How to Remove External Access to Process and System API Layers
Blog: BPM Blog Avio Consulting
By default, all MuleSoft APIs deployed to CloudHub are exposed to external traffic. It is standard practice to protect them using SSL/TLS combined with an authentication policy such as client ID and secret, as well as any other required policies such as IP blocking. This level of security still leaves process and system layer APIs exposed to external traffic, and invoking them directly could have adverse effects. Assuming an API-led connectivity approach, the process and system APIs should not be invoked directly by external clients.