Jump to Content
API Management

Best practices for securing your applications and APIs using Apigee

October 18, 2021
Sai Saran Vaidyanathan

Technical Solutions Consultant

Try Google Cloud

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Free trial

Enterprises across the globe are seeing surging demand for digital experiences from their customers, employees, and partners. For many of these enterprises, hundreds of business applications are hosted in private or public clouds that interact with their users (customers, partners, and employees) spread across geographies, channels (web, mobile, APIs, VPNs, and cloud services), and time zones. 

As a consequence of this surge in demand, enterprises are also experiencing increased pressure to fortify their technical infrastructure against cyber attacks. The number of reported cyber attacks on U.S. companies rose 69% in 2020 from the previous year, according to the Federal Bureau of Investigation. Web and API attacks cannot be prevented but can be mitigated—a recent study showed that 55% of organizations experience a DDoS attack at least every month. 

While many enterprises are accelerating digital transformation to build omnichannel experiences, they need to keep security and privacy top of mind across all of these channels. This goal can only be supported by implementing a robust security architecture and organizational policy enforcement model that enables enterprises to prevent, detect, and react to newer threats, in near-real time. While it is easy to say, implementation of such a system can be extremely challenging. 

Best practices for securing your applications and APIs

To help organizations navigate these challenges, we recently published, “Best practices for securing your applications and APIs using Apigee,” which describes the best practices and approaches that can help companies secure their applications and APIs using Apigee API management, Google Cloud Armor, reCAPTCHA Enterprise, and Cloud CDN

These best practices include using Apigee as a proxy layer to protect backend APIs, Google Cloud Armor as a Web Application Firewall (WAF), Cloud CDN for caching, and comprehensive web app and API protection with the Google Cloud solution

Use Apigee as a proxy layer

In this pattern, Apigee is a facade layer that can secure and protect your backend APIs with its out-of -box capabilities.


Apigee offers a wide range of security features that can be applied consistently across all your APIs. It can be used to route the requests to different backends, which helps with your migration effort too. 

Use Google Cloud Armor as a WAF layer along with Apigee

To increase your security footprint, you could easily enable Google Cloud Armor along with Apigee. Google Cloud Armor provides web application firewall (WAF) capabilities and helps to prevent distributed denial of service (DDoS) attacks. It can also help you to mitigate the threat to applications from the risks listed in the OWASP Top 10. For more information on how to configure rules in Google Cloud Armor, see the Google Cloud Armor How-to guides or check out this blog post about Apigee and Google Cloud Armor.


Use Cloud CDN for caching

By using Cloud CDN: Content Delivery Network, you can use the Google global network to serve content closer to users, which accelerates response times for your websites and applications. Cloud CDN also offers caching capabilities to provide responses much faster. It helps you to secure the backend by returning the response from its cache and handling traffic spikes. It can also help to minimize web server load, compute, and network usage. To implement this architecture, you must enable Cloud CDN on the load balancer that’s serving the Apigee traffic. To learn more, check out this blog post.


Implement comprehensive Web App and API Protection (WAAP)

To further enhance your security profile, you can also use WAAP, which brings together Google Cloud Armor, reCAPTCHA Enterprise, and Apigee to help protect your system against DDoS attacks and bots. It also provides web application firewall (WAF) and API protection. 

We recommended WAAP for enterprise use cases where the API calls are made from a website or mobile applications. You can set applications to load the reCAPTCHA libraries to generate a reCAPTCHA token and send it along when they make a request. For more information on WAAP, check out this blog post or read this whitepaper.


Next steps

As more and more organizations get into and accelerate their digital transformation journey, systems and business channels will rely more on digital interactions, and the need for tightened levels of security and protection will continue to rise significantly. Building an architecture that can help your organizations deliver fast and efficiently with improved threat protection and visibility is of the utmost importance.  

Posted in