ROMA Connect Security Best Practices

Secure Instance Access

1. When creating an instance, you need to select the VPC network to which the instance belongs. For details, see Preparing Resources.
2. After an instance is created, you can configure a whitelist for both public and private networks to ensure network security.
   1. To allow access from the private network, see "Private IP Address Access Control (Whitelist)" in Viewing Details of an Instance.
   2. To allow access from the public network, you need to configure the public and private IP address whitelist to allow trusted IP addresses. For details, see "Public IP Address Access Control (Whitelist)" in Viewing Details of an Instance.

Connectors (Composite Applications)

1. There are multiple types of triggers. The following uses OpenAPI, Kafka, and SQL Server as examples to describe the recommended connection modes.
   • OpenAPI: Set Security Authentication to App or IAM to secure API data. For details about the configuration, see OpenAPI.
   • Kafka: Set Authentication Mode to SSL and SASL to SCRAM-SHA-512 or SCRAM-SHA-256 to encrypt data transmission and prevent data leakage and tampering. For details about the configuration, see Kafka.
   • SQL Server: Set Connection and Security to Professional to secure data access using encrypted transmission channels, preventing data leakage and tampering. For details about the configuration, see SQL Server.
2. When creating an HTTP request connection, you are advised to set base_url to an HTTPS request address to ensure that the data transmission channel is encrypted and prevent data leakage or tampering. Set Security Authentication to App, Client Credentials, Basic Auth, or Secret to secure API permissions and prevent unauthorized users from accessing APIs. For details about the configuration, see HTTP Request.

Custom Variables (Composite Applications)

Orchestrating a composite application flow and configuring connectors and processors involve various inputs, outputs, and configurations, which can be referenced as variables when you edit and design a composite application to create efficiency.

When configuring a custom variable, if it contains sensitive information such as passwords, keys, or public and private keys, set the variable type to password to ensure it is encrypted during storage and protected against data leakage. For details about the configuration, see section "Custom Variables" in Referencing Variables.

API Opening (APIC)

1. Create an API.

   Set Protocol of URL to HTTPS and Authentication Mode in the security configuration to App or IAM to enable authorized data access and encrypt data transmission channels. For details about the configuration, see Creating an API.

2. Bind a domain name.

   When configuring the domain name for your API group, it is recommended to bind a domain name and select an SSL certificate. Additionally, configuring a CA certificate for HTTPS bidirectional authentication will enhance security by preventing unauthorized access to open APIs and encrypting the data channel to protect against data leakage or tampering. For details about the configuration, see Binding Domain Names.

3. Configure API control policies.

   APIs offer request throttling and access control features. After deploying an API, it is recommended to configure throttling based on service volume and set up an access whitelist for external services. For details about the configuration, see Configuring API Request Throttling and Configuring Access Control.

   Request throttling

   • High-precision, high-performance, and single-node throttling
   • API-specific/-sharing mode

   Access control

   • IP address, account ID, and account name supported
   • Data type whitelist/blacklist for API access