Security/Access Control of Subgraph's in Managed Federation


I’m trying to wrap my head around two seemingly conflicting concepts. I have a subgraph which has both a private and public part of its graph. I am trying to conflate the need for --routing-url in the schema publish step with the statement that “only your gateway should have access to your subgraphs”. To me those two requirements seem to be at odds with each other which makes me feel like I am missing something.

Do subgraph’s need to be accessible via HTTP by apollo studio? If so is there a method for securing that connection? If that is not required - how come i get the following error when trying to publish my subgraph’s schema?

  npx rover subgraph publish <GRAPH_ID>@current \
  --name stripe \
  --schema ./private-schema.gql \

error: URL must be provided when upserting a new service

Related Documentation

  • here is where it mentions that subgraphs should be secured and only accessible by the gateway

Hi, great question! It is true that your subgraphs should be accessible only by the gateway, and that Rover requires a subgraph’s --routing-url when you first register its schema. Although Rover pushes the URL to Studio as part of your schema publish, Studio does not use the URL to communicate with your subgraph.

Instead, Studio includes each subgraph’s --routing-url in the supergraph configuration that your gateway fetches from Apollo Uplink. This is how your gateway knows the URL for each subgraph in a managed federation architecture.

The advantage of this method is that you can add, remove, or change subgraph URLs without restarting your gateway. Your gateway will pick up the new configuration from Apollo Uplink and begin routing new operations accordingly.