Using Cognito for a Django server via API Gateway

I have a Django server running on an EC2 machine, which also serves the UI built by Vue.js. For authentication and user management-related stuff, I have introduced Cognito service. I am using Cognito hosted UI as well for login, sign up, etc. I am also using API Gateway to make sure the Django REST APIs cannot be accessed without authentication.
There are two Routes in my API Gateway:
/api/{x}: this is for REST calls, and it is authorized by Cognito using a Bearer token.
A route with a wildcard for the rest of the UI-related URLs (those are not authorized).
Both the Routes are integrated with the Django server running on the EC2 machine.
Things are working perfectly when I invoke the API Gateway URL. The Cognito integration is working like a gem. But the problem is: when I try to access the Django server using the public IP of the EC2 machine, I can call the REST APIs without authentication.
This is where I am getting stuck. How to overcome this kind of scenario? How can I restrict access by public IP? Or, is there a better approach that I should follow?
I am very much new to AWS. Any suggestion from your end is welcome.

You could eliminate public access to your Django EC2 instance by restricting the web traffic in the EC2 security group attached to the EC2 instance. Then create a network load balancer in the same VPC as your instance and allow web traffic to your Django instance from the subnets associated with the VPC via your security group.
Finally, create a VPC link for the API Gateway which uses the newly created NLB as an endpoint. This would allow the API Gateway to route requests inbound to the EC2 instance via the linked network load balancer (enforcing your Cognito authentication), while preventing internet traffic at large from reaching the EC2 instance without being forwarded via API Gateway.
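The setup described in this answer, written out as a CloudFormation template. This is an added example, not code from the answer or from the asker's project. It assumes an HTTP API (API Gateway v2, which is what the question's "Routes" and Bearer-token authorization correspond to), that Django listens on port 8000, and that the VPC, private subnets, instance and Cognito user pool already exist and are passed in as parameters; the parameter and resource names are made up for the example. The instance security group has no 0.0.0.0/0 rule, so direct calls to the public IP are dropped at the network layer while the VPC link still reaches the instance through the internal NLB.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - Django on EC2 reachable only via API Gateway (VPC link + NLB + Cognito JWT)
Parameters:
  VpcId:          { Type: AWS::EC2::VPC::Id }
  VpcCidr:        { Type: String, Default: 10.0.0.0/16 }   # assumed VPC range
  PrivateSubnets: { Type: List<AWS::EC2::Subnet::Id> }
  InstanceId:     { Type: AWS::EC2::Instance::Id }         # the Django host
  UserPoolId:     { Type: String }                         # existing Cognito user pool
  AppClientId:    { Type: String }                         # its app client (token audience)
Resources:
  # 1. Instance security group: port 8000 only from inside the VPC, no internet rule.
  DjangoSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Django app port, reachable only from inside the VPC
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 8000, ToPort: 8000, CidrIp: !Ref VpcCidr }
  # 2. Internal NLB in the same VPC, forwarding TCP/8000 to the instance.
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Type: network, Scheme: internal, Subnets: !Ref PrivateSubnets }
  DjangoTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 8000
      TargetType: instance
      Targets: [ { Id: !Ref InstanceId } ]
  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Port: 8000
      Protocol: TCP
      DefaultActions: [ { Type: forward, TargetGroupArn: !Ref DjangoTargets } ]
  # 3. VPC link: API Gateway's foothold inside the VPC.
  VpcLink:
    Type: AWS::ApiGatewayV2::VpcLink
    Properties: { Name: django-vpc-link, SubnetIds: !Ref PrivateSubnets }
  # 4. HTTP API: /api/* requires a Cognito JWT, everything else is passed through.
  HttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties: { Name: django-api, ProtocolType: HTTP }
  CognitoAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref HttpApi
      Name: cognito-jwt
      AuthorizerType: JWT
      IdentitySource: [ $request.header.Authorization ]
      JwtConfiguration:
        Audience: [ !Ref AppClientId ]
        Issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}
  NlbIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref HttpApi
      IntegrationType: HTTP_PROXY
      IntegrationMethod: ANY
      ConnectionType: VPC_LINK
      ConnectionId: !Ref VpcLink
      IntegrationUri: !Ref NlbListener   # private integrations target the listener ARN
      PayloadFormatVersion: '1.0'
  ApiRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref HttpApi
      RouteKey: ANY /api/{proxy+}
      AuthorizationType: JWT             # request is rejected before it reaches Django
      AuthorizerId: !Ref CognitoAuthorizer
      Target: !Sub integrations/${NlbIntegration}
  UiRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref HttpApi
      RouteKey: ANY /{proxy+}            # UI assets, unauthenticated as in the question
      Target: !Sub integrations/${NlbIntegration}
  DefaultStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties: { ApiId: !Ref HttpApi, StageName: $default, AutoDeploy: true }
```

Two things to verify after deploying: a request to `http://<public-ip>:8000/api/...` should now time out rather than return data (the security group has no internet rule; the instance can also have its public address removed entirely), and a request to the API's invoke URL under `/api/` without an `Authorization` header should return 401 from the gateway before anything is forwarded to the NLB. Because the wildcard UI route is left open, the Django process still receives unauthenticated traffic for non-`/api` paths, so URL prefixes must not overlap.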

Related

Connect AWS Amplify React Dashboard to backend services in private VPC

I have created a private subnet in a VPC with a couple of private RDS databases and microservices to retrieve and handle requests from a React dashboard deployed using AWS Amplify.
While I can use security groups to restrict access to different private subnet resources, I am having difficulty creating a secure connection between the Amplify front end and the Private VPC backend.
I have used AWS API gateway service to route requests to the subnet microservice.
I have spoken to a solution architect who suggested a VPC endpoint could solve the problem, but it seems that this just helps with internal communication within the private VPC.
I have tried creating an HTTP API VPC link, but I am not sure how to test if it is working.
I have tried creating a REST API VPC link but I am having difficulty setting up a working network load balancer to connect it to.
I would appreciate any suggestions on how to set up a secure connection.
The short answer is you can't connect between your front-end, which sits in your user's browser, directly with backend resources on a private subnet. What Amplify does is use CloudFront to distribute your React front end to user browsers. It's not responsible for helping the front-end communicate with other non-Amplify related back-end services.
You could consider the following instead:
You will need to connect to the private service in your private subnet via a public endpoint on a public subnet.
The front end code (from the user browser or mobile app) will send a request to this public endpoint along with an authorization token (after user authentication).
This public endpoint, which will receive the request via an Application Load Balancer or API Gateway, will then relay the user request to the RESTful services sitting in your private subnet.
I also recommend you develop a RESTful backend service to handle R/W requests to the database.
For secure communication, you can allow only HTTPS requests to keep user traffic encrypted. Hope this helps.

How to communicate between an EC2 backend and my ReactJS web app hosted in Firebase? (Using API calls)

I can't figure out how to make them talk using API calls. Previously I used API Gateways which would trigger Lambdas, and those Lambdas would interact with DynamoDB and other services and send me back a JSON response. Now I want to shift to EC2 instances and totally skip API Gateway usage, and let a server I run in EC2 do the computation for me. Do I need to deploy a web service (Django RESTful) in the EC2 instance and then call it from my frontend? If yes, I need a little guidance on how.
And suppose I want to access S3 storage from my Django RESTful service in EC2. Can I do it without having to enter the access key and ID, and use roles instead, just like how I would access S3 from the EC2 instance without an access key and ID? Traditionally with the SDK we have to use access keys and secret keys to even get authorized to use services, so I was wondering if there was a way to get over this since the program will be running in the EC2 instance itself. One really inefficient way would be to run a batch command that makes the EC2 instance interact with the services I need without the SDK and with roles instead, but it is really inefficient and too much work as far as I can see.
As you are familiar with API Gateway, you can use the same to connect to your EC2 instance via its private integration, with the use of VPC Links.
You can create an API Gateway API with private integration to provide your customers access to HTTP/HTTPS resources within your Amazon Virtual Private Cloud (Amazon VPC). Such VPC resources are HTTP/HTTPS endpoints on an EC2 instance behind a Network Load Balancer in the VPC.
You can go through this document for step by step integration.
If you do not want to use API Gateway any more, then you can simply use Route53 to route traffic to the EC2 instance; all you need is the IP address of the EC2 instance and a hosted zone created using Route53.
Here is a tutorial for your reference.

How to build an IAM authenticated VPC gateway on AWS?

I'm trying to expose an HTTP server to the internet. The server runs on a Fargate container inside a dedicated VPC. I could just expose it through a public Application Load Balancer (ALB) if it wasn't for the fact that requests to this server must be authenticated using IAM.
My approach was to put an AWS API Gateway v1 in front of the service's load balancer. This Gateway verifies authentication through IAM, then relays the request to a Network Load Balancer (NLB) using a VPC Link. The NLB in turn routes it to the server itself.
Here's the problem: API Gateway v1 does not support VPC Links to ALBs, only NLBs, but NLBs use TCP, while I'm exposing an HTTP server. This way I can't relay paths and other HTTP features through the Network Load Balancer.
API Gateway v2 does support VPC Links to ALBs, but it does not have a way to authenticate using IAM.
Is there any way to work around this problem?
I am not sure why you think API GTW 2 does not allow IAM authentication or where you got that from?
Can you put your CloudFormation here or point to a git so I can test it with a policy?
Can you put the link where it says that API GTW 2 does not support IAM Authorization?
The documentation clearly mentions that you can use IAM Authorizers?
https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/doc-history.html
Here is a blog that might help?
https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
You could go the long way and use a Cognito Pool, link that to your API GTW, if what you say is true.
https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/
Hope this helps; I'd be curious about your CloudFormation if you are willing to share.
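The configuration the reply is pointing at, as an added example (not the asker's template and not from the reply): an HTTP API (API Gateway v2) route protected with `AuthorizationType: AWS_IAM`, fronting an existing ALB through an existing VPC link, plus the IAM policy a caller needs. The VPC link ID, the ALB listener ARN and the resource names are assumed parameters for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - HTTP API with IAM authorization over a VPC link to an ALB
Parameters:
  ExistingVpcLinkId: { Type: String }   # HTTP API VPC link already created in the VPC (assumed)
  AlbListenerArn:    { Type: String }   # listener ARN of the ALB in front of the Fargate service (assumed)
Resources:
  Api:
    Type: AWS::ApiGatewayV2::Api
    Properties: { Name: iam-protected-api, ProtocolType: HTTP }
  AlbIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref Api
      IntegrationType: HTTP_PROXY       # path, method, headers and body are carried through
      IntegrationMethod: ANY
      ConnectionType: VPC_LINK
      ConnectionId: !Ref ExistingVpcLinkId
      IntegrationUri: !Ref AlbListenerArn
      PayloadFormatVersion: '1.0'
  ProtectedRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref Api
      RouteKey: ANY /{proxy+}
      AuthorizationType: AWS_IAM        # every request must carry a valid SigV4 signature
      Target: !Sub integrations/${AlbIntegration}
  DefaultStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties: { ApiId: !Ref Api, StageName: $default, AutoDeploy: true }
  # Attach this policy to the roles or users that are allowed to call the API.
  InvokePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allow invoking every method and path of the IAM-protected API
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: execute-api:Invoke
            Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/*/*/*
Outputs:
  InvokeUrl: { Value: !GetAtt Api.ApiEndpoint }
```

An unsigned request to the invoke URL is answered with 403 by the gateway itself, so the ALB and the Fargate task never see it; a request signed with credentials that carry `InvokePolicy` is forwarded with its original path, which is the HTTP feature the NLB-based variant in the question could not preserve.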

Secure REST server on EC2 instance

I have a Python server (basic REST API) running on an AWS EC2 instance. The server supplies the data for a mobile application. I want my mobile app to connect to the python server securely over HTTPS. What is the easiest way that I can do this?
Thus far, I've tried setting up an HTTP/HTTPS load balancer with an Amazon certificate, but it seems that the connection between the ELB and the EC2 instance would still not be totally secure (HTTP in a VPC).
When you are securing access to a REST API in an EC2 instance, there are several considerations you need to look into:
Authentication & Authorization.
Monitoring of API calls.
Load balancing & life cycle management.
Throttling.
Firewall rules.
Secure access to the API.
Usage information by consumers & etc.
Several considerations are mandatory to secure a REST API, such as:
Having SSL for communication (Note: here SSL termination at the AWS Load Balancer level is accepted, since from there onwards the traffic goes within the VPC and can also be hardened using Security Groups.)
If you plan on getting most of the capabilities around REST APIs stated above, I would recommend proxying your service in EC2 through AWS API Gateway, which will provide most of the capabilities out of the box.
In addition you can configure AWS WAF for additional security at the Load Balancer (supports AWS Application Load Balancer).
You can leverage some of the AWS services to handle these.
Question answered in the comments.
It's fine to leave traffic between ELB and EC2 unencrypted as long as they are in the same VPC and the security group for the EC2 instance(s) is properly configured.

What is the firewall rule to restrict access to external web api calls running on AWS EC2 instance

I am new on AWS. I've been hosting an ASP.NET Web API on an AWS EC2 instance. I would like to access this web API securely through AWS API Gateway. I configured the AWS API Gateway service successfully; however, the EC2 instance accepts and responds to external API requests which are coming directly from the internet.
My web API should only accept and respond to AWS API Gateway requests.
What is the correct firewall rule(s) in the security group of my EC2 instance? Or do I need to create a policy for an AWS IAM user?
This configuration shouldn't restrict AWS internal traffic, in order to allow AWS API Gateway requests.
Thanks
You need to assign your EC2 instance to a security group, and configure the security group with inbound rules, which will allow you to whitelist IP ranges, ports, protocols, etc.