| |

Bridging the Gap: Secure API Communication via Layer7 Gateway in .NET

Bydjones
Bridging the Gap: Secure API Communication via Layer7 Gateway in .NET — Demaro Jones

In the corporate world — especially in investment and finance — security isn’t just a feature; it’s the foundation. We often work with on-premise servers that have zero direct access to the public internet.

When our C# applications need to talk to an external vendor like Bloomberg or Clearwater, we can’t just reach out and grab the data. Instead, we use a middleman: the Broadcom Layer7 API Gateway.

Today I’m breaking down how we handle a double-handshake security model:

  1. On-Prem to Layer7 — Authenticated via an x509 Certificate (mTLS)
  2. Layer7 to External API — Authenticated via an API Key
Section 01

The Architecture: Secure Request Flow

Before we look at the code, let’s look at the chain of trust. Your app doesn’t know the external API key, and the external API doesn’t know your internal certificate. Layer7 acts as the secure bridge between two worlds that never need to meet directly.

// chain of trust — request flow
On-Prem
C# .NET App
Knows: x509 cert
Doesn’t know: API key
mTLS
x509 cert
Gateway
Layer7
API Gateway
Validates cert
Injects API key
API Key
injected
External
Bloomberg /
Clearwater API
Knows: API key
Doesn’t know: cert
Security Principle
Your application never handles the real API key. If your on-prem server is ever compromised, the attacker has an internal certificate — not the credentials for your Bloomberg or Clearwater subscription. The two trust domains are completely separate.
Section 02

The Implementation: x509 in C# .NET

To talk to Layer7, we use Mutual TLS (mTLS). This means your C# code must present a certificate that the Gateway trusts. Here is a production-grade pattern using HttpClient and HttpClientHandler.

Step 1 — Loading the Certificate

First, pull your certificate from the local machine store. In a corporate environment, this is usually pre-installed in the My (Personal) store for the Service Account running the application.

CertificateHelper.cs C# 
using System.Security.Cryptography.X509Certificates;

public X509Certificate2 GetClientCertificate(string thumbprint)
{
    using var store = new X509Store(StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    // Find the cert by thumbprint to ensure you have the exact one issued for Layer7
    var certs = store.Certificates.Find(
        X509FindType.FindByThumbprint,
        thumbprint,
        false
    );

    if (certs.Count == 0)
        throw new Exception("Certificate not found. Check your On-Prem store.");

    return certs[0];
}
Environment Note
In most enterprise environments the certificate is installed by your infrastructure team under the Service Account’s personal store. You’ll need the thumbprint — find it in the Windows Certificate Manager (certmgr.msc) or request it from whoever issued the cert.

Step 2 — Configuring the HttpClient with mTLS

Standard HttpClient won’t work here. You need to attach an HttpClientHandler that carries the certificate on every outbound request to the Gateway.

GatewayClient.cs C# 
public async Task<string> CallGatewayAsync()
{
    var cert = GetClientCertificate("YOUR_CERT_THUMBPRINT_HERE");

    var handler = new HttpClientHandler();
    handler.ClientCertificates.Add(cert);
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;

    using var client = new HttpClient(handler);

    // The URL is your internal Layer7 endpoint, NOT the external vendor URL
    var gatewayUrl = "https://internal-gateway.yourcompany.com/v1/investment-data";

    try
    {
        var response = await client.GetAsync(gatewayUrl);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
    catch (HttpRequestException ex)
    {
        // In on-prem finance, logging is vital for reconciliation audits
        Console.WriteLine($"Gateway Error: {ex.Message}");
        throw;
    }
}
Production Consideration
Avoid instantiating HttpClient inside a method in long-running services — it can exhaust socket connections under load. In ASP.NET Core apps, inject IHttpClientFactory and configure the certificate in your DI setup via AddHttpClient.
Section 03

Why This Pattern Matters for Finance

This isn’t just a clever architecture exercise. Each of these properties directly addresses real operational risks in investment and finance environments.

01
Security Isolation
The .NET application never handles the real API key. If your on-prem server is ever compromised, the attacker only has an internal certificate — not the credentials for your Bloomberg or Clearwater subscription. The two trust domains are completely separate.
02
Auditability
Layer7 logs every request that passes through it. If a reconciliation fails between your system and Clearwater, you can check the Gateway logs to see exactly what was sent and received — timestamps included. This is invaluable when finance teams are tracing discrepancies.
03
Migration Readiness
Since your app calls a Gateway URL rather than a hardcoded vendor URL, moving to AWS becomes much cleaner. You can point the app at an AWS API Gateway or a PrivateLink endpoint without touching the application code. The abstraction layer pays forward.
C# .NET mTLS API Security Layer7 x509 Fintech Engineering Bloomberg Clearwater

Leave a Reply

Your email address will not be published. Required fields are marked *