted this open-source technology with their API management. EFPF was recently mentioned in an article on The New Stack, in which Nirojan Selvanathan from SRFG discussed the key features of APISIX: https://thenewstack.io/apisix-an-open-source-api-gateway-for-microservices/
The video of Nirojan’s interview with The New Stack is presented below: