...
API gateways such as Kong have emerged as a useful technology for exposing and controlling service endpoint access for applications and services. When a Control Loop Type is onboarded, or when Control Loop Instances are created, CLAMP can configure service endpoints between Control Loop Elements to redirect through an API Gateway.
Authentication and access-control rules can then be dynamically configured at the API gateway to support constrained access between Control Loop Elements and Control Loop Instances.
The diagram below shows the approach for configuring API Gateway access at Control Loop Instance and Control Loop Element level.
...
At runtime, CLAMP can configure the API gateway to enable (or deny) interactions between Control Loop Instances and, individually, for each Control Loop Element. All service-level interactions into or out of a Control Loop Element, except those to/from the API Gateway, can be blocked by networking policies, thus sandboxing a Control Loop Element, or an entire Control Loop Instance, if desired.
Once the Control Loop Instance is instantiated on participants, the participants configure the API gateway with the Control Loop Instance level configuration and with the specific configuration for their Control Loop Element. Therefore, a Control Loop Element will only have access to the APIs that are available over the configured API gateway.
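The two checks described above can be modelled as follows. This is an added example, not CLAMP or Kong code: it audits a set of permitted network flows for paths that bypass the gateway, and evaluates a deny-by-default gateway decision that needs both the instance-level and the element-level rule. The gateway name, instance and element names, API paths and flows are all constructed for illustration.

```python
from dataclasses import dataclass, field

GATEWAY = "api-gateway"  # assumed name of the gateway endpoint


@dataclass
class GatewayConfig:
    # Instance-level rules: (calling instance, target instance) pairs enabled.
    instance_allow: set = field(default_factory=set)
    # Element-level rules: element -> set of (target instance, API path).
    element_allow: dict = field(default_factory=dict)

    def authorize(self, src_instance, src_element, dst_instance, api):
        """Deny by default: both configuration levels must permit the call."""
        if (src_instance, dst_instance) not in self.instance_allow:
            return False
        return (dst_instance, api) in self.element_allow.get(src_element, set())


def bypass_flows(flows, elements):
    """Return permitted flows that touch an element without the gateway as peer.

    Any such flow means the networking policies do not sandbox that element.
    """
    return [(src, dst) for src, dst in flows
            if (src in elements and dst != GATEWAY)
            or (dst in elements and src != GATEWAY)]


# Constructed sample data: two instances (cl1, cl2) and their elements.
ELEMENTS = {"cl1-monitor", "cl1-policy", "cl2-actor"}
FLOWS = [
    ("cl1-monitor", GATEWAY), (GATEWAY, "cl1-policy"),
    ("cl1-policy", GATEWAY), (GATEWAY, "cl2-actor"),
    ("cl1-monitor", "cl2-actor"),  # direct element-to-element path
]
CONFIG = GatewayConfig(
    instance_allow={("cl1", "cl1"), ("cl1", "cl2")},
    element_allow={
        "cl1-monitor": {("cl1", "/policy/decide")},
        "cl1-policy": {("cl2", "/actor/execute")},
    },
)

if __name__ == "__main__":
    print("flows bypassing the gateway:", bypass_flows(FLOWS, ELEMENTS))
    print("cl1-monitor -> cl2 /actor/execute:",
          CONFIG.authorize("cl1", "cl1-monitor", "cl2", "/actor/execute"))
```
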
...