According to the architecture of WSO2 API Cloud, all API calls that go out to your backend services from WSO2 API Cloud go through the Cloud's API Gateway. The API Gateway handles user requests, user authentication via OAuth, enforces security policies etc.
In order to connect to your backend services from the API Cloud, the API Gateway should connect to your backend services.
If your backend services are exposed to the Internet (e.g., hosted in WSO2 App Cloud or another cloud platform), then the API Gateway can connect to them via their Internet URLs. If your backend services are private to your Intranet, WSO2 supports the following methods to set up the connectivity from the API Gateway to your backend services.
- Using a reverse proxy in your DMZ. The API Gateway then connects to the publicly visible reverse proxy, which in turn passes the calls to the backend service.
- Using a VPN link between the API Cloud and your Intranet.
See Expose your On-Premises Backend Services to the API Cloud for details.
If you choose to grant access to your private backend services through a reverse proxy or a VPN, it is highly recommended to Secure your Backend Services as your private backend services will be exposed to a multi-tenanted Cloud environment.