OCI API Gateway deployed as a Dark Service. How to turn your OCI API Gateway to the Dark side of the cloud Part 1.

Rolando Carrasco
6 min read · Jan 7, 2023


This series of articles is going to be dedicated to turning different Oracle Cloud Services into Dark Services using Netfoundry.io.

In previous articles, we learned how Netfoundry.io and OpenZiti can help us create API Dark Services.

Now it is time for the OCI API Gateway to turn dark. OCI API Gateway is part of the Developer Services that Oracle offers in its cloud. It is a lightweight serverless gateway that can be deployed quickly and used to front both OCI workloads and backends hosted outside OCI.

It can be deployed either publicly or privately. Public means the gateway gets a public endpoint reachable from the internet; private means it gets a private IP in a private subnet of your VCN, so it is reachable only from networks connected to that VCN and never directly from the internet.

But as we have been learning in previous articles, APIs are under constant attack. If we expose our APIs to the internet, not only our consumers can reach them: anyone can enumerate them, fuzz them and try to break them. We need to be aware of this and ready for it.

In this article, we will learn how to turn your OCI API Gateway into the Dark side. This is what you need:

  1. An Oracle Cloud Infrastructure tenant. A 30-day free trial is enough
  2. A VCN divided into two private subnets: one for your Netfoundry.io Edge Router and a second one for your OCI API Gateway
  3. An OCI API Gateway deployed in that second private subnet
  4. An API deployment exposed on the OCI API Gateway
  5. A Service in the Netfoundry.io console
  6. An AppWAN in the Netfoundry.io console
  7. An identity assigned to the AppWAN that is allowed to reach the service
  8. A test from your laptop

The first two points were covered in a previous article in this series, so we will not repeat them here.

Now let’s create a private OCI API Gateway. Head into your OCI console and create a new OCI API Gateway:

Click on the blue Create Gateway button. Give the gateway a name (myDarkGateway in this walkthrough), set its type to Private, pick your VCN and select the private subnet you created for it.

Because we are using a private subnet, the OCI API Gateway hostname resolves to a private IP: it can be reached from inside the VCN (and from networks connected to it), but not from the internet.

Once created you will see it listed as created and private:

And once you click on the name of your gateway (myDarkGateway), you’ll see this:

Now is the time to create a very simple API with a mock response, since this is just for testing purposes. Scroll down the page and click on deployments (left side of the window):

Click on the Create deployment button. On the first configuration page, give the deployment a name and set the path prefix:

Our base path (path prefix) will be /dark. Leave the rest of the configuration as default and click on the blue Next button at the bottom of the page:

Then you will see this configuration page:

For this article, we will leave the No Authentication option as default; in the second part of this series we will combine the dark service with OpenID Connect-based authentication. Keep in mind what this means: the gateway itself will not authenticate callers, so for now the only access control is network reachability, which is exactly what the Netfoundry.io identity and AppWAN will enforce. For now, leave it as No Authentication and click the Next button.

Configure Route 1 as follows:

We are telling the gateway that our first route will:

  1. Serve in /questions
  2. Respond to the GET operation
  3. And the Backend Type is a Stock Response which we will configure in the next step

In the body paste this JSON message:

[
  {
    "question": "Favourite programming language?",
    "published_at": "2015-08-05T08:40:51.620Z",
    "choices": [
      {
        "choice": "Swift",
        "votes": 2048
      }, {
        "choice": "Python",
        "votes": 1024
      }, {
        "choice": "Objective-C",
        "votes": 512
      }, {
        "choice": "Ruby",
        "votes": 256
      }
    ]
  }
]

(That represents our sample response)

And finally, configure a response header (for a JSON body like this one, Content-Type: application/json is the natural choice, so clients parse it correctly):

Click on the Next button and the API will be deployed to your Gateway. After a few seconds, you will see it in Active mode:

In the Endpoint column click on the show link and then copy it:

https://mdsv5rqni2atlcnytbltwcyezm.apigateway.us-ashburn-1.oci.customer-oci.com/dark

That is the endpoint where your OCI API Gateway is going to serve requests, and for this particular deployment, it will accept requests under the /dark resource.

Now let's go to Cloud Shell to test it. Why Cloud Shell? Because the endpoint is private and we cannot connect to it from outside the VCN.

Use Cloud Shell's private networking to attach it to the VCN, and once connected, try a cURL command against the /questions route of the endpoint above:

It responds as expected.

OK. Up to this point, everything is working. Our API is reachable only from inside the VCN. Without extra configuration we cannot expose it to an external network. But since we already have a Netfoundry.io Edge Router on that VCN, we can configure a new Netfoundry.io service that lets us reach the gateway from an external network in a very secure fashion.

This gives us a dark OCI API Gateway: one that can be reached from outside the OCI network, but only from the specific endpoints (identities) we control.

Let's head to the Netfoundry.io console and create a service like this:

We are telling Netfoundry.io that we want to expose a service:

a) under the name darkoci.oracle.com

b) and route it to the gateway's private OCI hostname.

The name darkoci.oracle.com does not exist in public DNS, and it does not need to: the Edge Client on an enrolled device intercepts that name locally and tunnels the traffic through the fabric to the Edge Router in the VCN. That is part of the magic of Netfoundry.io.

Once created, let’s assign it to an AppWAN:

In this first article, I am using myLaptop to consume the API. In the next article, we will make a Node.js consumer application the endpoint. But since we are moving step by step, we will use my laptop. On my laptop I have the Netfoundry Edge Client with my identity registered, and that identity is what gives me access to the API:

Now let’s test our OCI API Gateway Dark Service:

Extremely simple.

I am reaching a private OCI API Gateway from a different network without opening a single inbound port to the internet from the OCI VCN perspective. The Edge Router only makes outbound connections to the Netfoundry.io fabric, and all communication is encrypted end to end. No need to provision a bastion, a VPN or a reverse proxy. No need to expose my OCI API Gateway to the internet.
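The Cloud Shell test and the laptop test above are the two ends of the same check: the gateway must be reachable from inside the VCN and from an enrolled identity, and from nowhere else. The script below is an added example (not code from the article, from Oracle or from NetFoundry) that automates that check in Python: it resolves a hostname, classifies where the answering address lives, tries a TCP connect, and optionally fetches /dark/questions and validates the stock body. The gateway hostname and darkoci.oracle.com are taken from the article; the 100.64.0.0/10 intercept range is the OpenZiti tunneler default and is an assumption about how the Edge Client is configured; the embedded sample body is a constructed copy of the stock response.

```python
# Added example: reachability smoke test for the dark OCI API Gateway.
# Not code from the article, Oracle or NetFoundry. Hostnames come from the
# article; the intercept range is the OpenZiti tunneler default (assumption).
import ipaddress
import json
import socket
import ssl
import urllib.request
from urllib.error import URLError

# The gateway's own (private) hostname, from the deployment's Endpoint column.
PRIVATE_HOST = "mdsv5rqni2atlcnytbltwcyezm.apigateway.us-ashburn-1.oci.customer-oci.com"
# The name configured on the Netfoundry.io service; it has no public DNS record.
INTERCEPT_HOST = "darkoci.oracle.com"
BASE_PATH = "/dark"
ROUTE = "/questions"

# Addresses the Edge Client hands out for intercepted names (OpenZiti default; assumed).
INTERCEPT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed copy of the stock response configured on the route.
SAMPLE_RESPONSE = [{
    "question": "Favourite programming language?",
    "published_at": "2015-08-05T08:40:51.620Z",
    "choices": [{"choice": "Swift", "votes": 2048}, {"choice": "Python", "votes": 1024},
                {"choice": "Objective-C", "votes": 512}, {"choice": "Ruby", "votes": 256}],
}]


def classify_address(ip):
    """Where does this address live: 'intercept', 'loopback', 'private' or 'public'?"""
    addr = ipaddress.ip_address(ip)
    if addr in INTERCEPT_RANGE:          # checked first: 100.64/10 is not 'private' in Python
        return "intercept"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def probe(host, port=443, timeout=3.0):
    """Resolve host and attempt a TCP connect. Never raises; returns a small report."""
    try:
        ip = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return {"host": host, "resolved": None, "where": None, "connect": "unresolvable"}
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            connect = "open"
    except OSError:                       # refused, timed out, or no route
        connect = "closed"
    return {"host": host, "resolved": ip, "where": classify_address(ip), "connect": connect}


def validate_response(payload):
    """Check the stock body has the expected shape; return the question text."""
    if not isinstance(payload, list) or not payload:
        raise ValueError("expected a non-empty JSON array")
    first = payload[0]
    for key in ("question", "choices"):
        if key not in first:
            raise ValueError(f"missing field {key!r}")
    if not all({"choice", "votes"} <= set(c) for c in first["choices"]):
        raise ValueError("malformed choices")
    return first["question"]


def fetch_questions(host, timeout=5.0):
    """GET https://<host>/dark/questions and return the parsed body, or None on failure."""
    # Caveat: the gateway presents its OCI-issued certificate, so a request for
    # INTERCEPT_HOST fails hostname verification unless the gateway has a custom
    # domain and certificate for that name. Do not disable verification to dodge this.
    req = urllib.request.Request(f"https://{host}{BASE_PATH}{ROUTE}",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return json.load(resp)
    except (URLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    # Expected: from the public internet both hosts are unresolvable or closed;
    # from Cloud Shell PRIVATE_HOST is open and 'private'; from an enrolled laptop
    # INTERCEPT_HOST resolves into INTERCEPT_RANGE and is open.
    for h in (PRIVATE_HOST, INTERCEPT_HOST):
        print(probe(h))
    body = fetch_questions(INTERCEPT_HOST)
    print("question:", validate_response(body) if body else "API not reachable")
```

Run it three times, from a machine on the public internet, from Cloud Shell attached to the VCN, and from the enrolled laptop; only the last two should report an open connect, and only the laptop should see an intercept address. The certificate caveat in fetch_questions matters in practice: if you want clients to talk to darkoci.oracle.com over TLS without warnings, give the gateway a custom domain and certificate for that name rather than turning off verification.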

