How Does APISIX Bridge the Gap Between DMZ and the Internal Networks?
January 28, 2024
DMZ, or Demilitarized Zone, serves as a secure network zone strategically positioned between the internal and external networks (commonly the Internet). It acts as a safeguard for hosting services or resources that are not entirely trusted, thereby fortifying overall network security. Its core objective is to segregate communication between the internal network, often containing sensitive data and resources, and the external network. Simultaneously, it accommodates services or applications requiring interaction with the external network.
Within the DMZ, one can deploy public servers (e.g., web servers, mail servers, DNS servers) or proxy servers. These servers engage in communication with the external network but do not necessitate direct access to internal network resources. Placing these public services in the DMZ effectively reduces the risk to the internal network. Even if attackers breach the DMZ, they encounter additional hurdles to access sensitive internal network data.
To facilitate secure access between the DMZ and the internal network, APISIX can be utilized to conveniently manage API calls. Two application scenarios (in the manufacturing and finance sectors) will be presented below.
Scenario One: A Mobile Phone Manufacturer
DMZ: Open to the external network;
General Zone: Completely isolated from the external network, neither able to access nor be accessed by the external network.
The existing gateway system is not a mere north-south traffic gateway; rather, it integrates both north-south and east-west traffic.
Traffic requests primarily manifest in the following four scenarios:
-
Classic North-South: External network traffic traverses the DMZ gateway, then is routed to the General Zone gateway within the local domain, eventually reaching backend services.
-
Inter-domain Forwarding: External network traffic navigates through the DMZ gateway, realizing that the backend service is located outside the local domain. It traverses the internal backbone network to reach the General Zone gateway within the backend's domain before finally reaching the backend service.
-
East-West: A backend application (Region A) calls an interface of another application (Region B) (depicted here as a cross-domain invocation scenario). After passing through the gateway in the General Zone of the application (Region A), it is forwarded to the gateway in the General Zone of the application (Region B) before reaching the corresponding application.
-
Calling External Network Services: Backend services require access to third-party services (Taobao, JD, SF Express, etc.). After passing through the local General Zone gateway, the request is forwarded to the DMZ gateway and subsequently directed to the third-party service.
Scenario Two: A Financial Firm
Production External Network DMZ: Open to the external network;
Production Internal Network: Completely isolated from the external network, and all traffic must pass through the gateway for management.
The customer's primary objectives with APISIX revolve around addressing the following key aspects:
Supervisory Needs: To comply with regulatory standards, the customer seeks the ability to thoroughly record and audit all microservices calls when accessing internal services over the external network.
Robust Service Management: Ensuring stringent authentication and implementing traffic throttling measures for each microservice module is a crucial aspect of the customer's service management requirements.
Business Growth: The customer aims to resolve challenges in business expansion, particularly addressing the need for inter-microservices communication across different business domains or teams.
Holistic Management: As the number of microservices grows, the customer acknowledges the need to address the significant impact of increasing call chain complexity on overall business stability.
Future Prospects: Looking ahead to the cloudification transformation of applications, the customer highlights the pivotal role of a service gateway in driving the process of application cloudification.
Summary
To sum up, the DMZ plays a pivotal role in network security, acting as a barrier between internal and external networks. Its function is to safeguard sensitive data and resources while facilitating essential external interactions. Utilizing contemporary gateway systems and API management tools enhances the efficient management and security of network traffic, addressing the security and regulatory needs across diverse industries. Whether for a mobile phone manufacturer or a financial institution, employing these technologies ensures network security and operational stability, while also meeting the demands of future development.
To find out more about API management solutions, you can contact API7.ai.