Introducing Remote Gateway Registration for API Connect Multi-Tenant SaaS on AWS

By Timothy Dement posted 4 days ago

We are excited to announce the release of Remote Gateway Registration for API Connect Multi-Tenant SaaS on AWS. This new feature allows you to connect DataPower API Gateways deployed in your own environment with the API management capabilities of your SaaS Provider Organizations, providing a flexible hybrid solution for the lifecycle of your APIs.

Remote Gateway Registration allows you to manage APIs in the cloud while keeping your data traffic flowing within your own infrastructure, giving you better control over data flows over the network while still enjoying the benefits of cloud management. The connection between your gateways and the cloud service is secure and reliable. This helps with data privacy requirements, reduces response times for users, works with your existing security policies, and makes the most of your current DataPower investments.

Please also keep an eye out for future enhancements to this feature, including template-led deployments for those without a preexisting DataPower API Gateway as well as SNI and TLS customization options.

Prerequisites

Remote Gateway Registration requires that you have a DataPower API Gateway deployed in your own environment.

For further detail on deploying DataPower API Gateways, please see the following documentation:

Deploying on Kubernetes

Deploying on OpenShift in Different Namespaces

Deploying on OpenShift in a Shared Namespace

Registration Process

To begin, open the Instance settings panel in the top-right after logging in to your Service Instance.

Then select Register in the Remote gateway section.

Remote gateway registration requires that a DataPower gateway is running in your environment. Visit the links on the next page for setup instructions if you have not already deployed a DataPower gateway in your environment.

On the next page, enter the Namespace where your DataPower gateway is deployed. This value is used to populate the mgmt-platform-endpoint-ca-secret specification with the proper namespace. Then create this secret in your cluster.

Your GatewayCluster will also need to be updated to reference the correct jwksUrl and mgmtPlatformEndpointCASecret. Use the properties displayed at the bottom of this page to edit your GatewayCluster accordingly. Note that this will trigger a rolling restart of your GatewayCluster pods.

On the next page, enter the Title you wish to use for your DataPower gateway registration.

On the next page, enter the URL of the management endpoint. This can be retrieved from your GatewayCluster with the following command:
kubectl get gatewaycluster ${GATEWAY_CLUSTER_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.spec.gatewayManagerEndpoint.hosts[0].name}'

Note that this endpoint must be prefixed with https://.

Next, enter the ca.crt value for your gatewayManagerEndpoint. On Kubernetes and OpenShift, this value is stored in the secret referenced by your GatewayCluster; the secret's name is returned by:

kubectl get gatewaycluster ${GATEWAY_CLUSTER_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.spec.gatewayManagerEndpoint.hosts[0].secretName}'


The value of ca.crt can then be retrieved with the following command:

kubectl get secret ${SECRET_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.data.ca\.crt}' \
  | base64 --decode   # --decode is accepted by both GNU and macOS base64 (macOS also accepts -D)

On the next page, enter the Base URL of the API invocation endpoint. This can be retrieved from your GatewayCluster with the following command:
kubectl get gatewaycluster ${GATEWAY_CLUSTER_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.spec.gatewayEndpoint.hosts[0].name}'

Note that this endpoint must be prefixed with https://.

Next, enter the tls.crt and tls.key values for your gatewayEndpoint. On Kubernetes and OpenShift, these values are stored in the secret referenced by your GatewayCluster; the secret's name is returned by:

kubectl get gatewaycluster ${GATEWAY_CLUSTER_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.spec.gatewayEndpoint.hosts[0].secretName}'


The values of tls.crt and tls.key can then be retrieved with the following commands:

kubectl get secret ${SECRET_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.data.tls\.crt}' \
  | base64 --decode   # --decode is accepted by both GNU and macOS base64 (macOS also accepts -D)

kubectl get secret ${SECRET_NAME} \
  --namespace=${GATEWAY_CLUSTER_NAMESPACE} \
  --output=jsonpath='{.data.tls\.key}' \
  | base64 --decode

On the next page, select Register to complete registration. Note that this process can take 10-15 seconds to complete.

Once this is complete, the remote gateway will appear in the Gateways table under the Instance settings panel.
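The steps above pull five values out of the GatewayCluster and its two secrets and paste them into the registration form. The following script is an added example (not IBM's code or part of this announcement) that performs the same lookups in one place and checks the values before they are submitted: it adds the required https:// prefix and refuses an http:// endpoint, decodes the secret fields exactly as the jsonpath/base64 commands do, and verifies that each pasted value is actually PEM of the expected kind, so a mis-copied field fails here rather than during registration. The GatewayCluster and Secret objects are constructed inline in the shape `kubectl get ... --output=json` returns, with placeholder PEM bodies instead of real certificates, so the script runs offline; the names and hostnames in them are assumptions.

```python
"""Assemble the Remote gateway registration form values from a GatewayCluster.

Added example, not IBM's code. It mirrors the kubectl/jsonpath lookups in
the registration steps, but the GatewayCluster and Secret objects are
constructed inline (as kubectl would return them with --output=json) so
the script runs offline.
"""
import base64
import ssl


def https_url(host: str) -> str:
    """Both endpoints must be entered with an https:// prefix; refuse http://."""
    if host.startswith("https://"):
        return host
    if host.startswith("http://"):
        raise ValueError(f"plaintext endpoint not accepted: {host}")
    return f"https://{host}"


def secret_field(secret: dict, key: str) -> str:
    """Same as jsonpath '{.data.<key>}' piped through base64 --decode."""
    data = secret.get("data", {})
    if key not in data:
        raise KeyError(f"secret {secret['metadata']['name']} has no data.{key}")
    return base64.b64decode(data[key]).decode()


def check_pem(pem: str, kind: str) -> None:
    """Catch a mis-pasted value before it reaches the form."""
    if kind == "CERTIFICATE":
        # Validates the BEGIN/END CERTIFICATE framing and the base64 body.
        ssl.PEM_cert_to_DER_cert(pem)
    elif "PRIVATE KEY-----" not in pem.splitlines()[0]:
        raise ValueError("expected a PEM private key")


def registration_values(gwc: dict, secrets: dict) -> dict:
    """Return the five values the wizard asks for, keyed by form field."""
    spec = gwc["spec"]
    mgmt = spec["gatewayManagerEndpoint"]["hosts"][0]  # management endpoint
    api = spec["gatewayEndpoint"]["hosts"][0]          # API invocation endpoint
    ca_crt = secret_field(secrets[mgmt["secretName"]], "ca.crt")
    tls_crt = secret_field(secrets[api["secretName"]], "tls.crt")
    tls_key = secret_field(secrets[api["secretName"]], "tls.key")
    check_pem(ca_crt, "CERTIFICATE")
    check_pem(tls_crt, "CERTIFICATE")
    check_pem(tls_key, "PRIVATE KEY")
    return {
        "management_endpoint_url": https_url(mgmt["name"]),
        "ca_crt": ca_crt,
        "api_invocation_base_url": https_url(api["name"]),
        "tls_crt": tls_crt,
        "tls_key": tls_key,
    }


# --- constructed sample objects: placeholder PEM bodies, not real certificates ---
def _pem(label: str, payload: bytes) -> str:
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _b64(text: str) -> str:
    # Secret .data values are base64-encoded, as kubectl returns them.
    return base64.b64encode(text.encode()).decode()


SAMPLE_GATEWAYCLUSTER = {
    "metadata": {"name": "gwv6", "namespace": "apic-gw"},  # assumed names
    "spec": {
        "gatewayManagerEndpoint": {
            "hosts": [{"name": "gwm.apic.example.internal",
                       "secretName": "gwv6-gwm-endpoint"}]},
        "gatewayEndpoint": {
            "hosts": [{"name": "gw.apic.example.internal",
                       "secretName": "gwv6-gw-endpoint"}]},
    },
}

SAMPLE_SECRETS = {
    "gwv6-gwm-endpoint": {
        "metadata": {"name": "gwv6-gwm-endpoint"},
        "data": {"ca.crt": _b64(_pem("CERTIFICATE", b"constructed-ca-placeholder"))},
    },
    "gwv6-gw-endpoint": {
        "metadata": {"name": "gwv6-gw-endpoint"},
        "data": {
            "tls.crt": _b64(_pem("CERTIFICATE", b"constructed-cert-placeholder")),
            "tls.key": _b64(_pem("PRIVATE KEY", b"constructed-key-placeholder")),
        },
    },
}

if __name__ == "__main__":
    for field, value in registration_values(SAMPLE_GATEWAYCLUSTER, SAMPLE_SECRETS).items():
        print(f"{field}: {value.strip().splitlines()[0]}")
```

Against a live cluster, replace the two sample objects with `json.load` of `kubectl get gatewaycluster ... --output=json` and `kubectl get secret ... --output=json`; the lookups and checks stay the same. Keep in mind that tls.key is the private key of your API invocation endpoint, so treat the script's output with the same care as the secret itself.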

De-Registration Process

To de-register a remote gateway, begin by opening the Instance settings panel in the top-right after logging in to your Service Instance. Select the trashcan icon next to your remote gateway in the Gateways table.

Then confirm the removal by entering the name of your remote gateway. Your remote gateway will be de-registered when you click Remove.

Demonstration

Please see the video below for a walkthrough of the setup and use of a remote gateway.

Comments

21 hours ago

Thanks for this. Good resource to have when servicing clients.

3 days ago

Great update! Previously, API Connect Enterprise as a Service did not support private endpoints for APIs. I hope this new feature removes that limitation and now allows private endpoint access through registered remote gateways.