Hi, looking for options on how to make a map service available to view through a publically accessible web app, but not have the data available to the public. It needs to be a map service with the query option available so tiles or basemaps will not work unfortunately. The app is a custom WAB map. I'm just looking for a way that people cannot access the rest end point, but the app has access to it.
The REST endpoint provides all the data. Any client which can emulate the client app's request protocol can get that data. You could harden the endpoint in front of the Web Adaptor's servlet engine, but it might not take a lot to engineer around that (especially if a concerted effort was made), and there might be a significant performance cost.
If you want to protect the back-end database, you might stage a publishing database (or FGDB folder), which is effectively read-only, in the DMZ to prevent the risk of tampering.
I'm afraid this might be a "Doctor, doctor, it hurts when I do this!"/"Don't do that." situation