Network Gateway Enforcement
Implement FGA policies at the network layer with API protection, web application filtering, and response modification
Network Gateway Enforcement
Network Gateway Enforcement provides FGA policy enforcement at the network perimeter, protecting APIs and web applications without requiring any changes to your existing application code.
Architecture Overview
graph LR
U[User] --> GW[Authonomy Gateway]
GW --> APP1[Web App]
GW --> APP2[API Service]
GW --> APP3[Legacy System]
GW <--> FGA[FGA Policy Engine]
GW <--> IDP[Identity Provider]
FGA --> AUDIT[Audit Logs]The gateway sits between users and your applications, evaluating every request against FGA policies before forwarding authorized requests to backend systems.
Core Capabilities
🛡️ API Endpoint Protection
Authorize API calls based on fine-grained policies:
# Example API protection policy
policies:
- resource: "GET /api/customers/{id}"
condition: "user.role == 'admin' or customer.id == user.customer_id"
- resource: "POST /api/orders"
condition: "user.department == 'sales' and customer.status == 'active'"
- resource: "DELETE /api/users/{id}"
condition: "user.role == 'admin' and target_user.department == user.department"🖥️ Web Application Filtering
Control access to web pages and static resources:
# Page-level authorization
web_policies:
- path: "/admin/*"
condition: "user.role in ['admin', 'super_admin']"
- path: "/reports/financial/*"
condition: "user.permissions.includes('view_financial_reports')"
- path: "/customer/{id}/*"
condition: "user.customer_id == path.customer_id or user.role == 'support'"🔄 Dynamic Response Modification
Filter sensitive data from API responses based on user permissions:
# Response filtering rules
response_filters:
- endpoint: "/api/customer/profile"
filter_rules:
- field: "ssn"
condition: "user.role != 'admin'"
action: "remove"
- field: "payment_info"
condition: "user.department != 'billing'"
action: "mask"
replacement: "****"Deployment Patterns
🔄 Reverse Proxy Deployment
Deploy as a reverse proxy in front of existing infrastructure:
# nginx configuration example
upstream backend {
server app1.internal:8080;
server app2.internal:8080;
}
server {
listen 443 ssl;
location / {
# Route through Authonomy Gateway
proxy_pass http://authonomy-gateway:8081;
proxy_set_header X-Backend-URL http://backend;
# Pass user context
proxy_set_header X-User-Token $http_authorization;
proxy_set_header X-Real-IP $remote_addr;
}
}☁️ Cloud Gateway Integration
Integrate with cloud-native API gateways:
# AWS API Gateway with Lambda authorizer
Resources:
AuthonomyAuthorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
RestApiId: !Ref MyApi
Type: TOKEN
AuthorizerUri: !GetAtt AuthonomyFunction.Arn
AuthorizerCredentials: !GetAtt AuthorizerRole.Arn
ProtectedEndpoint:
Type: AWS::ApiGateway::Method
Properties:
RestApiId: !Ref MyApi
ResourceId: !Ref MyResource
HttpMethod: GET
AuthorizationType: CUSTOM
AuthorizerId: !Ref AuthonomyAuthorizer🏗️ Service Mesh Integration
Deploy as Envoy sidecar in Istio/Consul Connect:
# Istio EnvoyFilter configuration
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: authonomy-filter
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
grpc_service:
envoy_grpc:
cluster_name: authonomy-authz-serviceConfiguration & Setup
🚀 Quick Start Configuration
# authonomy-gateway.yml
gateway:
listen_port: 8081
upstream_timeout: 30s
# Identity integration
identity:
provider: "oidc"
issuer: "https://your-idp.com"
audience: "your-app"
# Policy configuration
policies:
policy_set: "production_v1"
refresh_interval: "30s"
cache_size: 10000
# Logging and monitoring
audit:
enabled: true
destination: "stdout"
level: "info"🔧 Advanced Configuration
# Production-grade configuration
gateway:
# High availability
cluster:
nodes: 3
coordination: "consul"
health_check_interval: "10s"
# Performance optimization
performance:
policy_cache_ttl: "5m"
connection_pool_size: 100
request_timeout: "10s"
# Security hardening
security:
tls_min_version: "1.3"
hsts_header: true
request_size_limit: "10MB"
rate_limiting:
requests_per_second: 1000
burst_size: 100Protocol Support
🌐 HTTP/HTTPS APIs
Complete REST API protection:
- Method-specific policies: Different rules for GET vs. POST
- Path parameter extraction: Use URL parameters in policy decisions
- Header-based authorization: Include request headers in policy context
- Query parameter filtering: Control access based on query parameters
