Question

I have an API that for firewall reasons can't sit on an internal DMZ and has to reside on the internal network. It was suggested that I build a 'shell' API that basically has all the same endpoints but just passes data back and forth between the APIs and Web App.

So is creating another API to sit in the internal DMZ so I can pass messages between the DMZ web app and the Internal Web API the best way to achieve this? Or more to the point: what is the standard way to forward HTTP requests from the DMZ to Internal via an Internal DMZ?

Would an ideal way be to set up ARR on the internal DMZ to send to the internal API?

Solution

In my experience, using a reverse proxy like that provided by nginx was the easiest approach as it involved little more than forwarding relevant external requests through the firewall.

https://www.nginx.com/resources/admin-guide/reverse-proxy/

The problem with a shell or facade, as some call it, is the constant need to update in two code bases and on at least two servers as the code evolves. Making one API work well and securing it will be an easier task and reduce maintenance complexity. With nginx, you can limit the URL paths that will be proxied.
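One way to set up what the answer describes, as an added example that is not part of the original answer: an nginx reverse proxy on the internal-DMZ host that forwards only chosen URL paths and verbs to the internal API and refuses everything else. Hostnames, addresses, ports, subnets and certificate paths are placeholders, not values from the question.

```nginx
# Reverse proxy on the internal-DMZ host. Only the API paths the DMZ web app
# needs are forwarded to the internal API; any other path is answered here
# with 404 and never reaches the internal network.
# All names, addresses and paths are placeholders (assumed, not from the question).
upstream internal_api {
    server internal-api.corp.example:8080;   # assumed internal API address
}

server {
    listen 443 ssl;
    server_name api-proxy.dmz.example;       # assumed name the DMZ web app calls

    ssl_certificate     /etc/nginx/certs/api-proxy.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/certs/api-proxy.key;

    # Only the DMZ web app subnet may talk to the proxy at all.
    allow 10.0.10.0/24;                      # assumed DMZ web app subnet
    deny  all;

    # Explicit endpoint prefix: forwarded unchanged, restricted to the verbs
    # the web app actually uses (GET also permits HEAD).
    location /api/v1/orders/ {
        limit_except GET POST { deny all; }
        proxy_pass http://internal_api;      # no trailing URI: request path passed as-is
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }

    # Read-only endpoint: nothing but GET/HEAD is forwarded.
    location = /api/v1/status {
        limit_except GET { deny all; }
        proxy_pass http://internal_api;
    }

    # Catch-all: every path not listed above is refused at the proxy.
    location / {
        return 404;
    }
}
```

Adding an endpoint later means adding one `location` block here rather than re-implementing it in a second code base, which is the maintenance point the answer makes.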

Licensed under: CC-BY-SA with attribution