
I have two apps. One of them talks to the world, but needs some data from an internal API we host elsewhere (on Heroku).

I was thinking about security. Currently, we have token authorization working, but we can do better. Since the scope of the app is entirely internal, there is no reason we would want to unnecessarily expose the API to the internet, even though authentication is already in place.

If it weren't on Heroku, I could whitelist the IP of the other server on the API server and be done with it. That would reduce my attack surface significantly. However, I understand that Heroku does not allow us to manipulate iptables, and worse yet, dynos aren't guaranteed to have static IPs. However, I do have domains for each of these Heroku instances.

Is there a good way to ensure that my API server can ONLY talk to the other Heroku apps in my account? Or am I stuck moving the API server to a dedicated VPS?

John
