Securing Backend Traffic

This guide explains how to configure serverless gateways to securely communicate between the data plane and the backend application. These methods are required because serverless gateways only support public networking and not direct private networking options such as AWS Direct Connect or other VPN-type connectivity. For use cases where private networking is required, Dedicated Cloud Gateways with AWS Transit Gateways is a better choice.

Using a Shared Secret

In this method, your web application is configured to only authorize traffic that contains a known shared API token or secret. We will configure Kong Gateway to inject the shared secret as a header into every request sent to the backend. Then Kong Gateway and the ecosystem of plugins can be leveraged to implement additional or alternative security measures, rate limiting, or other functionality on top of the web app, while ensuring that no unproxied traffic is authorized.

Prerequisites

A web application that is accessible to the public internet.
The application endpoints are secured by a known API token.

API

From Gateway Manager, click the name of the Serverless CP that you want to configure.
Click Gateway Services in the navigation sidebar and select the service you want to secure.
Click the Plugins tab, then click the New Plugin button.
Find the Request Transformer plugin, click Enable.
Locate the Add.Headers field and click Add.
Enter the required header in the field in the key: value format, and Save.

For example to use a bearer token secret with the value my-secret-key enter: Authorization: Bearer my-secret-key.

The serverless gateway is now configured to add the pre-shared secret token in all requests sent to the backend.

The Konnect API uses Personal Access Token (PAT) authentication. You can obtain your PAT from the personal access token page. The PAT must be passed in the Authorization header of all requests.

Attach a new plugin to the control plane and service that you want to secure:
```
 curl -X POST \
 https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins \
 --header "accept: application/json" \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer {PAT}" \
 --data '{
     "name": "request-transformer",
     "config": {
         "add": {
             "headers": [
                 "Authorization:Bearer {secretTokenValue}"
             ]
         }
     }
 }'
```
Replace the PAT as well as the following placeholder values with your own values:
- controlPlaneId: The ID of the serverless control plane that includes your service.
- serviceId: The ID of the service that you want to add the plugin to.
- secretTokenValue: The value of your shared secret token to authenticate to the backend.
You should get a 201 response, serverless gateways are now configured to add the pre-shared secret token in all requests sent to the backend.

Now you can add as many other security methods or implement additional plugins and functionality in the serverless gateway and have your users hit the Kong Gateway and be protected rather than directly hitting your backend application.

More information

Request Transformer Plugin: Learn about additional ways to configure the Request Transformer Plugin.