Trust between kong gateway and upstream backend service

[Chenjp]

hi,
We are using Kong as Open API gateway for our partners, and enable HMAC-Auth policy. Kong gateway append an "X-Consumer-Custom-ID" header for all valid request automatically, and upstream service check the "X-Consumer-Custom-ID" header to identify Consumer. Currently, our upstream service always trust the request from Kong gateway server IP, without any other authentication mechanism.

We want enhance security between our Kong gateway and upstream service, any suggestion?

[keskinege]

hi,

We are using Kong as Open API gateway for our partners, and enable HMAC-Auth policy. Kong gateway append an "X-Consumer-Custom-ID" header for all valid request automatically, and upstream service check the "X-Consumer-Custom-ID" header to identify Consumer. Currently, our upstream service always trust the request from Kong gateway server IP, without any other authentication mechanism.

We want enhance security between our Kong gateway and upstream service, any suggestion?

I think you will need another authentication method to the upstreams if you cannot control the vpc such as mtls or any authentication method they support.