
There are two sets of APIs, each hosted in a different organisation: my client's organisation and her partner's organisation. The servers of the two organisations communicate with each other through the APIs hosted in each organisation.

The APIs already use HTTPS and are authenticated with an API key. In my client's case, her servers are on AWS and I have a firewall that only accepts her partner's IP.

Since the APIs already use HTTPS, I would assume that the transmitted data is already encrypted. However, my client has requested that I use an IPsec VPN between the servers.

I'm not sure if I'm missing something here. Since the data transmitted between my client's server and her partner's server through the APIs is already encrypted by HTTPS, is IPsec still necessary?

xenon
  • See also [What does using a VPN offers over HTTPS + DoH in terms of protection?](https://security.stackexchange.com/questions/243584/what-does-using-a-vpn-offers-over-https-doh-in-terms-of-protection) and [Is there any good security reason to add a VPN tunnel to encapsulate an existing HTTPS traffic between an IoT device and a web server?](https://security.stackexchange.com/questions/244252/is-there-any-good-security-reason-to-add-a-vpn-tunnel-to-encapsulate-an-existing) – Sjoerd Feb 24 '21 at 08:28
  • @xenon: I don't see how this question differs from existing ones. Especially [Is there any good security reason to add a VPN tunnel to encapsulate an existing HTTPS traffic between an IoT device and a web server?](https://security.stackexchange.com/questions/244252/is-there-any-good-security-reason-to-add-a-vpn-tunnel-to-encapsulate-an-existing) looks like it is basically asking the same. If you find a specific aspect which is not covered yet, please point this out and maybe focus on this detail. – Steffen Ullrich Feb 24 '21 at 09:08

1 Answer


Not for confidentiality, but possibly for access control. Servers that don't need to be publicly accessible are often placed "behind a VPN". This way, they are only reachable by authorised parties.

Whether this improves security is not always clear. A VPN can also have vulnerabilities, so replacing your API authentication endpoint with a VPN authentication endpoint does not seem to make much of a difference.

Perhaps client certificates or IP whitelisting is more suitable in your case.

Sjoerd
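The answer's suggestion, client certificates and IP allowlisting layered on top of the existing API key, as an added example that is not part of the question or the answer. It sketches a minimal HTTPS server that rejects non-partner source addresses, requires a client certificate issued by the partner's CA (mutual TLS), and then checks the API key in constant time. The network ranges, the certificate subject, the key value and the file names are constructed placeholders, not values from the original post.

```python
"""Layered access control for a server-to-server HTTPS API, added here as an
example (not code from the question or the answer): a source-IP allowlist,
mutual TLS with a partner-issued client certificate, and the existing API key,
enforced in that order. Network ranges, the certificate subject, the key and
the file names are constructed placeholders."""
import hmac
import ipaddress
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Constructed policy values (assumptions; replace with the real partner data).
PARTNER_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:1::/48")]
PARTNER_CERT_CN = "api.partner.example"
API_KEY = b"replace-with-a-random-32-byte-value"


def ip_allowed(peer_ip: str) -> bool:
    """Layer 1: accept only connections from the partner's address ranges (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in PARTNER_NETWORKS)


def peer_cn(cert: Optional[dict]) -> Optional[str]:
    """Pull commonName out of the dict that ssl.SSLSocket.getpeercert() returns."""
    if not cert:
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def api_key_allowed(presented: Optional[str]) -> bool:
    """Layer 3: compare the key in constant time so response timing does not leak it."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), API_KEY)


def authorize(peer_ip: str, cert: Optional[dict], presented_key: Optional[str]) -> Tuple[bool, str]:
    """Evaluate all three layers; each must pass independently of the others."""
    if not ip_allowed(peer_ip):
        return False, "source address not allowlisted"
    if peer_cn(cert) != PARTNER_CERT_CN:  # Layer 2: mTLS identity of the caller
        return False, "client certificate missing or not the partner's"
    if not api_key_allowed(presented_key):
        return False, "bad API key"
    return True, "ok"


def build_server_context(cert_file: str, key_file: str, partner_ca_file: str) -> ssl.SSLContext:
    """TLS 1.2+ server context that requires a client certificate chaining to the
    partner CA; without one the handshake fails before any HTTP is parsed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=partner_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class PartnerAPIServer(HTTPServer):
    def verify_request(self, request, client_address) -> bool:
        # Belt and braces with the cloud firewall: drop connections from
        # non-partner addresses before any request line is read.
        return ip_allowed(client_address[0])


class PartnerAPIHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        cert = self.connection.getpeercert()  # populated because verify_mode is CERT_REQUIRED
        ok, reason = authorize(self.client_address[0], cert, self.headers.get("X-API-Key"))
        body = reason.encode("utf-8")
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(cert_file: str, key_file: str, partner_ca_file: str, port: int = 8443) -> None:
    server = PartnerAPIServer(("0.0.0.0", port), PartnerAPIHandler)
    server.socket = build_server_context(cert_file, key_file, partner_ca_file).wrap_socket(
        server.socket, server_side=True)
    server.serve_forever()


if __name__ == "__main__":
    # Hypothetical file names; partner-ca.pem is the CA that issued the partner's client cert.
    serve("server.crt", "server.key", "partner-ca.pem")
```

The point of the layering is that each control fails independently: a leaked API key is useless from an address outside the partner's ranges or without the partner's client certificate, and a stolen client certificate still needs the key. That is the same "only reachable by authorised parties" property a VPN would give, without adding a second authentication endpoint with its own vulnerabilities.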