A cloud surrounded by padlocks

API Security in a Multi-Cloud Environment

In today’s app economy, more and more client interactions and transactions are occurring via the web and mobile applications, where predominantly APIs are been used for Information Exchange. Which enables modern enterprise to break the traditional barriers and expose their on-premises and cloud-based digital assets and applications to the outside world in a secure manner.

The key challenge for enterprises in this digital journey using APIs is to ensure this exchange of information is occurring with the right consumer with the right privileges. This is where API Security, one of the 5 Pillars of API Management, plays a key role in protecting enterprise digital assets.

API Security

For most modern web, SPA, and mobile applications, both OAuth 2.0 and OpenID connect are fundamental for API Security. OpenID connect with JWT has become the gold standard for today’s enterprise that has applications spread across a multi-cloud environment.

In one use case, where a consumer tries to access a backend microservice that resides in a multi-cloud (AWS/Azure/GCP) environment. In a typical gateway deployment model, we may have an API Gateway in the DMZ as our edge gateway, and it may be mutually integrated with several backend microservice applications that reside either on-premises or cloud.

For this example, this enterprise is having few of those applications in AWS and few in Azure. Each of those applications is front-ended with a parallel gateway and expects a signed JWT. The API gateway will validate and authorize the request to relevant backend applications in their respective cloud platform.

With that said, when a request reaches the Edge gateway in DMZ:

  • The API gateway may apply the required security policies that leverage OIDC protocols by using the “Authorization” header with a bearer token, upon successful authentication and corresponding authorization using the scope.
  • it may very well apply other policies that would protect their digital assets from common OWASP attacks
  • Apply rate limit and throttle the incoming request
  • And finally, route the request to backend application (resides in AWS or AZURE). But before routing, it could also bridge the security protocol with a custom JWT claims that would have relevant authorization details for cloud gateway to validate and authorize.
  • Also, sign and encrypt the JWT as needed (JWS and JWE) using specific private keys applicable for a particular backend application that resides in the cloud.

Once the request reaches AWS or AZURE cloud (parallel) API gateway:

  • it may intercept the request and look for JWT header for validation and authorization.
  • For validating the signed JWT, it may call the OIDC JWKS, which is a read-only endpoint that would return JWKS containing public keys that enable cloud gateway to validate a JSON Web Token (JWT) issued by OpenID Connect Provider
  • Once JWT is validated and decoded, the cloud gateway can extract required claims in the payload and authorize the call and route the request to appropriate backend applications/microservices.

A key challenge an enterprise usually faces here, when they have hundreds of applications deployed across multi-cloud environment, is that “JWKS URI” endpoint might return all the key set associated with a provider and that would be a security impact. To avoid this situation, the calling API gateway may send a particular kid (key identifier) claim associated with a call (from JWT header). So that provider can return only that specific public key associated with that kid claim to the cloud API gateway.


With the growing app economy, there is an increased focus on digital transformation. And APIs are becoming a key enabler in establishing secure communication with backend applications and Microservices. Products like Layer7 API Management fulfill the demand of today’s enterprise in both securing and protecting their digital assets (applications/microservices) with OOTB capabilities and features.

As I have shown above, Layer7 API Gateway can provide several such security protocols and integrates with a broad list of IAM systems and supports OAuth2/OpenID Connect, PCI-DSS, FHIR, and PSD2. Layer7 API Gateway is OOTB capable of bridging several security standards and solutions between consumers and providers.

If you don’t have Layer7 API Gateway then, you need to ensure your gateway provider provides similar supports to a wide range of security protocols and solutions for API Security along with comparable microservices (secured) integration options.