Last post Jan 06, 2014 05:50 AM by DarrellNorton
Jan 04, 2014 08:04 PM | ncage
We are in the beginning stages of creating our web api. We plan to use it for both internal apps and our web site. Our api will actually be hosted on different machines than our main website so they can be scaled independently. Our website of course will be flowing through the web application servers?
This is currently how we see the flow:
Internet <----> Firewall<--->DMZ(Web Servers)<---->Firewall<--->DMZ(Web Api Servers)<---->Firewall<----->Internal Network
I think the answer is to have everything flow through the web servers, but I'm not sure. If this is the case, the web api servers will need to know which client each request is dealing with. So that the web api servers don't have to deal with state, what is the best way to accomplish this? Maybe store the unique key for the client in session on the web servers and pass that along with each request? Of course we are thinking of moving it to the cloud (azure) someday and don't want to make any decisions that make that more difficult. Anyways, any help would be appreciated.
Jan 06, 2014 05:50 AM | DarrellNorton
Client browsers generally will be hitting your WebAPI directly.
If you want to make the current flow that you have identified work, you will end up reproducing the entire WebAPI on the web server with a facade that just passes calls along. This will hurt performance without really buying you anything.
There are other ways to secure WebAPI. Take a look at these articles:
My recommendation would be to put your WebAPI servers in the DMZ with the web servers and secure them (and your ASP.NET app) appropriately.
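One stateless way for the API tier to know which client each request belongs to, as an added example that is not from either poster: the caller signs every request with a per-client HMAC key, and a Web API 2 DelegatingHandler on the API server verifies the signature and attaches the client id to the request, so no session is shared between the tiers. The header names, the "website" client id, its secret and the 5-minute replay window are assumptions for illustration; it targets .NET 4.6 or later for ToUnixTimeSeconds.

```csharp
// Added example, not from either poster: a Web API 2 DelegatingHandler that identifies the calling
// client from an HMAC-signed header. Header names, the "website" id and its secret are placeholders.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public class ClientSignatureHandler : DelegatingHandler
{
    // client id -> shared secret; in production this comes from a per-client secret store
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
    {
        { "website", Encoding.UTF8.GetBytes("PLACEHOLDER-random-256-bit-secret") }
    };
    static string Header(HttpRequestMessage r, string n) =>
        r.Headers.Contains(n) ? string.Join("", r.Headers.GetValues(n)) : null;
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string clientId = Header(request, "X-Client-Id"), ts = Header(request, "X-Timestamp");
        string sig = Header(request, "X-Signature");
        byte[] secret; long unix;
        // Missing headers, an unknown client or a timestamp outside a 5-minute window are rejected.
        if (clientId == null || ts == null || sig == null || !Secrets.TryGetValue(clientId, out secret)
            || !long.TryParse(ts, out unix)
            || Math.Abs(DateTimeOffset.UtcNow.ToUnixTimeSeconds() - unix) > 300)
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        // The signature binds method, path, timestamp and body to the client's key.
        string body = request.Content == null ? "" : await request.Content.ReadAsStringAsync();
        string data = request.Method.Method + "\n" + request.RequestUri.PathAndQuery + "\n" + ts + "\n" + body;
        byte[] expected;
        using (var hmac = new HMACSHA256(secret)) expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
        byte[] given = new byte[0];
        try { given = Convert.FromBase64String(sig); } catch (FormatException) { }
        if (!FixedTimeEquals(expected, given)) return request.CreateResponse(HttpStatusCode.Unauthorized);
        request.Properties["ClientId"] = clientId;   // controllers read this instead of a session
        return await base.SendAsync(request, cancellationToken);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)   // constant-time MAC comparison
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it with config.MessageHandlers.Add(new ClientSignatureHandler()) in WebApiConfig; the web tier (or any other client) computes the same HMAC over method, path, timestamp and body with its own key before sending. Because the key is per client, a compromised host in one DMZ segment cannot impersonate another client to the API tier.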