Guide on how to protect OIC endpoints with OCI API Gateway

The February release for the Oracle Integration Cloud (OIC) is out and with it several new features and enhancements.

One of the most interesting new capabilities is the direct integration with the Oracle Cloud Infrastructure (OCI) API Gateway. Users can now directly publish their endpoint from OIC into the OCI API Gateway.

Up until now one would need to manually expose that endpoint in the API Gateway, which was not the most efficient way. That is now solved 🙂

OCI API Gateway

The API gateway offers several benefits in terms of security and control.

You can use request policies and/or response policies to:

  • limit the number of requests sent to back-end services
  • enable CORS (Cross-Origin Resource Sharing) support
  • provide authentication and authorization
  • modify incoming requests and outgoing responses
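
As an added illustration (not part of the original post), here is an API deployment specification that applies two of the policies listed above, rate limiting and CORS, to a single route. The route path, the rate, the allowed origin and the backend URL placeholder are assumptions made up for this example; no authentication policy is defined, so the backend (OIC) credentials are still passed through by the caller.

```json
{
  "requestPolicies": {
    "rateLimiting": {
      "rateKey": "CLIENT_IP",
      "rateInRequestsPerSecond": 10
    },
    "cors": {
      "allowedOrigins": ["https://app.example.com"],
      "allowedMethods": ["GET"],
      "allowedHeaders": ["Authorization", "Content-Type"],
      "exposedHeaders": [],
      "isAllowCredentialsEnabled": false,
      "maxAgeInSeconds": 3600
    }
  },
  "routes": [
    {
      "path": "/hello",
      "methods": ["GET"],
      "backend": {
        "type": "HTTP_BACKEND",
        "url": "https://<oic-instance-host>/<integration-endpoint-path>"
      }
    }
  ]
}
```

With "rateKey" set to "CLIENT_IP" each client address is limited separately; "TOTAL" applies one limit across all callers.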

Create an API Gateway

The first thing is to have an API Gateway running on OCI.

Follow these instructions to create a new gateway: https://docs.oracle.com/en-us/iaas/Content/APIGateway/Tasks/apigatewaycreatinggateway.htm

NOTE: the gateway should be in the same region as the OIC instance, otherwise it is not possible to deploy it.

OIC Settings

Go to Home > Settings > Integrations > API Management and configure accordingly.

https://docs.oracle.com/en/cloud/paas/integration-cloud/integrations-user/connecting-oracle-api-gateway.html

You can choose between API Gateway or API Platform. Only one can be configured at a time. The API Gateway is the recommended service going forward.

Publish the Integration

This only works with (REST) App Driven Integrations as they expose an endpoint.

I have an Integration – API_HelloWorld that is exposed as a REST endpoint, takes a name as input parameter and returns:

{
    "response": "Hello <name>, this is your first call with the API Gateway!"
}

In the Integration menu list, click the options button for the desired integration and select API Management. (This option is only visible for active integrations.)

Choose Compartment and Gateway.

If all goes well, the endpoint is deployed successfully.

Calling the Endpoint with POSTMAN

First I want to call the OIC Endpoint directly (with the OIC authentication).

Now I do the same test but with the API Gateway endpoint. I have not defined any authentication mechanism in the API Gateway, hence we pass the credentials for the backend endpoint (OIC).

Note: It took some minutes before the endpoint was accessible; I got a couple of 404 errors immediately after deployment.

Conclusion

This new feature really facilitates the deployment of APIs into the API Gateway, further enhancing OIC capabilities, and proving that the native integration with the Oracle Cloud Infrastructure is game-changing in the iPaaS world.

In future posts I will look into some of the API Gateway capabilities, like rate limiting, authentication, and enriching requests/responses with headers!

Stay Tuned!