Secure access to backend services in Hybrid Cloud

Question

I have some doubts about which is the most appropiate way to allow access to my company backend services from public Clouds like AWS or Azure, and viceversa. In our case, we need an AWS app to invoke some HTTP Rest Services exposed in our backend.

I came out with at least two options:

• The first one is to setup an AWS Virtual Private Cloud between the app and our backend and route all traffic through it.
• The second option is to expose the HTTP service through a reverse proxy and setup IP filtering in the proxy to allow only income connections from AWS. We don´t want the HTTP Service to be public accesible from the Internet and I think this is satisfied whether we choose one option or another. Also we will likely need to integrate more services (TCP/UDP) between AWS and our backend, like FTP transfers, monitoring, etc.

My main goal is to setup a standard way to accomplish this integration, so we don't need to use different configurations depending on the kind of service or application.

I think this is a very common need in hybrid cloud scenarios so I would just like to embrace the best practices.

I would very much appreciate it any kind of advice from you.

Answer 1

Your option #2 seems good. Since you have a AWS VPC, you can get an IP to whitelist by your reverse proxy.

There is another approach. That is, expose your backends as APIs which are secured with Oauth tokens. You need some sort of an API Management solution for this. Then your Node.js app can invoke those APIs with the token.

WSO2 API Cloud allows your to create these APIs in the cloud and run the api gateway in your datacenter. Then the Node.js api calls will hit the on-prem gateway and it will validate the token and let the request go to the backend. You will not need to expose the backend service to the internet. See this blog post. https://wso2.com/blogs/cloud/going-hybrid-on-premises-api-gateways/