How to build secure APIs for on-prem databases

Many businesses still rely on on-premise databases, like MySQL, SQL Server, or Oracle, to run critical operations. However, when these systems are behind firewalls, they can feel isolated, making it challenging to integrate with cloud apps for order processing, inventory synchronization, or analytics.

Traditional workarounds, such as IP whitelisting or VPN tunnels, introduce risk, complexity, and overhead.

To securely access on-premise data without changing network architecture, use the Celigo on-premise agent to establish an outbound-only connection from your private environment to Celigo.

Together with API Builder, you can then publish that data as a token-authenticated RESTful API, giving you complete control over access and governance.

Watch the demo

Here, we’ll use the on-premise agent with API Builder to expose a private MySQL database as a secure, token-authenticated API, without opening firewall ports.

This creates a fast, low-risk way to modernize legacy systems and connect them with cloud applications, without disrupting existing operations.

Use Case

ACME Chocolatiers

ACME Chocolatiers needed to make its on-premise product catalog accessible to cloud-based systems, without disrupting existing infrastructure.

Using API Builder and the on-premise agent, the team:

• Connected the MySQL database securely through the outbound agent.
• Created a RESTful API endpoint to retrieve product records.
• Tested the connection using Postman and token-based authentication.
• Enabled cloud-based systems to fetch product data via a secure API.

This approach provided ACME with a modern, maintainable way to unlock internal data, requiring no firewall changes, no VPN setup, and no added security risk.

When to use an on-premise agent

Some systems you need to integrate with aren’t accessible over the public internet, due to firewall rules, local hosting, or security requirements.

In these cases, the on-premise agent provides a secure alternative to IP whitelisting or VPN tunnels. It establishes an outbound connection from your private network to integrator.io, allowing secure access to internal systems.

The agent supports a wide range of systems, including:

• SQL databases (MySQL, SQL Server, Oracle, PostgreSQL)
• NoSQL and document databases (MongoDB, DynamoDB)
• HTTP-based applications

This makes it a practical solution for hybrid and legacy environments.

→ Read more about the on-premise agent

Secure API access to on-prem data

If you’re working with systems that can’t be exposed to the cloud but still need to be part of your automation strategy, the On-Premise Agent provides a secure, efficient path forward.

By combining API Builder with the agent, you can:

• Expose internal data as governed APIs.
• Extend the life of legacy systems.
• Meet integration needs without changing security architecture.

For teams in hybrid environments, this enables modernization without requiring a full rebuild.

Unified API management

With Celigo’s API Management, you can build, design, secure, socialize, and monitor APIs, all from one unified platform. Publish APIs directly from API Builder to API Management with a single click.

Celigo’s all-in-one approach empowers both IT and business teams with:

• Intuitive policy controls – configure authentication, quotas, and rate limits without writing code.

• Real-time monitoring – track usage, performance, and errors across APIs in a single dashboard.

• Advanced governance features – enforce versioning, manage subscriptions, and maintain audit trails.

• Developer portal support – Provide external and internal users with self-service access to documented APIs.

• Token-based security – safeguard APIs with OAuth 2.0, JWT, and other industry standards.

This unified model enables organizations to scale API programs faster, with stronger compliance and lower operational risk.

By combining integration with full lifecycle API management, Celigo makes every integration flow reusable as an API, helping teams extend automation while maintaining security, compliance, and access control.