
I have a backend API exposed to the internet by GCP's Google Cloud Endpoint (Extensible Service Proxy). Cloud Endpoint allows us to control which other backend services can access the API and block unauthorized requests.

Is it worth adding a WAF in front of Cloud Endpoint to further protect the API?

2 Answers


ESP is more for authorization and monitoring but does not provide the same functionality as a WAF. A WAF will protect you from attacks like SQL injection, well-known Joomla, WordPress, Apache vulnerabilities, etc.

It seems like adding a WAF would be a good idea and improve your security posture.


Nobody needs a Web Application Firewall, because a well-designed API would not have vulnerabilities which can be exploited remotely. Unfortunately not all APIs are well-designed, and sometimes that's not even your fault, because you are relying on a 3rd party product. So the added complexity of setting up a WAF can be a part of a defense-in-depth strategy.

When you are using Google's Cloud Endpoints, then you cannot really rely on Google doing filtering for you in the same way your own WAF would do it. So when you don't trust the security of your API enough to put it on the Internet directly without a WAF in front of it, then you shouldn't do it either when you expose it through Google.

Philipp
All APIs, practically speaking, depend on third-party libraries. And it sounds "unlikely" that it is possible to design an API to be secure against all current and future attack types and vulnerabilities. Edited for typo. – Geir Emblemsvag Feb 27 '21 at 10:11