Through the Haal Centraal program from the Association of Dutch Municipalities (VNG), municipal systems can communicate directly with central institutions via various APIs. Increasingly, data may no longer be stored locally. By using a single central source, the so-called “single source of truth,” all institutions work with the same up-to-date information.
As part of this program, the National Office for Identity Data (RvIG) requires municipalities to implement an API gateway. The gateway ensures that only authorized municipal employees can access (parts of) the RvIG API and that data security is guaranteed.
The municipality of Sittard-Geleen chose the Apache APISIX gateway to meet the RvIG requirements. APISIX is open source. This aligns with the Open Government Act, unlike closed alternatives such as Layer7, WSO2 or the enterprise version of Kong.
A crucial element of this implementation is the use of a dedicated Kubernetes cluster, referred to as the Haven Cluster. This gives the municipality full control over its infrastructure so it can optimize the environment for its specific needs. By using Kubernetes, applications can be containerized and orchestrated, resulting in a flexible and scalable environment that is essential for handling fluctuating workloads of digital services.
To ensure fast and secure data transfer, the infrastructure is connected through Microsoft Azure ExpressRoute. This private, direct connection between the municipality’s on-premises network and the Azure cloud offers lower latency and higher bandwidth than a public internet connection, which is crucial for service reliability.
In addition, the setup provides both physical internet access and access to Diginet services. Diginet is a closed government network used for secure communication between public institutions. This combination enables versatile connectivity and ensures secure communication with both citizens and other government bodies.
Security is an important focus of this implementation. APISIX acts as a security layer that handles authentication and authorization, which removes the need to share sensitive credentials directly. This minimizes the risk of data breaches and unauthorized access and is essential for maintaining public trust in the municipality’s digital services.
To ensure a streamlined and reliable rollout of updates and changes, the municipality uses a Continuous Delivery (CD) pipeline for managing version-controlled configurations. API configurations are automatically tested, built and deployed, which creates a consistent and dependable workflow.
An extra layer of security is provided by Mutual Transport Layer Security (mTLS). This enforces mutual authentication, where the client and the server each verify the other's identity before a connection is established. This protects against man-in-the-middle attacks and strengthens overall data security.
Finally, the APISIX gateway is connected to the Haal Centraal Connector from WeAreFrank!. This intermediary layer ensures that existing XML interfaces can continue to function.
Through this structured approach, the municipality of Sittard-Geleen has created a robust, secure and scalable digital infrastructure that is ready for the future. Legacy applications can continue to run, and the municipality can decide later whether it wants to replace them. This kept the project scope smaller and contributed to a smooth APISIX implementation.
Would your municipality also like a secure, future-proof connection to the RvIG or other Haal Centraal services? WeAreFrank! helps municipalities with fast and secure APISIX implementations. Contact us and we will be happy to explore the options with you.