Provide an additional layer of security and reduce the attack surface by using a dedicated host instance that acts as a broker between clients and the application services: it validates requests and passes data between them.
When to use this pattern?
Applications that handle sensitive information.
Distributed applications where it is necessary to perform request validation separately from the main tasks.
Use APIM (Azure API Management) to protect the underlying services with its policies, such as URL masking and filtering of additional header information.
Use Application Gateway in front of APIM to block common attacks such as Cross-Site Scripting (XSS) and SQL injection.
Use VNet integration so that traffic is accepted only from a specific source virtual network (VNet).
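An APIM policy fragment of the kind the items above describe, added here as an illustration and not taken from the original page: it accepts inbound traffic only from the Application Gateway subnet, masks the backend URL and path, strips response headers that reveal backend details, and returns a generic error instead of upstream failure details. The subnet range, backend hostname and paths are assumed placeholders.

```xml
<policies>
    <inbound>
        <base />
        <!-- Accept traffic only from the Application Gateway subnet (assumed range 10.0.1.0/24). -->
        <ip-filter action="allow">
            <address-range from="10.0.1.0" to="10.0.1.255" />
        </ip-filter>
        <!-- URL masking: clients only ever see the APIM hostname; the internal
             backend address (assumed placeholder) is never exposed. -->
        <set-backend-service base-url="https://orders-internal.example.local" />
        <!-- Map the public path to the internal path while keeping query parameters. -->
        <rewrite-uri template="/internal/v2/orders" copy-unmatched-params="true" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Header filtering: drop headers that leak backend technology details. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
        <!-- Never forward backend error bodies to the client; return a generic response. -->
        <return-response>
            <set-status code="502" reason="Bad Gateway" />
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-body>{"error":"upstream request failed"}</set-body>
        </return-response>
    </on-error>
</policies>
```

Apply the fragment at the API scope so every operation inherits the source restriction and header filtering; the Application Gateway in front still performs the WAF-style inspection described above.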
Considerations
Backend services expose only internal, protected endpoints.
The gatekeeper must run in a limited-privilege mode.
Keep business logic out of the gatekeeper.
SSL/TLS offloading at the gatekeeper, so that traffic is encrypted in transit.
Latency: the extra hop adds some latency, which must be acceptable.
Single point of failure: to overcome this, deploy multiple APIM instances, either in the same region or across regions.