Using API Proxy Endpoint as Apigee Alert Webhook: How to Limit Incoming Traffic ONLY to Apigee Alert System

anonymous · June 17, 2021, 5:18pm

Hello:

We are developing an API Monitoring Proxy on Apigee Edge that is designed to take in a JSON payload sent by the Alerts we have configured in Apigee and transform it into another payload to send to Service Now’s Events API. We want to ensure that our API Monitoring Proxy only allows traffic from Apigee’s Alert system and not from any other client.

Is there a recommended way of doing this? We have investigated IP Whitelisting, but it seems like the IP addresses used by Apigee Alerts are dynamic and not static.

Edit: We are already using an API key as a first line of defense, but we would like to add an additional layer of security.

ssvaidyanathan · June 17, 2021, 5:37pm

@Sara Kazemi

How about adding an API Key in the URL (as query param) and then verify that in the actual call within the proxy. With this you can make sure its only coming from the alert system. You can rotate the API Key once in every 30 days or so as well to make sure its secure. The analytics should tell info of whose calling just in case if you are curious

The same is mentioned here as well. Please see the table in point 8

anonymous · June 17, 2021, 5:40pm

Oops! Forgot to mention that we are already indeed using an API Key as a first line of defense. The client for whom we are developing this would like an extra layer of security, however.

Topic		Replies	Views
Validating clients aren't using other API Keys Apigee api-runtime	3	7	March 17, 2016
Apigee API Monitoring Notifications - is it ok to call proxy from alert webhook Apigee api-runtime	2	1	August 6, 2020
Security best practices/approaches - between Apigee Cloud and internal systems Apigee api-runtime	2	5	June 5, 2015

Using API Proxy Endpoint as Apigee Alert Webhook: How to Limit Incoming Traffic ONLY to Apigee Alert System

AI Suggested topics