I have set up the Secure Gateway to connect to my on-premises DataPower and have exposed a local SOAP service. In the destination I have enabled User Authentication for mutual auth, and this is working well. In order to access the SOAP service the client must supply the cert. However, this endpoint is still public, and I would prefer to restrict the network access to it for increased security.
I found this article: Creating IP table rules for a Bluemix app for Secure Gateway that shows how to implement this from a client such as NodeJS or WSL, however I want to restrict access to only API Connect in Bluemix. Thus I don't have the ability to lookup the IP address.
Is there an address range for the API Connect Gateway Clusters? I tried restricting the network to only the non-routable A/B/C networks, but that closed off everything. Using mutual auth in the TLS Profile of APIC is working, but restricting the network would give us greater peace of mind.
This is not possible due to the nature of cloud-based solutions. IP addresses may change at any time, thus breaking the linkage.
Mutual TLS is an excellent solution and should provide robust security as long as your private keys are carefully protected.
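To make the answer's two points concrete (the gateway trusts only certificates chained to your own CA, and the client private key must stay unreadable to anyone else), here is an added example that is not part of the original thread. It assumes the `openssl` command-line tool is installed; the CA names, subjects and file names are constructed throwaway values, and the checks mirror what a gateway's TLS profile does when it validates a client certificate against its trust store.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a private CA, issues one
# client certificate from it, and shows that a certificate from an unrelated CA
# does not verify against that trust store. All material is throwaway.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Private CA: this single cert is what the gateway's TLS profile would trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
  -subj "/CN=Example Private CA" >/dev/null 2>&1

# Legitimate client: key + CSR, signed by the private CA.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=apic-client" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 1 >/dev/null 2>&1

# Unrelated self-signed cert: stands in for any stranger reaching the public endpoint.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt -days 1 \
  -subj "/CN=someone-else" >/dev/null 2>&1

# verify_client CERT: succeeds only if CERT chains to our private CA.
verify_client() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# key_is_protected KEYFILE: succeeds only if group and others have no read/write bits.
key_is_protected() {
  [ -z "$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]
}

# Lock down the client key; a world-readable copy is kept only to show the check failing.
chmod 600 client.key
cp client.key leaked.key
chmod 644 leaked.key

if verify_client client.crt; then echo "client.crt: trusted"; fi
if ! verify_client other.crt; then echo "other.crt: rejected"; fi
if key_is_protected client.key; then echo "client.key: permissions ok"; fi
if ! key_is_protected leaked.key; then echo "leaked.key: too permissive"; fi
```

The trust store given to `openssl verify` contains only the private CA, so a certificate from any other issuer fails regardless of where the connection comes from; that is the control that replaces an IP allow list here. The permission check is a minimal stand-in for the "carefully protected" condition in the answer.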