Restrict Access Using the API Gateway

You can restrict access to Oracle Integration using the API Gateway and an allowlist.

Overview

If all traffic to Oracle Integration is in the form of REST API calls, this setup suits your needs. However, if you have traffic in the form of non-REST API calls, this scenario might not be ideal. You have traffic in the form of non-REST calls if your organization supports any of the following situations:

  • Users working in the Oracle Integration user interface, including using Visual Builder and the Processes feature
  • Users working in the Oracle Cloud Infrastructure Console user interface
  • SOAP calls

If you support any non-REST calls, you must use the Oracle Integration allowlist to manage this access. Here's why: API Gateway doesn't let you add IP addresses to an allowlist.

How Each Item Controls Access

  • All REST traffic from the internet is routed to API Gateway.

    For details about how access is restricted, see Overview of API Gateway in the API Gateway documentation.

  • The allowlist lets the following entities access Oracle Integration:
    • API Gateway VCN
    • Service gateway, if your organization has one
    • REST and SOAP requests

    Note:

    If you need Visual Builder and Processes access, this pattern allows for bypassing the API Gateway.

If your organization has a service gateway, the service gateway lets your virtual cloud network (VCN) privately access Oracle Integration without exposing the data to the public internet.

Advantages

Disadvantages

  • If your organization uses File Server, you can't restrict access using the API Gateway.

    You'd have to allow direct access to File Server.

  • This option is more complex, time consuming, and error prone than the self-service allowlist on its own.
  • If you don't configure everything exactly as required, users experience access issues. For instance, users can't access the Processes feature, and only people on the internal network can access Visual Builder.
  • For any non-REST calls to Oracle Integration, you must provide direct access using the Oracle Integration allowlist. You're limited to 15 access rules for this allowlist.

Tasks to Complete for this Scenario

  1. Configure API Gateway according to your organization's requirements.

    See the API Gateway documentation.

  2. Add your organization's VCN OCID to the allowlist. The VCN must be in the same region as Oracle Integration.

    When the VCN OCID is on the allowlist, your virtual cloud network bypasses the API Gateway.

  3. Add API Gateway to the allowlist.
  4. Enable loopback so that Oracle Integration can call itself.

    For example, enabling loopback allows Oracle Integration to call its own REST APIs. 

Note:

You must complete these steps by hand and use the correct format, or users experience access issues.
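Because the steps are entered by hand, a pre-flight check of the planned allowlist can catch the mistakes this page warns about before anyone is locked out. The following is an added example, not Oracle code: the `plan` dictionary and its keys are a hypothetical planning format (not an OCI API payload), the OCIDs are placeholders, and it assumes that API Gateway is allowlisted through its VCN OCID and that each VCN or IP/CIDR entry counts as one access rule.

```python
import ipaddress

MAX_RULES = 15  # allowlist limit stated on this page

def vcn_region(ocid):
    """Return the region segment of a VCN OCID, or None if it is not one."""
    parts = ocid.split(".")
    ok = len(parts) == 5 and parts[:2] == ["ocid1", "vcn"] and bool(parts[4])
    return parts[3] if ok else None

def check_plan(plan):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    region = plan["instance_ocid"].split(".")[3]  # instance OCID assumed well-formed
    vcns, ips = plan.get("vcn_ocids", []), plan.get("ip_rules", [])
    gateway = plan["api_gateway_vcn_ocid"]
    for ocid in dict.fromkeys(vcns + [gateway]):  # de-duplicated, order kept
        found = vcn_region(ocid)
        if found is None:
            problems.append(f"not a VCN OCID: {ocid}")
        elif found != region:  # step 2: VCN must share the instance's region
            problems.append(f"region mismatch ({found} vs {region}): {ocid}")
    if gateway not in vcns:  # step 3
        problems.append("API Gateway VCN is not on the allowlist")
    for rule in ips:
        try:
            ipaddress.ip_network(rule, strict=False)
        except ValueError:
            problems.append(f"invalid IP or CIDR: {rule}")
    # Assumption: every VCN entry and every IP/CIDR entry counts as one rule.
    if len(vcns) + len(ips) > MAX_RULES:
        problems.append(f"{len(vcns) + len(ips)} rules exceed the limit of {MAX_RULES}")
    if not plan.get("loopback"):  # step 4
        problems.append("loopback is not enabled")
    return problems

# Constructed sample plan (placeholder OCIDs, documentation-range addresses).
SAMPLE = {
    "instance_ocid": "ocid1.integrationinstance.oc1.phx.exampleinstance",
    "api_gateway_vcn_ocid": "ocid1.vcn.oc1.phx.examplegateway",
    "vcn_ocids": ["ocid1.vcn.oc1.iad.exampleorgvcn"],
    "ip_rules": ["203.0.113.0/24", "203.0.113.300/32"],
    "loopback": False,
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE):
        print("FAIL:", problem)
```

The region comparison uses the region segment of the two OCIDs directly, so no region lookup table is needed.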