Tyk deployment, Scaling and Security on AWS


Initiative: Gonna use Tyk at production level. We are considering, how to scale and security.

Q1. We prefer to use FILES to config API definition and Policies and thought it is better to handle deployment and management comparing with GUI. Any thoughts ?

Take away MongoDB
Q1. What is the responsibility on MongoDB and Redis in Tyk ? MongoDB for Analytic only ?

Q2. Is API keys and Organization stored in Redis / MongoDB ? Can we use Advanced API like /admin/organisations/ if we disabled MongoDB

Q3. How to config if we want to disable MongoDB ? Remove mongo_url from dashboard_config ? remove enable_analytics from gateway config

Q4. So Dashboard service only for Advanced API after we disabled MongoDB and API defined via FILES ?

Q5. Beside mongoDB and CSV, any method we can stream analytic data to statsd / datadog ? Assuming we use FILE based API definition.

Q1. API key and Oauth key are created via Gateway with a SECERT. When Gateway is supposed open to public ( Dashboard can be Internal only) and seems it is not very secure once hacker brute-force the SECRET and they can create KEY as they want. Any thoughts

Q2. Is a possible to config tyk.conf > secret and tyk_analytics.confg > admin_secret using Environment variables instead of hard code in conf ?


Completely up to you, some people don;t like the dashboard or using a DUI

MongoDB stores analytics and all the advanced metadata, if you are using file-based and don;t want analytics, then you can remove it

Redis, and if you use Advanced API then you need MongoDB

Disable analytics and use file based config, also policy source must be files too, this is in the docs

No mongo, no dashboard or advanced API

Take a look at Tyk Pump

You can move the admin API domain away from the gateway as a setting in the tyk.conf



The Setup that I support is on AWS with Elastic Beanstalk ( Docker ) where Dashboard and Gateway are on environments that are separated.
That gives the flexibility to scale as per needs ( CPU / NW throughput etc )
Dashboard is only accessible within the VPC.
In our setup, a gateway helper application ( running on SSL in a different port on the Gateway servers) is in charge of delivering the auth token to requesting applications and it validates the client with its ID and secret before generating the token. This application also has webhooks for email notifications like quota exceed / ratelimit exceed and few other things.