I am working on doing an end-to-end encryption of data transfer between server and client..
Without touching the application code, can I add this as a layer in the API Gateway using some additional side car like Lambda ?
I am on AWS.
You can't really do a sidecar Lambda in API Gateway. What you could do is send all your API Gateway traffic to Lambda, which could then issue requests to the backend application, obtain the results, and then encrypt the results before returning the response to API Gateway.
Related
I'm looking after solution where AWS Api Gateway changes method endpoint Url dynamically.
I am familiar with stage variables and in Integration request I can change endpoint per method like (https://${stageVariables.Url}/api/DoSomething).
What I need is that information how parse endpoint is included in requests.
https://${RequestData.Url}/api/DoSomething
I have same Api in different locations and to implement centralized Api keys and logging services I try to forward all traffic through this one Api Gateway.
After first request client gets its endpoint information, but I don't know how to solve that clients next requests to Gateway should forward to that endpoint which client get earlier.
I got an answer from AWS support. They told that I have to make a lambda function to process all requests or just use Stage variables.
I'm not able to find any documentation about intercepting all HTTP requests passing through AWS API Gateway.
I'm trying to propose a Logging service for the backend APIs deployed on AWS API Gateway. The idea is all the HTTP requests will go through the API Gateway. If I'm able to intercept the request going through API Gateway, I can hook the logging service code.
The reason for this approach is, the logging code will be independent of the actual service code and service code won't have to be updated to include logging of request / response.
Any solutions for this?
You can put CloudFront in front of your API Gateway and then use Lambda#Edge Viewer Request to intercept all requests; we do this for logging for certain functions and it works flawlessly.
This is a good tutorial on how to setup API Gateway with CloudFront
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudfront-distribution/
It seems Claudia-bot-builder's intercept method will help you to intercept the API gateway requests. You can trigger an event for requests hitting to the API gateway.
`api.intercept(function (event) { ... });`
I have a task to replace current CA layer 7 with new API gateway.
New API gateway should be able to handle
1. Rate limiting
2. Authentication
3. Version handling etc.,
After researching i found we could use AWS api gateway or Kong api gateway or AWS ALB with Cognito for authentication support.
This is so overwhelming to understand the basic differences, could you please give some insight on basic concept in simple words and some pointers or link that i should refer to start with.
API Gateway keep track of every deploy you make in the Deployment History tab. There you will find all versions of your API and you can change to any of them whenever you want.
You can also create your api gateway from a Swagger file.
For every method that you create for a resource you need to configure the Method Request, the Integration Request, the Integration Response and the Method Response.
The Integration Request is where everything happens. You will set there how you are going to handle your requests, if you are going to integrate with any aws service like firehose or if you are going for a lambda integration or with an existing HTTP endpoint.
Mapping Templates uses Apache Velocity Template Language (VTL). http://velocity.apache.org/engine/1.7/vtl-reference.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
Getting started with REST apis:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
API GATEWAY INTEGRATION TYPES:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-integration-types.html
How to import a rest api:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-import-api.html
Limits and known issues:
https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html
Deploying:
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api.html
Publish:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-publish-your-apis.html
AWS API Gateways supports lambda authoriser for authentication which is integrated with any identity provider - Azure AD, Cognito pool etc. It supports both Client Credentials (service to service) authentication and Authentication code(user based authentication) but AWS ALB don't support client credentials authentication flow.
AWS API Gateway also provides caching, request & response mapping, customise handling for each response type, request validation, throttling where AWS ALB is yet to be improved for all these feature.
Kong api gateway also provide similar feature as AWS API Gateway with added features
If all the backend services are deployed in AWS and you don't need
complex API gateway then go for AWS API Gateway. It is pay per use service and you don't need to pay for extra support for API gateway assuming your services are already deployed in AWS.
If you need api gateway solution with complex requirement and extra features then Kong API gateway can be considered. But you will need to either pay for Kong API gateway support or need extra effort in coding when used open source.
AWS ALB can be used only for specific scenarios and it is getting matured day by day.
I have created self client certificate within API Gateway. I would like my lambda to validate before processing the request from API Gateway (Configure Backend to Authenticate API).
API Gateway allows us to copy the certificate to clipboard. Which we can save as var or file to be read within Nodejs Lambda function, authenticate and proceed further.
Do we have examples?
API Gateway is invoking your AWS Lambda function via the the Lambda Invoke method in the AWS API. Your Lambda function isn't a web server, so it isn't receiving a direct HTTPS request from API Gateway, so it isn't going to receive the HTTPS client certificate.
I would question the need for this anyway. Your API Gateway should be using an IAM role to invoke the Lambda function. That's the mechanism you would use to make sure only API Gateway has access to invoke your Lambda function. The client-certificate is for web servers running behind API Gateway that don't use IAM for authentication.
I created an API with AWS API Gateway. This API provides a method that calls an AWS Lambda function. When I call this API method manually using a REST client, it works properly, and the Lambda function is called.
I also have a device that periodically pushes some data to a server via HTTP(S). When configured to push data to a HTTPS server running on an EC2 instance, it works properly. But when I configure the device to push data to API Gateway, the Lambda function is never called.
I tried sniffing the traffic via WireShark, and I can see that requests are indeed sent by the device and that the API responds, but I can't view the contents of the requests and responses since they are encrypted. My guess is that API Gateway returns somme kind of error that prevents the Lambda to be called. Unfortunately, the device does not provide any logs. Is there any way on AWS side to see what is going on?
Enable CloudWatch Logs for API Gateway: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/