I have created a private subnet in a VPC with a couple of private RDS databases and microservices to retrieve and handle requests from a React dashboard deployed using AWS Amplify.
While I can use security groups to restrict access to different private subnet resources, I am having difficulty creating a secure connection between the Amplify front end and the Private VPC backend.
I have used AWS API gateway service to route requests to the subnet microservice.
I have spoken to a solution architect who suggested a VPC endpoint could solve the problem, but it seems that this just helps with internal communication within the private VPC.
I have tried creating an HTTP API VPC link, but I am not sure how to test if it is working.
I have tried creating a REST API VPC link but I am having difficulty setting up a working network load balancer to connect it to.
I would appreciate any suggestions on how to set up a secure connection.
The short answer is you can't connect your front-end, which sits in your user's browser, directly to backend resources on a private subnet. What Amplify does is use CloudFront to distribute your React front end to user browsers. It's not responsible for helping the front-end communicate with other non-Amplify related back-end services.
You could consider the following instead:
You will need to connect to the private service in your private subnet via a public endpoint on a public subnet.
The front end code (from the user browser or mobile app) will send a request to this public endpoint along with an authorization token (after user authentication).
This public endpoint, which will receive the request via an Application Load Balancer or API Gateway, will then relay the user request to the RESTful services sitting in your private subnet.
I also recommend you develop a RESTful backend service to handle R/W requests to the database.
For secure communication, you can allow only HTTPS requests to keep user traffic encrypted. Hope this helps.
Using AWS Direct Connect, we've built a network between our on-premise and our AWS VPC. We've developed a web application that users will access from within the on-prem network. We're using the HTTP API Gateway, which uses a VPC Link to connect to the private ALB. We've used a Custom Domain Name with the HTTP API Gateway and disabled the default endpoint. The domain name is registered in a private hosted zone on Route 53.
We want to keep all the traffic between the clients and the API Gateway within our private network. However, we can see that the requests going to the HTTP API Gateway leave our network because the custom domain name for the API Gateway resolves to a public IP address.
Is there a way to assign a private IP address to the HTTP API Gateway? Or any other way to keep the traffic within our network?
One option is to switch to the REST API Gateway and make its endpoint type Private. However, the HTTP API Gateway suits our needs much better with its simplicity. It also has the option for connectivity to an ALB using VPC Link, which the REST Gateway lacks.
Sadly no, HTTP APIs do not support Private APIs. Whatever solution you use, the HTTP API endpoint must be public.
You have to use REST API, or create your own fully custom solution if REST API is out of the question.
I want to provide an update to this topic.
AWS updated its product and private endpoints are available right now.
AWS - Private API endpoint
There are also a couple of examples out there for CDK, CloudFormation or the management console.
I hope this helps.
I have a Django server running on an EC2 machine, which also serves the UI built by Vue.js. For authentication and user management-related stuff, I have introduced Cognito service. I am using Cognito hosted UI as well for login, sign up, etc. I am also using API Gateway to make sure the Django REST APIs cannot be accessed without authentication.
There are two Routes in my API Gateway:
/api/{x}: this is for REST calls and is authorized by Cognito using a Bearer token.
A route with a wildcard for the rest of the UI-related URLs (these are not authorized).
Both the Routes are integrated with the Django server running on the EC2 machine.
Things are working perfectly when I invoke the API Gateway URL. The Cognito integration is working like a gem. But the problem is that when I access the Django server using the public IP of the EC2 machine, I can call the REST APIs without authentication.
This is where I am getting stuck. How to overcome this kind of scenario? How can I restrict access by public IP? Or, is there a better approach that I should follow?
I am very much new to AWS. Any suggestion from your end is welcome.
You could eliminate public access to your Django EC2 instance by restricting the web traffic in the EC2 security group attached to the instance. Then create a network load balancer in the same VPC as your instance and allow web traffic to your Django instance from the subnets associated with the VPC via your security group.
Finally, create a VPC link for the API Gateway which uses the newly created NLB as an endpoint. This would allow the API Gateway to route inbound requests to the EC2 instance via the linked network load balancer (enforcing your Cognito authentication), while preventing internet traffic at large from reaching the EC2 instance without being forwarded via API Gateway.
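As an added example (not code from either answer), the following CloudFormation fragment wires up the design that this answer and the first answer on this page both describe: a security group that only admits traffic from inside the VPC, an internal NLB in front of the instance, an HTTP API VPC link, and a proxy integration through it. The parameter names, the Django port 8000 and the VPC CIDR are assumptions; the HTTP API and the EC2 instance are assumed to already exist.

```yaml
# Added example: restrict the instance to in-VPC traffic, front it with an
# internal NLB, and let API Gateway in only through an HTTP API VPC link.
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  VpcCidr: { Type: String, Default: 10.0.0.0/16 }      # assumed VPC range
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }
  DjangoInstanceId: { Type: AWS::EC2::Instance::Id }   # existing EC2 instance
  HttpApiId: { Type: String }                          # existing HTTP API
Resources:
  # Attach this group to the instance instead of any group open to 0.0.0.0/0;
  # port 8000 is the assumed Django port, reachable only from VPC addresses.
  DjangoSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Django reachable only from inside the VPC
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 8000, ToPort: 8000, CidrIp: !Ref VpcCidr }
  Nlb:   # internal scheme: the balancer itself gets no public address
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Type: network, Scheme: internal, Subnets: !Ref PrivateSubnetIds }
  DjangoTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 8000
      TargetType: instance
      Targets: [ { Id: !Ref DjangoInstanceId } ]
  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 80
      DefaultActions: [ { Type: forward, TargetGroupArn: !Ref DjangoTargets } ]
  # ENIs through which API Gateway (after the Cognito authorizer) reaches the NLB
  DjangoVpcLink:
    Type: AWS::ApiGatewayV2::VpcLink
    Properties: { Name: django-vpc-link, SubnetIds: !Ref PrivateSubnetIds }
  DjangoIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref HttpApiId
      IntegrationType: HTTP_PROXY
      IntegrationMethod: ANY
      ConnectionType: VPC_LINK
      ConnectionId: !Ref DjangoVpcLink
      IntegrationUri: !Ref NlbListener    # the listener ARN, not a URL
      PayloadFormatVersion: "1.0"
```

Once the old, internet-open security group is detached from the instance, a curl to the instance's public IP should time out while the same path through the API Gateway URL still works with a valid token.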
I have a Slack bot which is running on an EC2 instance in a VPC.
The VPC/API Gateway is supposed to only be exposed to Slack (for Slack event listening); it's not supposed to be publicly accessible.
How would I filter based on slack's DNS? https://api.slack.com/robots
I saw that API Gateway has resource policies; however, they are only IP, AWS account or VPC based.
Any other AWS services that can help?
If the only reason you're exposing it to the web is for Slack to access it, then you could try using Socket Mode, which pushes all the Slack traffic to websockets, meaning you don't need a public endpoint anymore.
What is the difference between PrivateLink and VPC endpoint? As per the documentation it seems like VPC endpoint is a gateway to access AWS services without exposing the data to the internet. But the definition of AWS PrivateLink also looks similar.
Reference Link:
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html
Is PrivateLink a superset of VPC endpoint?
It would be really helpful if anyone provides the difference between these two with examples!
Thanks in Advance!
AWS defines them as:
VPC endpoint — The entry point in your VPC that enables you to connect privately to a service.
AWS PrivateLink — A technology that provides private connectivity between VPCs and services.
So PrivateLink is a technology allowing you to privately (without Internet) access services in VPCs. These services can be your own, or provided by AWS.
Let's say that you've developed some application and you are hosting it in your VPC. You would like to enable access to this application to services in other VPCs and other AWS users/accounts. But you don't want to set up any VPC peering nor use Internet for that. This is where PrivateLink can be used. Using PrivateLink you can create your own VPC endpoint services which will enable other services to use your application.
In the above scenario, a VPC interface endpoint is a resource that users of your application would have to create in their VPCs to connect to your application. This is the same as when you create a VPC interface endpoint to access AWS-provided services privately (no Internet), such as Lambda, KMS or SMS.
There are also Gateway VPC endpoints, which are an older technology, replaced by PrivateLink. Gateways can only be used to access S3 and DynamoDB, nothing else.
To sum up, PrivateLink is a general technology which can be used by you or AWS to allow private access to internal services. A VPC interface endpoint is a resource that the users of such VPC services create in their own VPCs to interact with them.
Suppose there is a website xyz.com that I am hosting on a bunch of EC2 instances, exposed to the outside world through a Network Load Balancer.
Now, a client who has his/her own AWS account wants to access this xyz.com from an EC2 instance running in their AWS account.
One approach is to go through the Internet.
However the client wants to avoid the internet route.
He/she wants to use the AWS backbone to reach xyz.com.
The technology that enables that is AWS PrivateLink. (Note that if you search for PrivateLink in the AWS services, there will be none. You will get "Endpoint services" as the closest hit.)
So, this is how to route traffic through the AWS backbone:
1. I, the owner of xyz.com, will create a VPC Endpoint Service (NOTE the keyword Service here).
2. The VPC Endpoint Service will point to my Network Load Balancer.
3. I will then give my VPC Endpoint Service name to the client.
4. The client will create a VPC Endpoint (NOTE: this is different from #1).
5. While creating it, the client will specify the VPC Endpoint Service name (from #1) that he got from me.
6. I can choose to be prompted to accept the connection from the client to my VPC Endpoint Service.
7. As soon as I accept it, the client can reach xyz.com from his/her EC2 instance.
There is no Internet, no Direct Connect or VPN... this simply works, and it's secure.
And which technology enabled it? AWS PrivateLink!!!
PRIVATE LINK IS THE ONLY TECHNOLOGY THAT ALLOWS 2 VPCS TO CONNECT THAT HAVE OVERLAPPING CIDR RANGES.
A useful way to understand the differences is in how they technically connect private resources to public services.
Gateway Endpoints route traffic by adding prefix lists within a VPC route table which target the Gateway endpoint. It is a logical gateway object similar to an Internet Gateway.
In contrast, an Interface Endpoint uses PrivateLink to inject into a VPC at the subnet level, via an Elastic Network Interface (ENI), giving network interface functionality, and therefore DNS and private IP addressing, as a means to connect to AWS public services, rather than simply being routed to it.
The differences in connections offer differing advantages and disadvantages (availability, resiliency, access, scalability, etc.), which then dictate how best to connect private resources to public services.
PrivateLink is simply a very much abstracted technology to allow a more simplified connection by using DNS. The following AWS re:Invent talk offers a great overview of PrivateLink: https://www.youtube.com/watch?v=abOFqytVqBU
As you correctly mentioned in the question, both VPC endpoints and AWS PrivateLink do not expose traffic to the internet. On the AWS console under VPC, there is a clear option available to create an endpoint. But there is no option/label to create AWS PrivateLink. Actually, there is one more option/label called endpoint service. Creating an endpoint service is one way to establish AWS PrivateLink. At one side of this AWS PrivateLink is your endpoint service and at the other side is your endpoint itself. And interestingly we create both these sides in two different VPCs. In other words, you are connecting two VPCs with this private link (instead of using the internet or VPC peering).
Understand it like this:
VPC1 got endpoint service ----> private link -----> VPC2 got endpoint
Here the endpoint service side is the service provider while the endpoint is the service consumer. So when you have some service (maybe some application or software) that you think other VPC endpoints can consume, you create an endpoint service at your end and consumers will create endpoints at their end. When consumers create endpoints at their end they have to give/select your service name and thus the private link will be established with your service.
Ultimately you can have multiple consumers of your service, just like a one-to-many relationship.
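The provider/consumer pair that the xyz.com walkthrough and the answer just above describe, as an added example in CloudFormation (not code from either answer). It is two separate templates, one per account; the parameter names and the consumer CIDR 10.50.0.0/16 are assumptions, and the NLB fronting xyz.com is assumed to already exist.

```yaml
# Added example: provider publishes its NLB as an endpoint service (PrivateLink),
# consumer creates an interface endpoint against the resulting service name.
# --- Provider account template ---
Parameters:
  XyzNlbArn: { Type: String }                  # existing Network Load Balancer
  ConsumerAccountId: { Type: String }          # the client's AWS account
Resources:
  XyzEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns: [ !Ref XyzNlbArn ]
      AcceptanceRequired: true   # owner approves each consumer connection
  # Only this principal may even request a connection; anyone else is refused
  XyzServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref XyzEndpointService
      AllowedPrincipals: [ !Sub "arn:aws:iam::${ConsumerAccountId}:root" ]
Outputs:
  ServiceName:   # hand this string to the consumer; it is the only thing shared
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${XyzEndpointService}"
---
# --- Consumer account template (VPC CIDR may overlap with the provider's) ---
Parameters:
  ConsumerVpcId: { Type: AWS::EC2::VPC::Id }
  ConsumerSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }
  ServiceName: { Type: String }   # value of the provider's ServiceName output
Resources:
  EndpointSecurityGroup:   # which consumer hosts may talk into the endpoint ENIs
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS to the xyz.com PrivateLink endpoint
      VpcId: !Ref ConsumerVpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 10.50.0.0/16 }
  XyzEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: !Ref ConsumerVpcId
      ServiceName: !Ref ServiceName
      SubnetIds: !Ref ConsumerSubnetIds
      SecurityGroupIds: [ !Ref EndpointSecurityGroup ]
```

After the consumer stack creates its endpoint, the connection stays pending until the provider accepts it, as the walkthrough above describes; until then nothing flows, and the consumer's security group is what limits which of its own hosts can use the link afterwards.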
I have created a public AWS API Gateway which I have tested and it works with an app deployed locally and with curl.
But when I deploy the app on an EC2 instance in a VPC it cannot query that public API; I get 403 Forbidden.
Is there any reason why I cannot query this API?
From more debugging I did, I created another private API which I can access from the EC2 instance behind the VPC and everything works fine.
I also tried running some curl requests to another public API and that works.
It seems my issue is with accessing a public regional AWS API Gateway from a VPC.
You may be running into the issue described here: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/
Based on the comments, the issue was that access to the regional API was blocked by the VPC interface gateway. As explained there, the presence of the gateway is going to block access to regional and edge APIs.
The solution for now is to use a private API Gateway endpoint:
An API endpoint that is exposed through interface VPC endpoints and allows a client to securely access private API resources inside a VPC. Private APIs are isolated from the public internet, and they can only be accessed using VPC endpoints for API Gateway that have been granted access.
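As an added example (not from the answer above), a CloudFormation fragment for the private API Gateway endpoint the answer recommends: a REST API of endpoint type PRIVATE, tied to the execute-api interface endpoint in the VPC and carrying the resource policy a private API needs before it will accept any call. The endpoint id vpce-0123456789abcdef0 is a placeholder.

```yaml
# Added example: private REST API reachable only through one execute-api
# interface endpoint. The endpoint id below is a placeholder, not a real one.
Parameters:
  ExecuteApiEndpointId: { Type: String, Default: vpce-0123456789abcdef0 }
Resources:
  PrivateApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: private-backend-api
      EndpointConfiguration:
        Types: [ PRIVATE ]
        VpcEndpointIds: [ !Ref ExecuteApiEndpointId ]
      # A private API rejects every request until a resource policy grants
      # access: deny anything not arriving via our endpoint, allow the rest.
      Policy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringNotEquals: { "aws:SourceVpce": !Ref ExecuteApiEndpointId }
          - Effect: Allow
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
```

The same interface endpoint that the answer says blocks calls to the public regional API is the one this private API is reached through, so the 403 from the EC2 instance goes away without opening the API to the internet.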