Figure 6. Application Communication
The front-end of an app communicates with the backend by issuing the following API call to the app backend running in docker, where api.json or api.xml is an API path provided by the application.
The vendordomain and appid are specific to the app and are defined in the app.json file.
The IP address of the APIC is always 172.17.0.1 in relation to the docker instance. When the backend makes calls to the APIC, it uses the IP address 172.17.0.1.
The request is then forwarded to the docker instance where the app is running. The app returns a response which is then forwarded back to the front-end. The API URLs must be declared in the app.json file and only authenticated users can make the API call.
During the installation of an app, a user and role are created and a certificate key pair is assigned to the user. When the app is installed, the private key is added to the docker image, where it is located in the directory /home/apps/credentials. Using the private key, the app then creates a session with NGINX for the user. Once the session is created, API calls can be made to retrieve the MIT information. Because the session is created for a user, the app can access only the information available to that user, and the user is limited to the permissions defined in the app.json file.
Docker instances can be located on different APICs. It is not recommended to have communication between docker instances located on different APICs or the same APIC.
See Signing in to the APIC from the Application Using RBAC.
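As an added example (not part of the original guide and not Cisco's code), the following Python script audits two facts stated above from inside the app container: that files under /home/apps/credentials are not accessible to group or other, and that the backend's APIC URLs target exactly 172.17.0.1. The function names, file names, URL scheme and sample URLs are constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit

APIC_FROM_CONTAINER = "172.17.0.1"          # address stated in the text above
CREDENTIALS_DIR = "/home/apps/credentials"  # directory stated in the text above


def audit_credentials(cred_dir=CREDENTIALS_DIR):
    """Flag files under cred_dir that group/other can access, and symlinks."""
    if not os.path.isdir(cred_dir):
        return [f"{cred_dir}: directory not found"]
    findings = []
    for root, _dirs, files in os.walk(cred_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                findings.append(f"{name}: symlink, expected a regular file")
            elif mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name}: mode {mode:04o} allows group/other access")
    return findings


def audit_apic_urls(urls):
    """Flag URLs whose parsed host is not exactly 172.17.0.1."""
    # Compare the parsed hostname; a prefix match on the string would accept
    # look-alike hosts and userinfo forms such as the constructed samples below.
    return [u for u in urls if urlsplit(u).hostname != APIC_FROM_CONTAINER]


def demo():
    """Run both checks on constructed sample data (not from a real app)."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("sample_ok.key", 0o600), ("sample_loose.key", 0o644)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        cred_findings = audit_credentials(d)
    url_findings = audit_apic_urls([
        "https://172.17.0.1/api/sample.json",               # constructed path
        "https://172.17.0.1.example.test/api/sample.json",  # look-alike host
        "https://172.17.0.1@example.test/api/sample.json",  # userinfo form
    ])
    return cred_findings, url_findings
```

Calling `audit_credentials()` with no argument inside the container checks the real credentials directory; `demo()` exercises both checks on the constructed data only.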