Is it possible to assign static IP addresses to HTTP API Gateway? - amazon-web-services

We need to provide static IPs to our API GW using HTTP API GW - and not REST API GW. 🎯
It's a tricky process, but here is a good resource about it from the AWS official docs.
The problem is there are only a few articles about it, and it seems that it is not possible using HTTP API GW, only REST API GW. 😞
Suggestions?

From the AWS Support team reply:
As you have correctly indicated, this can be configured for an API Gateway REST API by making use of AWS Global Accelerator [1]. However, this would unfortunately not be possible for an API Gateway HTTP API. The closest recommendation that I can make to achieve your use-case would be to possibly use an EC2 instance or a proxy service where you can configure a static IP and then forward the requests to your HTTP API.
As #Marcin has commented.

How to secure an HTTP based API Gateway in AWS

There are two versions of the AWS API Gateway:
REST version
HTTP version (v2)
I am using the newer HTTP version with a lambda authorizer and would like to protect my staging/test environments from outside requests. One idea is to put a WAF in front of the API gateway, but unfortunately only the REST version of the gateway supports a WAF.
Any suggestions for how to protect these resources so they can only be accessed from a specific IP range? (Company VPN)
When using API Gateway, the HTTP API type lacks some of the security options that are available with a REST API, as we can see in the following table:

Security                                   HTTP API    REST API
Mutual TLS authentication                  ✓           ✓
Certificates for backend authentication                ✓
AWS WAF                                                ✓
Resource policies                                      ✓
A full comparison can be found here.
To protect your HTTP API from certain threats, like malicious users or spikes in traffic, API Gateway provides by default the options of setting throttling targets and/or enabling mutual TLS.
To understand more about these default options, take a look at this page: Protecting your HTTP API.
If you want to use WAF, you can create a private integration with an ALB, which supports WAF. This means you can get the benefits of WAF while still enjoying the lower cost and higher performance of HTTP APIs.
Your architecture can be similar to the following one:
To understand more about these integrations, take a look at this page: Best Practices for Designing Amazon API Gateway Private APIs and Private Integration.
You can create private API Gateways using the tags aws:SourceVpc and aws:SourceVpce in the API resource policy.
link to aws official documentation
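Since the question already uses a Lambda authorizer on the HTTP API, the source-IP restriction can be enforced there when neither WAF nor a resource policy is available. The following is an added example, not code from any of the answers above: an HTTP API Lambda authorizer (payload format version 2.0, simple response) that admits a request only when API Gateway's own record of the client address lies inside an allow-list of CIDR blocks such as a company VPN egress range. The CIDR ranges, sample events and the ALLOWED_CIDRS variable name are constructed placeholders.

```python
"""Lambda authorizer for an HTTP API (payload format 2.0, simple response).

Added example, not from the original answer. It admits a request only when
API Gateway's own record of the client address (requestContext.http.sourceIp)
lies inside an allow-list of CIDR blocks such as a company VPN egress range.
The ranges below are constructed placeholders taken from the RFC 5737
documentation networks; set ALLOWED_CIDRS in the function's environment.
"""
import ipaddress
import os

DEFAULT_ALLOWED_CIDRS = "203.0.113.0/24,198.51.100.0/24"  # constructed


def load_allowed_networks(raw):
    """Parse a comma-separated CIDR list. strict=True rejects prefixes with
    host bits set (e.g. 10.0.0.1/8), so a mistyped range fails the
    deployment instead of silently matching the wrong addresses."""
    return [ipaddress.ip_network(c.strip(), strict=True)
            for c in raw.split(",") if c.strip()]


def source_ip_allowed(source_ip, networks):
    """True only if source_ip parses and lies inside one of the networks."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def handler(event, context=None):
    """Authorizer entry point.

    Only requestContext.http.sourceIp is consulted: API Gateway fills it from
    the TCP connection, unlike X-Forwarded-For, which a caller can set. A
    malformed or missing value fails closed.
    """
    networks = load_allowed_networks(
        os.environ.get("ALLOWED_CIDRS", DEFAULT_ALLOWED_CIDRS))
    source_ip = (event.get("requestContext", {})
                      .get("http", {})
                      .get("sourceIp", ""))
    return {
        "isAuthorized": source_ip_allowed(source_ip, networks),
        # Passed on to the integration as $context.authorizer.sourceIp
        "context": {"sourceIp": source_ip},
    }


# Constructed sample events in the shape of the HTTP API authorizer payload 2.0.
SAMPLE_VPN_EVENT = {"requestContext": {"http": {
    "method": "GET", "path": "/health", "sourceIp": "203.0.113.42"}}}
SAMPLE_OUTSIDE_EVENT = {"requestContext": {"http": {
    "method": "GET", "path": "/health", "sourceIp": "192.0.2.7"}}}
SAMPLE_MISSING_IP_EVENT = {"requestContext": {"http": {
    "method": "GET", "path": "/health"}}}

if __name__ == "__main__":
    for name, ev in [("vpn", SAMPLE_VPN_EVENT),
                     ("outside", SAMPLE_OUTSIDE_EVENT),
                     ("missing", SAMPLE_MISSING_IP_EVENT)]:
        print(name, handler(ev))
```

Two caveats when deploying this: if authorizer result caching is enabled, the identity source must include something that distinguishes clients (for example `$context.identity.sourceIp`), otherwise one allowed caller's decision is reused for others; and this is an application-layer check, so it limits who can reach the integration but does not stop the API endpoint itself from being reachable and throttle-counted, which is what the WAF or private-integration options above address.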

What's the endpoint URL in an AWS API deployment?

I want to deploy my API to AWS. There is an Endpoint URL, but I have no idea what this is.
Any help please, thank you.
The HTTP integration will forward any requests to API Gateway to your HTTP endpoint, which you already must have. For example, you can create some API server of your own on an EC2 instance, and API Gateway, through HTTP integration, will proxy all requests to your instance. In this case, the HTTP endpoint will be your EC2 URL.
But if you don't know what your HTTP endpoint is, then probably you don't need to use HTTP integration. Maybe Lambda integration would be better.

Can I use API Gateway with Route53 to support a custom domain for AppSync?

I am building an application deployed to AppSync in AWS. AppSync doesn't support custom domains, so I have to choose a workaround.
I have read some docs and all of them mention using CloudFront. I wonder whether I can use API Gateway instead of CloudFront. For me, I don't want to use any CDN for my backend (even though I know I can disable the cache).
And I'd like to support subscriptions over WebSocket. Does that work with API Gateway?
We can set up a proxy from API Gateway, both HTTP and REST. Considering this is just a proxy with no customizations, we can go with the cheaper option of an HTTP API.
Here is the documentation.
Step by Step:
Create an HTTP API.
Add a route for /{proxy+} with ANY method.
Add an integration to ANY method pointing to appsync api suffixing with {proxy} https://kkkkabcd1efgxyzeabcdefg4.appsync-api.us-east-1.amazonaws.com/{proxy}
Point Route53 to the API Gateway.
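The four steps above, written out as a CloudFormation template so they can be reviewed and deployed repeatably. This is an added example, not the answer's own code: it builds an HTTP API, an ANY /{proxy+} route, an HTTP_PROXY integration to the AppSync host from the answer suffixed with {proxy}, a custom domain, and a Route53 alias record. The AppSync host is the placeholder from the answer, and the domain name, certificate ARN and hosted zone ID are assumptions supplied by the caller. The host check is there so the proxy cannot be pointed at an arbitrary origin by a typo in the parameter.

```python
"""CloudFormation template for the HTTP API -> AppSync proxy described above.

Added example, not from the original answer. It encodes the answer's steps
as infrastructure-as-code: an HTTP API, an ANY /{proxy+} route, an
HTTP_PROXY integration to the AppSync GraphQL host suffixed with {proxy},
and a custom domain with a Route53 alias. The AppSync host, domain name,
certificate ARN and hosted zone ID are assumptions supplied by the caller.
"""
import json
import re

# Host pattern for AppSync GraphQL endpoints; anything else is refused so the
# proxy cannot be pointed at an arbitrary origin by a bad parameter.
APPSYNC_HOST_RE = re.compile(
    r"^[a-z0-9]+\.appsync-api\.[a-z0-9-]+\.amazonaws\.com$")


def integration_uri(appsync_host):
    """Return https://<host>/{proxy}; API Gateway fills {proxy} from the
    /{proxy+} path parameter of the matched route."""
    if not APPSYNC_HOST_RE.match(appsync_host):
        raise ValueError("not an AppSync GraphQL host: %r" % appsync_host)
    return "https://%s/{proxy}" % appsync_host


def build_appsync_proxy_template(appsync_host, domain_name):
    """Build the template as a dict (json.dumps it to deploy)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            # ACM certificate for domain_name, in the same region as the API
            "CertificateArn": {"Type": "String"},
            "HostedZoneId": {"Type": "AWS::Route53::HostedZone::Id"},
        },
        "Resources": {
            "ProxyApi": {
                "Type": "AWS::ApiGatewayV2::Api",
                "Properties": {"Name": "appsync-proxy",
                               "ProtocolType": "HTTP"},
            },
            "ProxyIntegration": {
                "Type": "AWS::ApiGatewayV2::Integration",
                "Properties": {
                    "ApiId": {"Ref": "ProxyApi"},
                    "IntegrationType": "HTTP_PROXY",
                    "IntegrationMethod": "ANY",
                    "IntegrationUri": integration_uri(appsync_host),
                    "PayloadFormatVersion": "1.0",
                },
            },
            "ProxyRoute": {
                "Type": "AWS::ApiGatewayV2::Route",
                "Properties": {
                    "ApiId": {"Ref": "ProxyApi"},
                    "RouteKey": "ANY /{proxy+}",
                    "Target": {"Fn::Sub": "integrations/${ProxyIntegration}"},
                },
            },
            "DefaultStage": {
                "Type": "AWS::ApiGatewayV2::Stage",
                "Properties": {"ApiId": {"Ref": "ProxyApi"},
                               "StageName": "$default",
                               "AutoDeploy": True},
            },
            "ProxyDomain": {
                "Type": "AWS::ApiGatewayV2::DomainName",
                "Properties": {
                    "DomainName": domain_name,
                    "DomainNameConfigurations": [{
                        "CertificateArn": {"Ref": "CertificateArn"},
                        "EndpointType": "REGIONAL",
                        "SecurityPolicy": "TLS_1_2",
                    }],
                },
            },
            "ProxyMapping": {
                "Type": "AWS::ApiGatewayV2::ApiMapping",
                "Properties": {"ApiId": {"Ref": "ProxyApi"},
                               "DomainName": {"Ref": "ProxyDomain"},
                               "Stage": {"Ref": "DefaultStage"}},
            },
            "ProxyDnsRecord": {
                "Type": "AWS::Route53::RecordSet",
                "Properties": {
                    "HostedZoneId": {"Ref": "HostedZoneId"},
                    "Name": domain_name,
                    "Type": "A",
                    "AliasTarget": {
                        "DNSName": {"Fn::GetAtt": ["ProxyDomain", "RegionalDomainName"]},
                        "HostedZoneId": {"Fn::GetAtt": ["ProxyDomain", "RegionalHostedZoneId"]},
                    },
                },
            },
        },
    }


# Placeholder host from the answer above and a constructed domain name.
EXAMPLE_APPSYNC_HOST = "kkkkabcd1efgxyzeabcdefg4.appsync-api.us-east-1.amazonaws.com"
EXAMPLE_DOMAIN = "graphql.example.com"

if __name__ == "__main__":
    print(json.dumps(build_appsync_proxy_template(
        EXAMPLE_APPSYNC_HOST, EXAMPLE_DOMAIN), indent=2))
```

Two points worth knowing before relying on this: the HTTP_PROXY integration forwards the client's request headers, so callers keep authenticating to AppSync with their own x-api-key or Authorization header and the proxy adds no credentials of its own; and this route carries only HTTP, so AppSync subscriptions, which use the separate real-time WebSocket endpoint, are not covered by it.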

AWS secure REST API with mutual authentication

I want to secure a REST API with mutual authentication on AWS. This means, only clients with a specific client certificate should be able to access the API. What is the best way to secure a REST API on AWS with mutual authentication?
I know there is client certificate support for API Gateway, but this is not what I am looking for. As far as I understand, this only authenticates API Gateway against the backend and is not able to authenticate clients to API Gateway.
Is API Gateway, a load balancer or any other AWS product able to do mutual authentication to secure a REST API, or do I need to implement this on my own?
You'll have to do this on your servers.
None of the services that terminate TLS and forward requests or connections to your app tier -- Elastic Load Balancers (Classic, Application, and Network), CloudFront, or API Gateway -- support TLS mutual auth.
Of course, a Network Load Balancer without TLS termination or a Classic Load Balancer in TCP mode will pass-through your payload, whatever it is, so either of these can be used in front of your servers, but the servers will need to handle all the TLS.
Also, your conclusion is correct that API Gateway's client certificates are not what you are looking for. They work as you described them.
As of 17th September, 2020, support for Mutual Authentication using TLS is available on AWS API Gateway: https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/ . It can be used to authenticate clients calling an API on API Gateway.
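With mutual TLS enabled on the custom domain, API Gateway verifies that the presented client certificate chains to the truststore before the request reaches any code, and exposes the certificate's fields to a REST API REQUEST authorizer under requestContext.identity.clientCert. What API Gateway does not do is consult a CRL or OCSP, and it treats every certificate from the truststore's CAs alike; the following added example (not code from the answers above) is a Lambda authorizer that layers the per-client decisions on top: pin the issuer, allow-list subject DNs, and deny serial numbers revoked since the truststore was published. The DNs, serial numbers, sample event and method ARN are constructed placeholders.

```python
"""Lambda REQUEST authorizer for a REST API behind API Gateway mutual TLS.

Added example, not from the original answers. API Gateway has already
checked that the client certificate chains to the truststore; this code adds
issuer pinning, a subject allow-list and a serial-number revocation list,
since API Gateway does not consult a CRL or OCSP itself. The DNs, serials
and ARN below are constructed placeholders.
"""

# Constructed placeholders for the allow and revocation lists.
EXPECTED_ISSUER_DN = "CN=Example Client CA,O=Example Corp,C=US"
ALLOWED_SUBJECT_DNS = {
    "CN=partner-a,O=Example Corp,C=US",
    "CN=partner-b,O=Example Corp,C=US",
}
REVOKED_SERIALS = {"1a2b3c"}  # normalized: lowercase hex, no colons or leading zeros


def normalize_serial(serial):
    """Canonical form for serials that may arrive with colons, upper-case
    hex digits or leading zeros."""
    digits = serial.replace(":", "").strip().lower().lstrip("0")
    return digits or "0"


def evaluate_client_cert(cert):
    """Return (allowed, reason). Every failure path is explicit so the
    decision fails closed on a missing or unexpected certificate."""
    if not cert:
        return False, "no client certificate in request context"
    if cert.get("issuerDN") != EXPECTED_ISSUER_DN:
        return False, "issuer not pinned"
    subject = cert.get("subjectDN", "")
    if subject not in ALLOWED_SUBJECT_DNS:
        return False, "subject not allow-listed"
    if normalize_serial(cert.get("serialNumber", "")) in REVOKED_SERIALS:
        return False, "certificate revoked"
    return True, subject


def build_policy(principal_id, effect, method_arn, reason):
    """IAM policy document in the shape a REST API authorizer must return."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        # Available to the integration as $context.authorizer.reason
        "context": {"reason": reason},
    }


def handler(event, context=None):
    """Authorizer entry point for a REST API REQUEST authorizer."""
    cert = (event.get("requestContext", {})
                 .get("identity", {})
                 .get("clientCert"))
    allowed, reason = evaluate_client_cert(cert)
    method_arn = event.get("methodArn", "*")
    if allowed:
        # The subject DN becomes the principal the backend sees
        return build_policy(reason, "Allow", method_arn, "mtls-ok")
    return build_policy("anonymous", "Deny", method_arn, reason)


def sample_event(subject_dn, serial):
    """Constructed event in the shape API Gateway passes to a REQUEST
    authorizer when mutual TLS is enabled on the custom domain."""
    return {
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcde12345/prod/GET/orders",
        "requestContext": {"identity": {"sourceIp": "203.0.113.10", "clientCert": {
            "clientCertPem": "<pem omitted in this constructed sample>",
            "subjectDN": subject_dn,
            "issuerDN": EXPECTED_ISSUER_DN,
            "serialNumber": serial,
            "validity": {"notBefore": "Jan  1 00:00:00 2024 GMT",
                         "notAfter": "Jan  1 00:00:00 2026 GMT"},
        }}},
    }


if __name__ == "__main__":
    print(handler(sample_event("CN=partner-a,O=Example Corp,C=US", "0A:0B:0C")))
    print(handler(sample_event("CN=partner-a,O=Example Corp,C=US", "00:1A:2B:3C")))
```

Returning a Deny policy yields a 403 to the caller; raising an exception with the message "Unauthorized" from the handler would instead produce a 401. If authorizer caching is on, make the identity source something that differs per client certificate, otherwise a cached Allow for one subject can be served to another.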

How to call webservice with self signed certificate from AWS API gateway?

My client has an already developed (and frozen) web service which is secured with a self-signed certificate. I have configured AWS API Gateway to get rid of the CORS issue. When I try to call any endpoint of the web service via AWS API Gateway, I get an HTTP 500 Internal Server Error. Until the client web service was secured with a self-signed certificate, the HTTP-based endpoints were accessible via AWS API Gateway.
What are ways to still call the web service endpoints?
API Gateway will fail on self-signed certificates for http(s) backend integrations.
If you use the test functionality on the API GW, you will see an error in the logs that it shows on the right, about either an SSL Engine Problem or a Bad Certificate.
If your backend is already in AWS and fronted by a load balancer, you can consider using free certificates from ACM.
Or you can consider using an NLB that the API Gateway can talk to. Using the NLB you can have your backend APIs in a VPC with no public access and still have API GW talk to them.
Edit: For some reason I am not able to link correctly. Here are some links on ACM and NLB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html