📡 GraphQL APIs
Field-level authorization for GraphQL:
# GraphQL field protection
graphql_policies:
- query: "User.email"
condition: "user.id == target_user.id or user.role == 'admin'"
- mutation: "deleteCustomer"
condition: "user.role == 'admin' and customer.status != 'active'"
- subscription: "orderUpdates"
condition: "user.customer_id == order.customer_id"🔌 WebSocket Connections
Authorize persistent connections and messages:
# WebSocket authorization
websocket_policies:
connection:
condition: "user.role in ['support', 'admin']"
message_types:
- type: "customer_update"
condition: "user.assigned_customers.includes(message.customer_id)"
- type: "system_alert"
condition: "user.role == 'admin'"Response Filtering & Data Protection
🎭 Dynamic Data Masking
Automatically mask sensitive data based on user permissions:
# Response masking configuration
response_masks:
- api_pattern: "/api/customers/*"
fields:
- name: "credit_card_number"
condition: "user.role != 'billing_admin'"
mask_type: "partial" # Shows last 4 digits
- name: "social_security_number"
condition: "user.role != 'hr_admin'"
mask_type: "full" # Completely hidden
- name: "salary_info"
condition: "user.department != 'hr'"
mask_type: "remove" # Field removed from response📋 Field-Level Filtering
Remove sensitive fields entirely:
// Original API response
{
"customer_id": "12345",
"name": "John Doe",
"email": "john@company.com",
"credit_score": 750,
"ssn": "123-45-6789"
}
// Filtered response for sales role
{
"customer_id": "12345",
"name": "John Doe",
"email": "john@company.com"
}Performance & Optimization
⚡ Policy Caching
Optimize performance with intelligent caching:
- Decision caching: Cache authorization decisions for repeated requests
- Policy caching: Cache compiled policies for fast evaluation
- User context caching: Cache user attributes and roles
- Negative caching: Cache deny decisions to prevent repeated expensive evaluations
📊 Performance Monitoring
Track gateway performance metrics:
# Performance benchmarks
gateway_performance:
decision_latency:
target_p50: "< 5ms"
target_p95: "< 25ms"
target_p99: "< 50ms"
throughput:
target_rps: "> 10,000"
max_concurrent: "> 1,000"
cache_efficiency:
hit_rate: "> 90%"
eviction_rate: "< 5%"Security Considerations
🔐 Gateway Security
Protect the authorization gateway itself:
- TLS termination: Handle encryption/decryption securely
- Certificate management: Automated cert rotation and validation
- Rate limiting: Prevent authorization DoS attacks
- Request validation: Sanitize and validate all incoming requests
🕵️ Audit & Monitoring
Comprehensive logging for security and compliance:
{
"timestamp": "2024-01-15T14:23:07Z",
"request_id": "req_abc123",
"user_id": "alice@company.com",
"resource": "/api/customers/12345",
"action": "GET",
"decision": "ALLOW",
"policy_set": "production_v1.2",
"evaluation_time_ms": 12,
"client_ip": "192.168.1.100"
}Deployment Checklist
✅ Pre-Deployment
- Gateway infrastructure provisioned and configured
- TLS certificates installed and validated
- Policy sets deployed and tested in staging
- Identity provider integration configured
- Monitoring and alerting configured
✅ Production Deployment
- Shadow mode enabled and validated
- Gradual traffic routing (1% → 10% → 100%)
- Performance monitoring active
- Rollback procedures tested and ready
- On-call team briefed and ready
✅ Post-Deployment
- Performance metrics within acceptable ranges
- Authorization decisions matching expectations
- Error rates below threshold
- User experience unchanged
- Audit logging functioning correctly
Troubleshooting Guide
🚨 Common Issues
High Latency
- Check policy complexity and optimization
- Verify cache hit rates and configuration
- Review network connectivity to FGA service
- Consider policy pre-compilation
Policy Evaluation Errors
- Validate policy syntax and logic
- Check user context data availability
- Review FGA service connectivity
- Verify identity provider integration
Response Filtering Issues
- Test filter rules against sample responses
- Check field path expressions for nested data
- Validate mask/filter conditions
- Review API response format changes
Next Steps
- Set up Database Proxy Enforcement for data-layer protection
- Configure Library Integration for application-native authorization
- Review Synchronization strategies for multi-method deployments
Ready to deploy network gateway enforcement? Contact our deployment team for implementation assistance.