FA controls on traffic

dan · 8 Nov 2022, 14:57

From slack:

Appreciate your thoughts on this use case! We are currently calling FusionAuth(FA) APIs from servers in our datacenter. We are currently exploring a few options on connecting FA from Apigee. When we initiate the request from our datacenter, we feel comfortable on the connections going out to FA. When we start interacting with FA from Apigee, does FA put up any existing controls on inspecting the incoming traffic/IP etc., any IP whitelisting or any other controls that 'd make this communication from Apigee more secure.

dan · 8 Nov 2022, 15:02

FusionAuth supports IP access control lists. This feature is only available in the enterprise edition. You can learn more about that here: https://fusionauth.io/docs/v1/tech/advanced-threat-detection/#ip-acls . You can lock down both applications and API keys to a given set of IP ranges.

If you don't want to pay for enterprise edition, you can lock things down at the network level. How you do so depends on your deployment model. For example, if you are running FusionAuth in AWS, you can lock down network access via security groups and NACLs. If you are running FusionAuth in Kubernetes, you can lock it down via network policies.

srikanth.bussa · 10 Nov 2022, 19:31

@dan Appreciate your response and insight, and thanks for sharing the links to set this up on FusionAuth(FA). We are planning to consume FA's JWT response on Apigee and since this IP whitelisting is available on FA, we could explore few other items on Apigee. Thanks

dan · 11 Nov 2022, 03:16

@srikanth-bussa Great.

If you need to customize the JWT, I'd suggest looking at the populate lambda and lambda HTTP connect as well.