9 Secure API infrastructure
This chapter covers
- Improving API management with API gateways
- Configuring secure network topologies
- Protecting APIs from attacks against OSI layers 3–6
- Preventing application-level attacks with web application firewalls
When we are ready to deploy our APIs, we have to think about how to protect the infrastructure in which they’re going to operate. In previous chapters, you learned how to make APIs secure by design, implement robust authentication and authorization systems, and so on. These techniques help prevent application-level attacks. As you’ll learn in this chapter, other forms of attack, such as port scanning and denial-of-service (DoS) attacks, target lower levels of the networking stack and can also compromise your security posture. You’ll learn about the vulnerabilities threat actors exploit to perform such attacks and see how you can harden your servers and use off-the-shelf solutions to protect your infrastructure.
You’ll learn about the effect of your network topology on your security posture. API infrastructure includes multiple elements, such as web servers, databases, and queues, and not all of them should be exposed directly to external users or allowed to receive external traffic. You’ll learn how to restrict access to your API infrastructure with bastion servers, establish a demilitarized zone for your inbound traffic, and prevent lateral movement between your servers.