Effective CISSP Questions

API gateway and service mesh are two main architectural elements that ensure reliable, resilient, and secure communication in a microservices-based application. Which of the following is not a core feature of an API gateway? (Wentz QOTD)
A. Facilitate service-to-service communication.
B. Ensure a reasonable rate of requests.
C. Redirect requests from old clients to a new version of the service.
D. Avoid the possibility of a cascaded failure.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Facilitate service-to-service communication.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

API Gateway and Service Mesh (Source: Liran Katz)

API gateways are implemented to facilitate communication across borders; they control north-south and east-west traffic. External or edge API gateways route inbound requests from clients to appropriate services; internal API gateways facilitate communication between various scopes of service meshes. A service mesh facilitates service-to-service communication within a specific scope.

An API gateway architecture can be monolithic or distributed.

In the monolithic API gateway architecture, there is only one API gateway that is typically deployed at the edge of the enterprise network (e.g., Demilitarized Zone (DMZ)) and provides all services to the API at the enterprise level.

In the distributed API gateway architecture, there are multiple instances of microgateways, which are deployed closer to microservice APIs. A microgateway is typically a low footprint, scriptable API gateway that can be used to define and enforce customized policies and is therefore suitable for microservices-based applications, which must be protected through service-specific security policies.

The microgateway is typically implemented as a stand-alone container using development platforms such as Node.js. It is different from a sidecar proxy of the service mesh architecture, which is implemented at the API endpoint itself.

Source: NIST SP 800-204

Service Mesh

A service mesh is a dedicated infrastructure layer that facilitates service-to-service communication through service discovery, routing and internal load balancing, traffic configuration, encryption, authentication and authorization, metrics, and monitoring.

Service meshes create a small proxy server instance for each service within a microservices application. This specialized proxy is sometimes called a “sidecar proxy” in service mesh parlance. The sidecar proxies form the data plane, while the runtime operations needed for enforcing security (access control and communication-related controls) are enabled by injecting policies (e.g., access control policies) into the sidecar proxy from the control plane. This also provides the flexibility to change policies dynamically without modifying the microservices code.

Source: NIST SP 800-204
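To make the data plane/control plane split concrete, here is an added toy example (not code from NIST SP 800-204 or from any service mesh product): each service sits behind a sidecar proxy, the control plane pushes access-control policy into the sidecars, and a policy change takes effect without touching the service code. The service names, the policy format and the in-memory "push" are constructed for illustration; a real mesh derives the caller's identity from its mTLS certificate rather than trusting a string.

```python
"""Toy service mesh: one sidecar proxy per service (data plane) enforcing
access-control policy pushed from a control plane. Added example; service
names and policy format are constructed, not from NIST SP 800-204."""
from typing import Callable, Dict, List, Set, Tuple

Response = Dict[str, object]


class Sidecar:
    """Sits in front of one microservice. The service handler is never
    modified; authorization and audit logging happen in the proxy."""

    def __init__(self, service: str, handler: Callable[[str], str]) -> None:
        self.service = service
        self.handler = handler
        self.allowed_sources: Set[str] = set()      # empty set == default deny
        self.audit: List[Tuple[str, str, str]] = []

    def apply_policy(self, allowed_sources: Set[str]) -> None:
        # Called by the control plane; applies to the next request.
        self.allowed_sources = set(allowed_sources)

    def call(self, dest: "Sidecar", request: str) -> Response:
        # Outbound side: the caller's identity is asserted by its own sidecar
        # (constructed; a real mesh takes it from the workload's mTLS cert).
        return dest.receive(source=self.service, request=request)

    def receive(self, source: str, request: str) -> Response:
        # Inbound side: the access-control check runs before the service code.
        if source not in self.allowed_sources:
            self.audit.append(("deny", source, request))
            return {"status": 403, "body": "denied by mesh policy"}
        self.audit.append(("allow", source, request))
        return {"status": 200, "body": self.handler(request)}


class ControlPlane:
    """Holds the desired policy and injects it into every registered sidecar."""

    def __init__(self) -> None:
        self.policies: Dict[str, Set[str]] = {}     # destination -> allowed sources
        self.sidecars: List[Sidecar] = []

    def register(self, sidecar: Sidecar) -> None:
        self.sidecars.append(sidecar)
        sidecar.apply_policy(self.policies.get(sidecar.service, set()))

    def set_policy(self, dest: str, allowed_sources: Set[str]) -> None:
        self.policies[dest] = set(allowed_sources)
        for sc in self.sidecars:                    # push; no service redeploy
            sc.apply_policy(self.policies.get(sc.service, set()))


def run_scenario() -> Tuple[object, object, object, List[Tuple[str, str, str]]]:
    """Constructed scenario: orders may call inventory, billing may not, then
    the policy is widened at runtime."""
    cp = ControlPlane()
    inventory = Sidecar("inventory", lambda req: f"stock for {req}: 42")
    orders = Sidecar("orders", lambda req: "order placed")
    billing = Sidecar("billing", lambda req: "charged")
    for sc in (inventory, orders, billing):
        cp.register(sc)

    cp.set_policy("inventory", {"orders"})
    first = orders.call(inventory, "sku-123")            # allowed -> 200
    second = billing.call(inventory, "sku-123")          # not in policy -> 403
    cp.set_policy("inventory", {"orders", "billing"})    # policy change only
    third = billing.call(inventory, "sku-123")           # now allowed -> 200
    return first["status"], second["status"], third["status"], inventory.audit


if __name__ == "__main__":
    print(run_scenario())
```

The point worth noticing is where the decision is made: the `inventory` handler is a plain lambda that knows nothing about callers, yet the second call is refused and logged, and widening the policy later needs no change to that handler. An unregistered or unlisted caller is denied by default because a sidecar starts with an empty allow set.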

API Gateway

The primary function of the API gateway is to route inbound requests to the correct downstream services, optionally perform protocol translation (i.e., translation between web protocols, such as HTTP and WebSocket, and web-unfriendly protocols that are used internally, such as AMQP and Thrift binary RPC), and sometimes compose requests. In some rare instances, they are used as part of a Backend for Frontend (BFF), thus enabling support for clients with different form factors (e.g., browser, mobile device).

All requests from clients first go through the API gateway, which then routes requests to the appropriate microservice. The API gateway will often handle a request by invoking multiple microservices and aggregating the results.

Since the API gateway is the entry point for microservices, it should be equipped with the necessary infrastructure services (in addition to its main service of request shaping), such as service discovery, authentication and access control, load balancing, caching, providing custom APIs for each type of client, application-aware health checks, service monitoring, attack detection, attack response, security logging and monitoring and circuit breakers.

Source: NIST SP 800-204
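The three gateway features the question lists as core (options B, C and D) are rate limiting, routing old clients to a new service version, and circuit breaking. The following is an added example, not NIST's text or any gateway product's code, that implements all three in one small in-process gateway in front of constructed downstream services. The paths, client ids, limits (3 requests burst, 1 per second refill, breaker opening after 2 failures) and the deterministic `FakeClock` are constructed so the run is reproducible offline.

```python
"""Toy API gateway: per-client rate limit, version redirect, circuit breaker.
Added example; services, paths and limits are constructed for illustration."""
import time
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]          # (HTTP status, body or redirect Location)


class FakeClock:
    """Deterministic stand-in for time.monotonic so the example is repeatable."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucket:
    """Rate limiter: `burst` tokens, refilled at `rate` tokens per second."""
    def __init__(self, rate: float, burst: int, clock: Callable[[], float]) -> None:
        self.rate, self.capacity, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()
    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CircuitBreaker:
    """Opens after `threshold` consecutive failures. While open, the downstream
    service is not called at all, which is what stops a failure cascading."""
    def __init__(self, threshold: int, reset_after: float, clock: Callable[[], float]) -> None:
        self.threshold, self.reset_after, self.clock = threshold, reset_after, clock
        self.failures = 0
        self.opened_at: Optional[float] = None
    def is_open(self) -> bool:
        if self.opened_at is None:
            return False
        if self.clock() - self.opened_at >= self.reset_after:
            self.opened_at, self.failures = None, 0   # half-open: allow one probe
            return False
        return True
    def record(self, ok: bool) -> None:
        if ok:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()


class Gateway:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.routes: Dict[str, Callable[[str], str]] = {}
        self.redirects: Dict[str, str] = {}
        self.limiters: Dict[str, TokenBucket] = {}
        self.breakers: Dict[str, CircuitBreaker] = {}

    def add_route(self, prefix: str, service: Callable[[str], str]) -> None:
        self.routes[prefix] = service
        self.breakers[prefix] = CircuitBreaker(2, 30.0, self.clock)

    def add_redirect(self, old_prefix: str, new_prefix: str) -> None:
        self.redirects[old_prefix] = new_prefix

    def handle(self, client_id: str, path: str) -> Response:
        # 1. Rate limit per client before doing any work on its behalf.
        bucket = self.limiters.setdefault(client_id, TokenBucket(1.0, 3, self.clock))
        if not bucket.allow():
            return 429, "too many requests"
        # 2. Send clients still using an old API version to the new one.
        for old, new in self.redirects.items():
            if path.startswith(old):
                return 308, new + path[len(old):]
        # 3. Route to the downstream service through its circuit breaker.
        for prefix, service in self.routes.items():
            if path.startswith(prefix):
                breaker = self.breakers[prefix]
                if breaker.is_open():
                    return 503, "circuit open: downstream temporarily unavailable"
                try:
                    body = service(path)
                except Exception as exc:        # downstream failed; count it
                    breaker.record(ok=False)
                    return 502, f"downstream error: {exc}"
                breaker.record(ok=True)
                return 200, body
        return 404, "no route"


def run_scenario() -> Tuple[List[int], Response, List[int], int]:
    """Constructed scenario exercising the three features in turn."""
    clock, calls = FakeClock(), {"inventory": 0}
    gw = Gateway(clock)
    def orders_v2(path: str) -> str:
        return f"orders v2 handled {path}"
    def inventory(path: str) -> str:            # constructed failing service
        calls["inventory"] += 1
        raise RuntimeError("database timeout")
    gw.add_route("/v2/orders", orders_v2)
    gw.add_route("/inventory", inventory)
    gw.add_redirect("/v1/orders", "/v2/orders")

    burst = [gw.handle("mobile", "/v2/orders/list")[0] for _ in range(4)]  # 4th is 429
    redirect = gw.handle("legacy", "/v1/orders/42")                         # 308 to /v2
    clock.advance(10)
    broken = [gw.handle("web", "/inventory/sku-1")[0] for _ in range(3)]    # 502,502,503
    return burst, redirect, broken, calls["inventory"]


if __name__ == "__main__":
    print(run_scenario())
```

Two things in the run are worth checking against the text. The fourth "mobile" request is refused with 429 before any downstream work happens, which is option B. The third "web" request returns 503 while `calls["inventory"]` stays at 2: once the breaker opens, the gateway stops forwarding to the failing service instead of piling more requests onto it, which is option D. Option A is deliberately absent from the gateway; in this architecture service-to-service calls go through the mesh, not through the edge gateway.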


API gateways and service meshes are two main architectural elements that ensure reliable, resilient, and secure communication in a microservices-based application. Which of the following is not a core feature of an API gateway? (Wentz QOTD)
A. Facilitate service-to-service communication.
B. Ensure a reasonable rate of requests.
C. Redirect requests from old clients to a new version of the service.
D. Avoid the possibility of a cascaded failure.

CISSP Practice Questions – 20210823