
How is an internal API secured using Tyk API Management (or any other API Gateway)?


I have an internally hosted REST API (written in .Net Core, WebAPI).

I have successfully managed to set this up with Tyk API management in Auth Token mode.

This allows external callers to access the API outside of the local network.

But... obviously on the internal network, the API is completely open. I would prefer some way to secure this, but other than blocking access to calls to anything other than the Tyk API Management server, I have drawn a blank.

What would be the best way to achieve this?


Solution

  • You can achieve it in three ways using the Tyk API gateway, and all of them will require putting some small proxy logic on top of your app (like nginx) or adding it to your application logic directly.

    First of all, you can require some internal secret to be provided in the URL or a header, and configure Tyk to send it with each request.

    The second option is to configure a Mutual TLS setup, where your API will require some specific white-listed client certificate, and you will configure Tyk to sign all requests with the given certificate as well.

    The third option is not really related to Tyk: you can just put a firewall behind your API and whitelist Tyk IPs.

    Hope it helps!
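The following is an added example, not part of the answer above and not Tyk's or the asker's code. It models the first and third options together: the gateway injects a shared secret header on every forwarded request, and the upstream (here a small Python function standing in for the .NET Core API's middleware) refuses any call that does not carry that secret and does not originate from the gateway's network. The header name, secret value, and network addresses are all constructed for the example; the header is compared with a constant-time comparison so a direct caller on the LAN cannot guess the secret byte by byte.

```python
import hmac
import ipaddress

# Constructed values for the example only. In a real deployment the secret is
# generated once, placed in the gateway's header-injection config and in the
# upstream's secret store, and never committed to source control.
INTERNAL_SECRET = "example-shared-secret-do-not-use"
SECRET_HEADER = "X-Internal-Gateway-Secret"  # hypothetical header name

# Networks the gateway is expected to call from (hypothetical addresses).
# This is the "whitelist Tyk IPs" part of the answer, enforced in the app.
GATEWAY_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
GATEWAY_EGRESS_IP = "10.0.5.10"  # assumed address of the gateway's outbound leg


def gateway_forward(request: dict) -> dict:
    """Model of what the gateway does before proxying: copy the request,
    add the shared secret header, and send it from the gateway's own IP."""
    forwarded = dict(request)
    forwarded["headers"] = {**request.get("headers", {}), SECRET_HEADER: INTERNAL_SECRET}
    forwarded["source_ip"] = GATEWAY_EGRESS_IP
    return forwarded


def upstream_authorize(request: dict) -> tuple[int, str]:
    """Upstream middleware check: allow the request only if it arrived via
    the gateway. Returns (http_status, reason)."""
    # 1. Source-IP allow-list: a request from anywhere else on the LAN is
    #    rejected before the secret is even examined.
    src = ipaddress.ip_address(request.get("source_ip", "0.0.0.0"))
    if not any(src in net for net in GATEWAY_NETWORKS):
        return 403, "source address not in gateway allow-list"

    # 2. Shared-secret header. HTTP header names are case-insensitive, so
    #    normalise before looking it up.
    headers = {name.lower(): value for name, value in request.get("headers", {}).items()}
    presented = headers.get(SECRET_HEADER.lower())
    if presented is None:
        return 401, "missing gateway secret"

    # Constant-time comparison: a plain == would let an internal attacker
    # use response timing to recover the secret one byte at a time.
    if not hmac.compare_digest(presented.encode(), INTERNAL_SECRET.encode()):
        return 401, "bad gateway secret"

    return 200, "ok"


if __name__ == "__main__":
    via_gateway = gateway_forward({"path": "/api/orders", "headers": {}})
    print("via gateway:", upstream_authorize(via_gateway))
    # A host on the internal LAN calling the API directly, bypassing Tyk.
    direct = {"path": "/api/orders", "headers": {}, "source_ip": "192.168.1.50"}
    print("direct LAN call:", upstream_authorize(direct))
```

Two caveats a practitioner would add to the shared-secret option: put the secret in a header rather than the URL, since query strings end up in access logs and proxy caches, and run TLS between the gateway and the upstream, otherwise anyone who can sniff the internal segment simply reads the header and replays it. The mutual-TLS option in the answer removes that last weakness, at the cost of certificate distribution and rotation.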