Configure API gateway with managed Instance group - google-cloud-platform

I want to use the Google API Gateway to add authentication for my APIs hosted in Compute Engine. I do not see any documentation to configure a managed instance group as the backend service for API Gateway. How do I do that?

Related

Can we use ALB behind new NLB target group, so that we can use all features of REST type API Gateway like Cognito, X-Ray

In my current existing environment we have an AWS ALB with backend APIs in ECS Fargate. Now I want to integrate AWS API Gateway and Cognito with the ALB. But as per the AWS docs, we can only use the REST API type of API Gateway for Cognito integration, and again as per the AWS docs, with the REST API Gateway type we can't use an ALB and can only use an NLB, but my APIs are configured with path-based routing in the ALB.
If I replace my ALB with an NLB, how can I achieve my path-based routing for the backend APIs, and is there any other way that I can use to configure Cognito, REST API and load balancers?
As I said, can I use an ALB behind a new NLB target group?

You can in fact use Cognito to secure HTTP APIs in API Gateway by configuring a JWT authorizer.
This example CloudFormation template will help you get it configured.

AWS | Using Cognito for a Django server via API Gateway

I have a Django server running on an EC2 machine, which also serves the UI built by Vue.js. For authentication and user management-related stuff, I have introduced Cognito service. I am using Cognito hosted UI as well for login, sign up, etc. I am also using API Gateway to make sure the Django REST APIs cannot be accessed without authentication.
There are two Routes in my API Gateway:
/api/{x} this is for REST calls and that is getting authorized by Cognito using Bearer token.
A route with a wildcard for the rest of the UI-related URLs (those are not authorized).
Both the Routes are integrated with the Django server running on the EC2 machine.
Things are working perfectly when I invoke the API Gateway URL. The Cognito integration is working like a gem. But the problem is when I'm trying to access the Django server using the public IP of the EC2 machine: I can call the RESTs without authentication using the public IP.
This is where I am getting stuck. How to overcome this kind of scenario? How can I restrict access by public IP? Or, is there a better approach that I should follow?
I am very much new to AWS. Any suggestion from your end is welcome.

You could eliminate public access to your Django EC2 instance by restricting the web traffic in the EC2 security group attached to the EC2 instance. Then create a network load balancer in the same VPC as your instance and allow web traffic to your Django instance from the subnets associated with the VPC via your security group.
Finally, create a VPC link for the API gateway which uses the newly created NLB as an endpoint. This would allow the API gateway to route requests inbound to the EC2 instance via the linked network load balancer (enforcing your Cognito authentication), while preventing internet traffic at large from reaching the EC2 instance without being forwarded via API gateway.
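A check for the situation in the question and answer above, where the backend is still reachable directly and the gateway's Cognito check is bypassed. This is an added example, not part of the original posts: it scans security-group ingress rules in the shape returned by `aws ec2 describe-security-groups` and reports sources outside the VPC on the application port. The sample groups, port 8000 and the VPC CIDR are constructed assumptions.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# group IDs, ports and CIDRs are made up for illustration.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa-example-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb-example-locked", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"}],
         "Ipv6Ranges": []}]},
]

def covers_port(perm, port):
    """True if the rule applies to TCP `port` (protocol "-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def bypass_findings(groups, app_port, vpc_cidr):
    """Return (group_id, cidr) for each CIDR source allowed on app_port that
    is not inside vpc_cidr, i.e. a path that skips the gateway authorizer.
    Rules whose source is a security group or prefix list are not evaluated."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, app_port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr)
                # subnet_of() needs matching IP versions, so compare those first
                if not (net.version == vpc.version and net.subnet_of(vpc)):
                    findings.append((group["GroupId"], cidr))
    return findings

if __name__ == "__main__":
    for gid, cidr in bypass_findings(SAMPLE_GROUPS, 8000, "10.0.0.0/16"):
        print(f"{gid}: port 8000 reachable from {cidr}, outside the VPC")
```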

Limit API calls to AWS API Gateway

I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now, this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but the AWS API Gateway IP changes all the time. I also tried using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that load balancer!
Thanks in advance for the help!

You can do this by using a Network Load Balancer.
Create an internal network load balancer and have your containers be added to its target group.
Then in API Gateway create a VPCLink to your Network Load Balancer. Then use the VPCLink within your API Gateway setup.
More instructions available here.

You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control in order to understand how you can enable endpoint private access for your cluster.

Whitelisting Api-Gateway to access ALB using WAF

I have an Application Load Balancer and an API Gateway. I'm trying to enforce the flow in such a way that only the requests from API Gateway are allowed to access my load balancer. Is there some way I could use AWS WAF to get it done?

API Gateway supports so-called Private Integrations, which use a VpcLink resource and an NLB. With them you can:
"expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC."
The docs also provide a tutorial on how to use them:
Build an API with API Gateway Private Integration

Connect to ElastiCache cluster using Api Gateway

I need to communicate with ElastiCache (Redis engine) using AWS API Gateway. I successfully connected to ElastiCache from a Lambda function in the same VPC. I can't connect from outside the VPC.
So I tried to create an API gateway, and selected the integration type as AWS Service Proxy and the AWS Service as ElastiCache.
This is the screenshot for creating an API gateway
But I don't know how to test this created API for executing Redis commands.
e.g.: SET A FOO
Is it possible to communicate with ElastiCache using API Gateway?

API Gateway service proxy is for proxying the AWS API, not the Redis API, so that's not going to work for you. You will have to create a Lambda function and use API Gateway Lambda integration.