Application Security
Application security includes configuring web applications and gateways.
MATRIXX Engine must be deployed within a secure area of your network. Think of MATRIXX Engine as a black box server with limited access points for event processing, business support systems, maintenance, and monitoring.
The Gateway Proxy restricts which applications, services, and IP addresses can communicate with MATRIXX Engine. It sits between the provisioning and self-care systems and MATRIXX Engine, and it uses Linux firewall rules to enforce those access restrictions, so that unauthorized services cannot communicate with the engine.
The Business API Gateway should be in Zone 4 so that it is separate from MATRIXX Engine and, unlike the web services in Zone 3, is not directly exposed to the internet.
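The following nftables ruleset is an added illustration of the kind of Linux firewall allowlist the Gateway Proxy description above calls for; it is not a MATRIXX-supplied configuration. The addresses, the engine port 4080, and the mapping of subnets to zones are placeholders chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not a MATRIXX-supplied configuration. Placeholder values:
#   10.10.1.0/24 = Zone 1 provisioning/admin hosts
#   10.10.3.0/24 = Zone 3 self-care web hosts
#   10.10.4.5    = Business API Gateway in Zone 4
#   4080         = assumed MATRIXX Engine listener port
# "flush ruleset" clears every existing table on the host; keep that in mind
# if the proxy host carries other firewall rules.
flush ruleset

table inet gateway_proxy {
    # Only these sources may open connections toward MATRIXX Engine.
    set engine_clients {
        type ipv4_addr
        flags interval
        elements = { 10.10.1.0/24, 10.10.3.0/24, 10.10.4.5 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Maintenance and monitoring: SSH only from the Zone 1 admin network.
        ip saddr 10.10.1.0/24 tcp dport 22 accept

        # Event-processing traffic to the engine port from approved clients only.
        ip saddr @engine_clients tcp dport 4080 accept

        # Any other attempt to reach the engine port is logged for the SOC
        # (rate-limited so a scan cannot flood the log) and then dropped.
        tcp dport 4080 limit rate 10/minute log prefix "gateway-proxy-denied: " level warn
        counter drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; a denied connection shows up in the kernel log with the `gateway-proxy-denied:` prefix, which is the line to alert on.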
My MATRIXX
In cloud native environments, you install My MATRIXX as a separate pod with its own Docker image. You can deploy it on the same nodes as the Gateway Proxy pods or on remote nodes that communicate with MATRIXX Engine through the Gateway Proxy. MATRIXX Support recommends that you deploy My MATRIXX separately from the Business API Gateway pods, because the tool is a design-time environment for creating configuration files that are then deployed to the runtime MATRIXX Engine. This preserves the separation of responsibilities between design-time and runtime systems. For example, the nodes can be located in Zone 1, the service provider's internal network, along with other non-network IT systems.
For information about user authentication, see the discussion about configuring and customizing My MATRIXX authentication. For information about enabling OAuth 2.0, see the discussion about OAuth 2.0 identity and access management.