Deployment View of Public and Private APIs in CloudHub

Author: Ashish Pardhi

 

Purpose

This document summarizes the deployment (hosting) view of Public and Private APIs in the MuleSoft Anypoint Platform.

Use Anypoint Exchange to configure whether API instances are public or private in a private Exchange instance or in an Exchange public portal. For example, configure public or private visibility for the proxies or policies that are associated with your API and set through API Manager.

After you register an API from Exchange in API Manager, the instances for the API appear in Exchange in the API instances list in the navigation bar.

Exchange also creates API instances for APIs managed by another API management program besides Anypoint Platform.

Visibility for each API instance is either private or public. Users can see a private API instance if the asset is shared with them or if they have an Anypoint Platform permission that grants access. All users accessing an Exchange public portal can see all public API instances. All API instances in an Exchange public portal are read-only.

In a private Exchange instance, asset administrators have access to change the visibility of API instances, and to add, edit, and delete instances.

REST APIs provide a mocking service with data to test API features. The mocking service is always public.

 

Private APIs

Private APIs are APIs with endpoints that are accessible only within your network. Process and System APIs are the most eligible candidates for Private APIs. API Functional Monitoring (AFM) lets you monitor private APIs if you have a subscription to Anypoint Virtual Private Cloud (Anypoint VPC). With Anypoint VPC, you can run workers in CloudHub in a virtual, private, and isolated network segment, rather than in a region in which resources are shared. A private location is a worker that runs in a CloudHub environment that is associated with an instance of Anypoint VPC. AFM can create workers within Anypoint VPC that can run tests against APIs that are accessible only within the network that Anypoint VPC is configured for. The APIs must be deployed in CloudHub. You can create multiple private locations in a single instance of Anypoint VPC.

 

Deployment View

The following diagram shows how an API is deployed on CloudHub workers and how it can be exposed to consumers that are internal to the Client Corporation network.

 

 

If you wish to expose HTTP services only inside a VPC, these services can be exposed on ports ${http.private.port} and ${https.private.port} (by default 8091 and 8092 respectively), which are open by default on the internal network. In this case, these services are not accessible on the public IPs or the load-balancer, ensuring that they can be accessed securely.

To load-balance an application deployed on multiple workers, a CloudHub Dedicated Load Balancer needs to be configured.

 

Public APIs

Public APIs are APIs with endpoints that are exposed to the open internet. Experience APIs are the most eligible candidates for Public APIs. In API Functional Monitoring (AFM), tests of such endpoints are run by workers that themselves run in public locations or private locations. A public location is a region (which you can think of as a resource pool) that is shared with other MuleSoft customers. Examples of such regions are us-east-1, us-east-2, and eu-central-1.

 

Deployment View

The following diagram shows how an API is deployed on CloudHub workers and how it can be exposed to consumers that are external to the Client Corporation network.

 

 

The only two ports exposed externally are ${http.port} and ${https.port} (by default 8081 and 8082 respectively). If you wish to access other ports, you can do so through the Anypoint Virtual Private Cloud (VPC) and Dedicated Load Balancers offering.

The “http.port” property is automatically set to port 8081 for HTTP, and “https.port” is set to port 8082 for HTTPS. If other values for “http.port” and “https.port” are specified in the mule-app.properties file, these are overwritten at deployment time.
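
The port rules from the two deployment views can be checked against an application's Mule configuration before it is deployed. The following Python script is an added example, not part of the original article or of MuleSoft tooling; it assumes Mule 4 style http:listener-config elements, and the sample configuration, the listener names and the "intended" parameter are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

HTTP_NS = "{http://www.mulesoft.org/schema/mule/http}"
# Port properties and their default values, as given in the article.
PORT_PROPERTIES = {"http.port": (8081, "public"), "https.port": (8082, "public"),
                   "http.private.port": (8091, "private"),
                   "https.private.port": (8092, "private")}
EXPOSURE_BY_PORT = dict(PORT_PROPERTIES.values())
PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")

def classify_port(raw):
    """Map a listener's port attribute to (exposure, detail)."""
    raw = raw.strip()
    match = PLACEHOLDER.match(raw)
    if match:
        prop = match.group(1)
        if prop in PORT_PROPERTIES:
            return PORT_PROPERTIES[prop][1], "property " + prop
        return "unknown", "unrecognised property " + prop
    if raw.isdigit():
        # Ports outside the four defaults need an extra firewall rule to be reachable.
        return EXPOSURE_BY_PORT.get(int(raw), "closed-by-default"), "literal " + raw
    return "unknown", "unparseable value " + repr(raw)

def audit_listeners(mule_xml, intended):
    """Return (config name, exposure, detail, ok) for each HTTP listener config."""
    results = []
    for cfg in ET.fromstring(mule_xml).iter(HTTP_NS + "listener-config"):
        conn = cfg.find(HTTP_NS + "listener-connection")
        port = conn.get("port", "") if conn is not None else ""
        exposure, detail = classify_port(port)
        results.append((cfg.get("name"), exposure, detail, exposure == intended))
    return results

# Constructed sample: a System API meant to be reachable only inside the VPC.
SAMPLE = """<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http">
  <http:listener-config name="orders-sapi-internal">
    <http:listener-connection host="0.0.0.0" port="${https.private.port}" protocol="HTTPS"/></http:listener-config>
  <http:listener-config name="orders-sapi-legacy">
    <http:listener-connection host="0.0.0.0" port="${http.port}"/></http:listener-config>
  <http:listener-config name="orders-sapi-admin">
    <http:listener-connection host="0.0.0.0" port="9090"/></http:listener-config>
</mule>"""

if __name__ == "__main__":
    for name, exposure, detail, ok in audit_listeners(SAMPLE, intended="private"):
        print("OK  " if ok else "FLAG", name, exposure, detail)
```

Run with intended="private" for Process and System APIs and intended="public" for Experience APIs; any listener whose exposure does not match is reported as FLAG.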

 

Public Ports Vs Private Ports

MuleSoft provides four firewall rules by default. You can add more firewall rules as per your requirements. We can expose custom ports to the public internet if it’s required.

 

 

Important Considerations

For each request a client makes through CloudHub’s load balancer (myapp.region.cloudhub.io), the load balancer maintains two connections. One connection is from the client and one is to your worker. For each connection, the load balancer manages an idle timeout of 300 seconds that is triggered when no data is sent over either connection. If no data is sent or received during this time period, the load balancer closes both connections.

For connections that take longer than 300 seconds to process from either side, consider handling the processing asynchronously.

 

Big API Landscape

If we have a big API landscape, then we recommend having separate VPCs for all public-facing APIs and all internal/private APIs.

 

 

Pros: Easy to manage Security Concerns.
Cons: Extra cost on VPC and Load Balancer.
