Installation and Infrastructure Decisions
Kubernetes and MongoDB Installation
Will the applications that Apinizer needs, such as a Kubernetes cluster and MongoDB, be installed, or are they already available and will the existing ones be used?
Our Recommendations
- Using these components if they are already available in your organization
- Having your team prepare them if installation will be done
- Having the Apinizer team do the installation if installation will be done
- If installation will be done by the Apinizer team, the relevant servers must have the access listed on the Access and Port Requirements for Installation page
If installation will be done, will your organization's employees do it or will servers be allocated to the Apinizer team?
If installation will be done by the Apinizer team, will internet access on the servers be restricted or full?
Network and Security Decisions
Network Security
Is there a product other than WAF and firewall that controls the network where Apinizer will be installed and performs security hardening?
Is there a usage in the 10.244.x.x block in the network where Apinizer will be installed?
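A pre-installation check for the question above, as an added example that is not Apinizer's own tooling: it parses `ip -4 route show` output from a candidate server and reports routes that overlap the block. It assumes "10.244.x.x" means 10.244.0.0/16; the sample routes are constructed.

```python
import ipaddress

# Assumption: the page's "10.244.x.x" is read as 10.244.0.0/16.
RESERVED = ipaddress.ip_network("10.244.0.0/16")
# iproute2 route-type keywords that can precede the destination prefix.
ROUTE_TYPES = {"unicast", "local", "broadcast", "blackhole",
               "unreachable", "prohibit", "throw"}

# Constructed sample of `ip -4 route show` output (not from a real server).
SAMPLE_ROUTES = """\
default via 192.168.10.1 dev eth0 proto static
10.0.0.0/8 via 192.168.10.254 dev eth0
10.244.12.0/24 via 192.168.10.254 dev eth0
10.244.3.7 via 192.168.10.254 dev eth0
blackhole 10.245.0.0/16
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.20
"""


def route_destinations(text):
    """Yield (network, raw_line) for every non-default route line."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] in ROUTE_TYPES:
            fields = fields[1:]
        if not fields or fields[0] == "default":
            continue
        try:
            # Host routes are printed without a prefix and parse as /32.
            yield ipaddress.ip_network(fields[0], strict=False), line
        except ValueError:
            continue  # not a destination prefix; skip the line


def find_conflicts(text, reserved=RESERVED):
    """Return (prefix, relation) for routes that overlap the reserved block."""
    conflicts = []
    for net, _line in route_destinations(text):
        if net.version == reserved.version and net.overlaps(reserved):
            # "inside": an existing network lives in the block.
            # "covers": a broader route spans it; confirm nothing uses 10.244.x.x.
            relation = "inside" if net.subnet_of(reserved) else "covers"
            conflicts.append((str(net), relation))
    return conflicts


if __name__ == "__main__":
    for prefix, relation in find_conflicts(SAMPLE_ROUTES):
        print(f"{prefix}: {relation} {RESERVED}")
```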
Port and DNS Decisions
Port Configuration
Which ports should Apinizer publish on the servers where it is located?
Our Recommendations
- From the 30000-32767 range, 32080 for Manager, 30080 or 30090 for worker
- On ports managed by your organization’s DevOps Team (again from the same range or using nginx ingress)
Will the DNS names that Apinizer will access be resolved automatically on the servers where Apinizer will be located? If not, are the IP-host definitions ready?
Our Recommendations
- Setting servers to automatically resolve these addresses, as they can change, even if very rarely
- Preparing hostname-IP pairs as a list to be added to Apinizer
Will the Apinizer interface and workers be used via DNS? If yes, what will the DNS names be?
Our Recommendations
- Addresses such as apimanagement.organization.com and api.organization.com
SSL and NAT Decisions
SSL Termination
Where will SSL termination be done?
Our Recommendations
- On your organization’s firewall
- In the application where your organization performs DNS routing and load balancing
- On Apinizer worker applications
If Apinizer will be used outside your organization, which IP will it exit from? Have the necessary (NAT) operations been performed for Apinizer servers to exit from this address?
Our Recommendations
- Keeping your organization’s existing exit address, with Apinizer also exiting from this address
Worker and Kubernetes Management
Worker Configuration
How will Apinizer's worker application (Core and RAM usage, JVM parameters) be configured?
Our Recommendations
- Dividing your existing license into two or three, entering appropriate JVM parameters, and distributing it across multiple containers
- With different settings according to your organization’s applied policy
How will Kubernetes systems where Apinizer will be installed be managed?
Our Recommendations
- From the Apinizer interface
- With methods belonging to your organization
Logging and Backup Decisions
Traffic Logs
Where should traffic logs be written?
Our Recommendations
- To Elasticsearch, which Apinizer will install on one of the allocated servers
- To another application set up by your organization
If traffic logs are in Elasticsearch managed by Apinizer, how will this data be backed up?
Our Recommendations
- Your organization’s System team employees will back up the disk where logs are written as is
- Your organization’s System team employees will back up the server where logs are located as is
- Requesting that logs be sent to a specific address on a specific server with a snapshot policy, where they will be backed up
Is there sensitive information that should not appear in traffic logs? If yes, what is it? In which parts of the message should it not appear?
Our Recommendations
- Organization policy can be requested from your organization’s Information Security Team
- Key values containing personal data such as Tckn and TcKimlikNo
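One way to apply such a rule before a record reaches the log, as an added example (not Apinizer's own masking feature or code): it masks the page's example keys in the headers, parameters and JSON body of a message. The record layout, the `***` mask and the function names are assumptions; sample values are constructed.

```python
import json

MASK = "***"
# Key names from the page, compared case-insensitively.
SENSITIVE_KEYS = {"tckn", "tckimlikno"}


def _mask(value, keys):
    """Recursively replace the values of sensitive keys in dicts and lists."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in keys else _mask(v, keys)
                for k, v in value.items()}
    if isinstance(value, list):
        return [_mask(v, keys) for v in value]
    return value


def mask_record(record, keys=SENSITIVE_KEYS, parts=("headers", "params", "body")):
    """Return a copy of a log record with sensitive keys masked in `parts`."""
    out = dict(record)
    for part in ("headers", "params"):
        if part in parts and part in record:
            out[part] = _mask(record[part], keys)
    if "body" in parts and "body" in record:
        try:
            out["body"] = json.dumps(_mask(json.loads(record["body"]), keys))
        except (TypeError, ValueError):
            # Key-based masking cannot see into a non-JSON body, so it is
            # withheld from the log instead of being written unmasked.
            out["body"] = "[omitted: body is not JSON]"
    return out


# Constructed sample record; the layout and all values are hypothetical.
SAMPLE = {
    "headers": {"X-Request-Id": "req-001", "Tckn": "00000000000"},
    "params": {"tckn": "00000000000", "page": "2"},
    "body": json.dumps({"customer": {"TcKimlikNo": "00000000000", "name": "A"},
                        "items": [{"TCKN": "00000000000", "qty": 1}]}),
}

if __name__ == "__main__":
    print(json.dumps(mask_record(SAMPLE), indent=2))
```

The `parts` argument corresponds to the "in which parts of the message" decision: pass only the parts where masking is required.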
Where should application and token retrieval logs (if settings are active) be written?
Our Recommendations
- To Apinizer’s configuration database
- To another application set up by your organization
How will the growth of logs to be stored in the database be kept under control?
Our Recommendations
- These logs will be deleted at certain intervals
- Disk will be expanded as it fills up
User Management and Support Decisions
User Management
Will the admin user account created with the first installation be used for the Apinizer interface? If yes, who will use it?
Our Recommendations
- Having your Integration Unit employees (if available) use Apinizer, creating individual authorized user accounts for the people who will use it, and disabling the admin account
- The admin user being used by a single person responsible for Apinizer, defining new users for other people who will use it
Will the users accessing the Apinizer interface be managed entirely from Apinizer, or will password verification be done with LDAP/Active Directory?
Our Recommendations
- Users should always be defined in Apinizer, but password verification should be done by defining your organization’s LDAP/AD application in Apinizer and creating a user or service account with permission to verify the users who will connect
- Users being managed entirely from Apinizer
How will the Apinizer support team provide support to your team using Apinizer, to the Apinizer application, and optionally to the servers where Apinizer is installed?
Our Recommendations
- Defining a VPN and granting access only to the Apinizer servers and the Apinizer interface
- With applications that provide remote access such as AnyDesk, TeamViewer
- With meeting applications that allow remote access such as Zoom, Cisco Webex, Microsoft Teams, Skype
- With meeting applications such as Whereby, Turkcell Bip Meet
- By mail, phone and physically as a guest to the organization when necessary
Decision Making Checklist
You need to make decisions on the following topics before installation:
Infrastructure
- Kubernetes and MongoDB installation method
- Internet access status
- Server allocation
Network and Security
- WAF and firewall products
- IP block usage (10.244.x.x)
- SSL termination point
Port and DNS
- Port configuration
- DNS resolution method
- DNS addresses
Logging
- Traffic log destination
- Backup strategy
- Sensitive information protection
User Management
- Admin account usage
- LDAP/AD integration
- User management method
Support
- Support access method
- VPN configuration
- Remote access tools

