Skip to main content

Network and Security

Treat the proxy listener, admin listener, metrics endpoint, etcd, and managed Cloud connection as separate trust zones.

Network Surfaces

Use this map to decide what can be reachable from each network:

SurfaceWhat it carriesExposure
Proxy listenerCaller-facing AI traffic, such as /v1/chat/completionsIntended callers or the ingress tier
Admin listenerAdmin API, admin health, OpenAPI, and playgroundLoopback, private subnet, or admin-only network
Metrics listenerPrometheus metricsTrusted monitoring network
Configuration storeDynamic gateway resources in etcd for self-hosted deploymentsAISIX and configuration-management systems only
Managed Cloud connectionmTLS-authenticated gateway communication with the AISIX Cloud control planeOutbound mTLS path to AISIX Cloud control plane

Expose only the proxy listener to callers. Keep admin, metrics, OpenAPI, playground, and etcd on private networks. Metrics endpoints are unauthenticated and served on the dedicated metrics listener.

Use TLS or mTLS where network placement requires encrypted or mutually authenticated transport. If etcd TLS is enabled, the startup configuration must point to certificate files that the gateway process can read.

Binding Privileged Ports (80/443)

The AISIX container image runs as a non-root user (UID 10001) and grants the gateway binary the CAP_NET_BIND_SERVICE file capability — the same capability Kubernetes securityContext fields spell NET_BIND_SERVICE, without the CAP_ prefix — so listeners can bind privileged ports such as 80 and 443 without running the container as root. This works the same in plain Docker and in Kubernetes, including hostNetwork: true pods that expose the proxy directly on the node:

# Pod spec excerpt: proxy listener on node port 80 via host network
spec:
hostNetwork: true
containers:
- name: aisix
image: api7/aisix
# config mounts proxy.addr: "0.0.0.0:80"

NET_BIND_SERVICE is part of the default capability set of Docker and containerd, so no extra settings are needed in a default deployment. If your pod security context drops all capabilities, add NET_BIND_SERVICE back — otherwise the container fails at startup with exec: Operation not permitted: the binary carries the file capability with the effective bit set, so the kernel refuses to execute it when the capability cannot be granted, rather than running it without the capability:

securityContext:
capabilities:
drop: ["ALL"]
add: ["NET_BIND_SERVICE"]

This is compatible with the restricted Pod Security Standard, which permits adding back exactly NET_BIND_SERVICE. If you only need the gateway reachable on port 80 of the node rather than full host networking, a hostPort: 80 mapping to the container's regular proxy port avoids binding a privileged port inside the container.

Credential Boundaries

Caller API keys and upstream provider credentials have different storage and forwarding rules:

Credential or SecretHow AISIX Uses ItProtect
Caller API keyStored as a hash; plaintext is held by the calling applicationApplication secret storage and API key rotation workflow
Provider keyUsed to authenticate upstream provider requestsConfiguration store, admin access, and backups
Observability exporter credentialSent to or resolved for the configured telemetry destinationDynamic resource store and observability configuration access
Managed certificate bundleAuthenticates a managed gateway to AISIX CloudRuntime state directory, trust root, and managed bootstrap process

In self-hosted deployments, provider credentials can live in the configuration store. OTLP HTTP exporter headers can be stored in dynamic configuration; object-storage, Aliyun SLS, and Datadog exporters use credential references that the gateway resolves locally. Treat etcd, backups, and the admin API access path as secret-bearing surfaces. In managed deployments, AISIX Cloud controls provider-key handling and projects runtime configuration into the managed gateway.

AISIX authenticates callers with caller API keys and authenticates upstream requests with provider credentials. Passthrough strips sensitive inbound headers by default. Provider-key strip settings can affect what is forwarded, so keep credential-bearing headers such as authorization, cookie, and x-api-key stripped unless a specific upstream integration requires otherwise.

Security Baseline

Confirm these controls before routing production traffic:

  • The proxy listener is reachable only from intended callers or ingress.
  • The admin listener is private in self-hosted deployments.
  • Metrics endpoints are private.
  • etcd is private, persistent, backed up, and access-controlled in self-hosted deployments.
  • Provider-key secrets and exporter credentials are treated as sensitive operational data.
  • Listener TLS, etcd TLS, or managed mTLS is configured where the deployment requires encrypted or mutually authenticated transport.
  • Managed gateway identity is validated through the certificate-based bootstrap path.
  • Backups and observability pipelines do not expose dynamic resource payloads or provider credentials.

Next Steps

You have now seen the network and credential boundaries to protect before exposing AISIX. Continue with TLS and mTLS for transport security.

API7.ai Logo

The digital world is connected by APIs,
API7.ai exists to make APIs more efficient, reliable, and secure.

Sign up for API7 newsletter

Product

API7 Gateway

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation