We have implemented a WebSocket server which is running on an EC2 machine, and via the public IP it is working fine.
We want to map this WebSocket path with API Gateway so that our public IP will not be visible to others and we can run it in the same manner in which we are running our other APIs, which are based on the HTTP protocol.
But the problem is we don't have any idea how to map an external WebSocket address with API Gateway.
You can map the WebSocket endpoint using the http(s) protocol in your API Gateway and enable session stickiness in your load balancer.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html
Related
I want to hide the client IP from the HTTP endpoint proxied using AWS API Gateway. I don't have in-depth knowledge of API Gateway. Is it possible to hide the source IP from the target?
I am using an AWS API Gateway WebSocket endpoint and I see there are two endpoints created after deploy. One is https, the other is wss. I can use a WebSocket client to connect to my service via the WebSocket endpoint. I wonder why it creates an https endpoint.
I think this is to use @connections commands in your backend service.
With the https endpoint:
Your backend service can use the following WebSocket connection HTTP requests to send a callback message to a connected client, get connection information, or disconnect the client.
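As an added example (not part of the answer above or of any AWS library), here is how a backend typically uses that second, https endpoint: it is the `@connections` management API for the same deployment, reached at the wss:// URL with the scheme changed to https://. The helpers below derive that URL, map the three management actions to their HTTP verbs, and show a push to a client with boto3; the API ID, region, stage and connection ID are constructed placeholders.

```python
"""
Added example: using the https:// '@connections' endpoint that API Gateway
creates alongside the wss:// endpoint of a WebSocket API.  Clients connect to
wss://; the backend calls https:// to push to, inspect, or disconnect them.
All host names and IDs below are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, quote

# HTTP verb used on /@connections/{connectionId} for each management action.
ACTION_METHODS = {
    "send": "POST",         # push a message to the connected client
    "info": "GET",          # connection metadata (source IP, connect time)
    "disconnect": "DELETE", # close the client's socket from the backend
}


def management_endpoint(wss_url: str) -> str:
    """Derive the https:// management base URL from the deployed wss:// URL.
    e.g. wss://abc123.execute-api.eu-west-1.amazonaws.com/prod
      -> https://abc123.execute-api.eu-west-1.amazonaws.com/prod
    """
    parts = urlsplit(wss_url)
    if parts.scheme != "wss":
        raise ValueError("expected a wss:// API Gateway WebSocket URL")
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/"), "", ""))


def connection_request(wss_url: str, connection_id: str, action: str):
    """Return (method, url) for one management call on a single connection."""
    if action not in ACTION_METHODS:
        raise ValueError(f"unknown action {action!r}")
    # Connection IDs usually end in '=' and must be percent-encoded in the path.
    path = quote(connection_id, safe="")
    return ACTION_METHODS[action], f"{management_endpoint(wss_url)}/@connections/{path}"


def push_to_client(wss_url: str, connection_id: str, payload: bytes) -> bool:
    """Send payload to one client; returns False if the client already left.
    The caller needs AWS credentials allowed execute-api:ManageConnections on
    this API (the calls are SigV4-signed like any other AWS API request).
    """
    import boto3  # imported here so the pure helpers above work without boto3

    client = boto3.client("apigatewaymanagementapi",
                          endpoint_url=management_endpoint(wss_url))
    try:
        client.post_to_connection(ConnectionId=connection_id, Data=payload)
        return True
    except client.exceptions.GoneException:
        # HTTP 410: the socket is gone; drop the ID from your connection table
        return False


if __name__ == "__main__":
    demo = "wss://abc123.execute-api.eu-west-1.amazonaws.com/prod"  # constructed
    for action in ACTION_METHODS:
        print(action, *connection_request(demo, "Lk7dTc4cFiACEQ=", action))
```

Note that the management endpoint is stage-scoped: a message posted through the `prod` URL can only reach connections made to the `prod` wss:// endpoint, and a client that disconnected returns 410 rather than an error you should retry.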
Here's my scenario: I am trying to set up the AWS API Gateway so that all calls to the API Gateway endpoints will be forwarded to an Nginx HTTPS server behind it:
          HTTPS                HTTPS                    HTTPS                plain HTTP
[Client] ------> {{Internet}} -----> [AWS API Gateway] -----> [HTTPS server] ----------> [Internal web services]
Only the HTTPS server can access the internal web services inside a private network. The HTTPS server itself is publicly accessible on the Internet, as is the AWS API Gateway.
Now, the SSL certificate I installed on the HTTPS server is a private one, signed by a private CA I created.
See my AWS API Gateway config here
When the AWS API Gateway tries to forward an HTTPS request to the HTTPS server, via an HTTPS endpoint URL pointing to the server, the AWS API Gateway gets an error:
"Execution failed due to configuration error: General SSLEngine problem"
Perhaps this is because the AWS API Gateway does not recognize my private CA. If so, how do I import my private CA to the AWS API Gateway for this usage?
Edit: My intent here is that the AWS API Gateway will have to authenticate to the HTTPS server using the API Gateway's client certificates.
You cannot use self-signed certificates with API Gateway. If your API Gateway is only meant to speak to your server, then take a look at using certbot on your EC2 instance.
Alternatively, if you want to add more security, you could perform the following actions.
Migrate the EC2 instance into a private subnet.
Either import or create a new certificate via ACM.
Create an internal Network Load Balancer with a TLS listener, using the certificate you've got set up in ACM.
Create a VPC Link so that your API Gateway can access your internal NLB.
I want to integrate a WebSocket API with my ECS-managed WebSocket API running behind an ALB. Only HTTP connections are allowed, so I am getting a 426 error (Upgrade Required). How can I send a WebSocket request from API Gateway to the ALB?
My client has an already developed (and frozen) web service which is secured with a self-signed certificate. I have configured AWS API Gateway to get rid of the CORS issue. When I try to call any endpoint of the web service via AWS API Gateway, I get an HTTP 500 Internal Server Error. Until the client web service was secured with a self-signed certificate, the HTTP-based endpoints were accessible via AWS API Gateway.
What are the ways to still call the web service endpoints?
API Gateway will fail on self-signed certificates for http(s) backend integrations.
If you use the test functionality on the API GW, you will see an error in the logs on the right about either an SSL Engine Problem or a Bad Certificate.
If your backend is already in AWS and fronted by a load balancer, you can think of using free certificates from ACM.
Or you can consider using an NLB that the API Gateway can talk to; using the NLB you can have your backend APIs in a VPC with no public access and still have API GW talk to them.
Edit: For some reason I am not able to link correctly. Here are some links on ACM and NLB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
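Both answers above (the four-step list for the private-CA question and the ACM/NLB suggestion here) describe the same layout, so this single added example covers both. It is not code from either answer or from AWS; it drives the steps with boto3 and needs real credentials to run `provision()`. Every ARN, ID, subnet and host name is a placeholder, and `backend-nlb`, `backend-tg` and `backend-link` are resource names chosen for the example. The point the steps rely on is made explicit in the comments: API Gateway validates the ACM certificate on the NLB's TLS listener, while the NLB does not validate the backend's certificate, so the backend's self-signed certificate stops mattering.

```python
"""
Added example: ACM certificate + internal NLB (TLS listener) + VPC Link, so
API Gateway never sees the backend's self-signed certificate.  Placeholders:
cert_arn, vpc_id, private_subnets, instance_id, rest_api_id, resource_id,
backend_hostname.  Requires AWS credentials to run provision().
"""
import time


def integration_for_vpc_link(vpc_link_id: str, backend_hostname: str,
                             backend_path: str = "/{proxy}") -> dict:
    """put_integration() arguments for an HTTP_PROXY integration over a VPC Link.
    backend_hostname must be a name covered by the ACM certificate on the NLB
    listener: API Gateway checks the listener's certificate against this host.
    """
    return {
        "type": "HTTP_PROXY",
        "integrationHttpMethod": "ANY",
        "connectionType": "VPC_LINK",
        "connectionId": vpc_link_id,
        "uri": f"https://{backend_hostname}{backend_path}",
    }


def wait_until(poll, ok, timeout=600, every=15):
    """Poll until ok(poll()) holds; NLBs and VPC Links are created asynchronously
    and the later steps fail if they run before the earlier resource is ready."""
    deadline = time.time() + timeout
    while True:
        state = poll()
        if ok(state):
            return state
        if time.time() > deadline:
            raise TimeoutError(f"gave up waiting, last state: {state!r}")
        time.sleep(every)


def provision(cert_arn, vpc_id, private_subnets, instance_id,
              rest_api_id, resource_id, backend_hostname):
    import boto3  # imported here so the helpers above work without boto3
    elbv2 = boto3.client("elbv2")
    apigw = boto3.client("apigateway")

    # Step 1/3: internal NLB in the private subnets (Scheme=internal: no public IP).
    nlb = elbv2.create_load_balancer(Name="backend-nlb", Type="network", Scheme="internal",
                                     Subnets=private_subnets)["LoadBalancers"][0]
    nlb_arn = nlb["LoadBalancerArn"]
    wait_until(lambda: elbv2.describe_load_balancers(
        LoadBalancerArns=[nlb_arn])["LoadBalancers"][0]["State"]["Code"],
        lambda s: s == "active")

    # Target group speaks TLS to the instance on 443.  The NLB re-encrypts but
    # does not validate the backend certificate, so self-signed is fine here.
    tg = elbv2.create_target_group(Name="backend-tg", Protocol="TLS", Port=443,
                                   VpcId=vpc_id, TargetType="instance")["TargetGroups"][0]
    elbv2.register_targets(TargetGroupArn=tg["TargetGroupArn"],
                           Targets=[{"Id": instance_id, "Port": 443}])

    # Step 2+3: TLS listener with the ACM certificate; this is the certificate
    # API Gateway validates, and it chains to a public CA, unlike the backend's.
    elbv2.create_listener(LoadBalancerArn=nlb_arn, Protocol="TLS", Port=443,
                          Certificates=[{"CertificateArn": cert_arn}],
                          DefaultActions=[{"Type": "forward",
                                           "TargetGroupArn": tg["TargetGroupArn"]}])

    # Step 4: VPC Link, then the integration once the link is AVAILABLE.
    link = apigw.create_vpc_link(name="backend-link", targetArns=[nlb_arn])
    wait_until(lambda: apigw.get_vpc_link(vpcLinkId=link["id"])["status"],
               lambda s: s == "AVAILABLE")
    apigw.put_integration(restApiId=rest_api_id, resourceId=resource_id, httpMethod="ANY",
                          **integration_for_vpc_link(link["id"], backend_hostname))
    return link["id"]
```

Point a private DNS name (for example a record that resolves to the NLB) at the load balancer and request the ACM certificate for that name; the same name goes into the integration URI. Leaving the backend's own certificate untouched is the whole benefit: the frozen service keeps its self-signed certificate, and only the listener in front of it needs a publicly trusted one.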