We have an on-prem Qlik Sense server located on the intranet that has no internet connection by default. We have a DynamoDB table on AWS which we need to access via a REST API with AWS API Gateway and Lambda functions in a VPC.
The only way we can access the internet through the Qlik server is if we define a static IP address and a port to be whitelisted through a firewall rule. How can we achieve this? We have the following architecture in mind. Would it work?
I am quite new to the AWS world, so please excuse me if the question sounds very amateur. Should you need further explanation, please let me know.
I want to connect an AWS VPC and BigQuery in GCP using AWS Transit Gateway.
I would like to know how to connect using GCP's Private Google Access.
If there is another way, please let me know.
Thank you.
I created Private Google Access, but how do I connect it with BigQuery?
As @jarmod mentioned in the comments,
You may be better off creating some form of query API server inside the Google Cloud VPC that can talk privately to BigQuery and then have clients from the AWS VPC make requests to that API over the VPN tunnel.
As of now, this is the best practice.
Posting the answer as community wiki for the benefit of the community that might encounter this use case in the future.
Feel free to edit this answer for additional information.
Using AWS Direct Connect, we've built a network between our on-premises network and our AWS VPC. We've developed a web application that users will access from within the on-prem network. We're using the HTTP API Gateway, which uses a VPC Link to connect to the private ALB. We've used a Custom Domain Name with the HTTP API Gateway and disabled the default endpoint. The domain name is registered in a private hosted zone on Route 53.
We want to keep all the traffic between the clients and the API Gateway within our private network. However, we can see that the requests going to the HTTP API Gateway leave our network because the custom domain name for the API Gateway resolves to a public IP address.
Is there a way to assign a private IP address to the HTTP API Gateway? Or any other way to keep the traffic within our network?
One option is to switch to the REST API Gateway and make its endpoint type Private. However, the HTTP API Gateway suits our needs much better with its simplicity. It also has the option for connectivity to an ALB using VPC Link, which the REST Gateway lacks.
Sadly no, the HTTP APIs do not support Private APIs. Whatever solution you use, the HTTP API endpoint must be public.
You have to use a REST API, or create your own fully custom solution if a REST API is out of the question.
I want to provide an update to this topic.
AWS has updated its product, and private endpoints are available now.
AWS - Private API endpoint
There are also a couple of examples out there for CDK, CloudFormation or the management console.
I hope this helps.
I'm looking to set up an AWS API Gateway which will have private APIs (internal business client apps only).
One of the client apps that will be making requests to one of the APIs is a client that is on-prem.
What options are available to authenticate requests coming from a client when that client is on-prem? Is there some type of tunnel I am able to create between the on-prem client and the AWS VPC?
I don't want to make the APIs public at all. So I want to continue to keep all APIs private. Any and all insights appreciated.
The following tools are provided to enhance the security of API Gateway.
Firstly, there's support for a private API Gateway. By doing this, it will only be accessible from the VPC and from devices connected to it via VPN or Direct Connect.
If it must be publicly accessible but kept private, you can lock down the endpoint via either an API Gateway Resource Policy or by attaching a WAF to your API Gateway.
Finally, if you need more advanced methods of authenticating and providing authorization to specific routes in your API, then you should look at API Gateway's Lambda Authorizers feature.
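As an added illustration of the resource-policy option above (this is example code, not from the answer or from AWS), the block below builds the allow-then-deny resource policy AWS documents for private REST APIs, which denies every invocation whose `aws:SourceVpce` is not the expected interface endpoint, and runs a deliberately minimal IAM-style evaluator over it so the effect of the condition can be checked offline. The account ID, API ID, region and VPC endpoint IDs are made-up placeholders, and the evaluator only knows the two operators the policy uses.

```python
"""Lock a private API Gateway REST API to one interface VPC endpoint.

Added example; the IDs below are placeholders, not real resources.
"""
import fnmatch
import json


def build_private_api_policy(region: str, account_id: str, api_id: str, vpce_id: str) -> dict:
    """Allow-then-deny pattern for private REST APIs: allow anyone to invoke,
    then explicitly deny any call that did not arrive through `vpce_id`."""
    arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": arn},
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def _resource_matches(pattern: str, resource: str) -> bool:
    # ARNs contain no "?" or "[" so plain glob matching on "*" is sufficient here.
    return fnmatch.fnmatchcase(resource, pattern)


def _condition_matches(condition: dict, context: dict) -> bool:
    """Minimal evaluator for the two string operators this policy can use.
    A negated operator (StringNotEquals) matches when the key is absent from
    the request context, which is why a caller with no aws:SourceVpce is denied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_set = {expected} if isinstance(expected, str) else set(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in expected_set:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected_set:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Explicit Deny wins over Allow; no matching statement is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not _resource_matches(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_private_api_policy("us-east-1", "123456789012", "a1b2c3d4e5", "vpce-0abc123def456789a")
    print(json.dumps(policy, indent=2))
    method_arn = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/orders"
    for ctx in ({"aws:SourceVpce": "vpce-0abc123def456789a"},  # expected endpoint
                {"aws:SourceVpce": "vpce-0ffffffffffffffff"},  # another endpoint
                {}):                                            # no endpoint at all
        print(ctx, "->", evaluate(policy, "execute-api:Invoke", method_arn, ctx))
```

Attach the generated document as the API's resource policy and redeploy the stage; the policy only becomes effective after a deployment. The explicit Deny statement is what makes the lock-down robust: it also catches requests that match the blanket Allow but arrive through a different endpoint in another account that happens to target the same API.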
It looks like the simple answer is:
Option 1: Use Direct Connect
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
or
Option 2: Use AWS Site-to-Site VPN
https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html
What options are available to allow an on-prem client to make requests to a VPC Endpoint (interface endpoint created for a private REST API)?
Do I absolutely need to use corporate DNS?
If I use corporate DNS, my concern is that all existing requests going to S3 from on-prem will suddenly get routed differently and won't work as expected?
Assuming here that I have also direct connect and transit gateway.
Is a VPC Endpoint even necessary?
Any insight is appreciated.
I'm making the assumption at this point that a VPC Endpoint is the solution for allowing the on-prem client to make requests, since it needs some VIP or URL to make the request to. How else would I create a private REST API without a VPC endpoint?
I am assuming you are asking about a private API Gateway.
In this case a VPC Endpoint is mandatory, as it is private.
When you create the VPC Endpoint, it will generate some specific DNS names for this endpoint; you can use them to reach your API Gateway.
As you have Direct Connect, your best solution is to use Route 53 Resolver.
In this solution your on-premises DNS will forward resolution of all names that end with amazonaws.com to the Route 53 Resolver.
Please do not confuse name resolution with network connectivity: resolving names via Direct Connect doesn't mean all service requests will flow via Direct Connect.
There is a good whitepaper about this solution:
https://d1.awsstatic.com/whitepapers/hybrid-cloud-dns-options-for-vpc.pdf
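To make the two points of this answer concrete (the endpoint-generated hostnames, and the difference between forwarding a name and routing the traffic), here is an added example that is not part of the answer or the whitepaper. It lists the hostnames a private REST API can be invoked on through its interface endpoint, and mimics Route 53 Resolver's rule selection (the rule whose domain is the longest suffix of the query name wins) to show which on-prem queries a forwarding rule would actually send to the inbound endpoint. The API ID, region, stage, endpoint IDs, endpoint DNS name and resolver IPs are made-up placeholders.

```python
"""Private REST API hostnames and Route 53 Resolver forwarding-rule selection.

Added example; every identifier below is a placeholder, not a real resource.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrivateApi:
    api_id: str
    region: str
    stage: str
    vpce_id: str
    vpce_dns: str  # one of the endpoint's own DNS names, as listed on the VPC endpoint


def invocation_options(api: PrivateApi) -> Dict[str, dict]:
    """The URL forms a private REST API accepts through an interface endpoint.

    - private_dns: the plain execute-api name; only resolves to the endpoint
      when 'private DNS' is enabled on it and the resolver used is the VPC's.
    - endpoint_specific: the {api-id}-{vpce-id} name, which is publicly
      resolvable to the endpoint's private IPs, so it works from on-prem over
      Direct Connect with no DNS forwarding at all.
    - vpce_dns_*: the endpoint's own DNS name, with the API identified either by
      a Host header or by the x-apigw-api-id header.
    """
    plain_host = f"{api.api_id}.execute-api.{api.region}.amazonaws.com"
    endpoint_specific_host = f"{api.api_id}-{api.vpce_id}.execute-api.{api.region}.amazonaws.com"
    return {
        "private_dns": {"url": f"https://{plain_host}/{api.stage}", "headers": {}},
        "endpoint_specific": {"url": f"https://{endpoint_specific_host}/{api.stage}", "headers": {}},
        "vpce_dns_host_header": {"url": f"https://{api.vpce_dns}/{api.stage}",
                                 "headers": {"Host": plain_host}},
        "vpce_dns_api_id_header": {"url": f"https://{api.vpce_dns}/{api.stage}",
                                   "headers": {"x-apigw-api-id": api.api_id}},
    }


def forward_target(qname: str, rules: Dict[str, List[str]]) -> Optional[List[str]]:
    """Pick the forwarding rule for a query name the way Route 53 Resolver does:
    the most specific (longest) matching domain wins; None means the on-prem
    resolver answers the query itself, as it does today."""
    name = qname.rstrip(".").lower()
    best: Optional[tuple] = None
    for domain, targets in rules.items():
        d = domain.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, targets)
    return best[1] if best else None


if __name__ == "__main__":
    api = PrivateApi(
        api_id="a1b2c3d4e5", region="us-east-1", stage="prod",
        vpce_id="vpce-0abc123def456789a",
        vpce_dns="vpce-0abc123def456789a-ab12cd34.execute-api.us-east-1.vpce.amazonaws.com",
    )
    for name, opt in invocation_options(api).items():
        print(f"{name:24} {opt['url']}  headers={opt['headers']}")

    # Constructed inbound-endpoint IPs for the resolver in the VPC.
    inbound = ["10.0.1.10", "10.0.2.10"]
    broad_rule = {"amazonaws.com": inbound}
    narrow_rule = {f"execute-api.{api.region}.amazonaws.com": inbound}
    for qname in (f"{api.api_id}.execute-api.{api.region}.amazonaws.com", "mybucket.s3.amazonaws.com"):
        print(qname, "broad ->", forward_target(qname, broad_rule), "narrow ->", forward_target(qname, narrow_rule))
```

The forwarding comparison is the answer to the S3 worry in the question: a rule for all of `amazonaws.com` sends the S3 lookups to the VPC resolver too, which still returns S3's public addresses unless a matching S3 interface endpoint with private DNS exists, so the S3 traffic keeps its current path; a rule scoped to `execute-api.<region>.amazonaws.com` avoids even that detour. If forwarding is unwanted altogether, the endpoint-specific hostname gives a working URL from on-prem with no DNS changes.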
One of the questions in an AWS practice exam is as below:
You are a solutions architect who has moved to a manufacturing company that has very legacy applications. One of these applications needs to communicate with services which are currently hosted on premises. The people who wrote this application have left the company and there is nothing to document how the application works. You need to ensure that this application can be hosted in a bespoke VPC but still be able to communicate with the back-end services which are hosted on premises. Which of the three answers below will allow the application to communicate back to the on-premises equipment without the need to reprogram the application?
And one of the correct answers was indicated to be:
You should ensure the VPC has an internet gateway attached to it so that you can establish a site to site VPN with the on premise environment.
From the VPC faq, my understanding is you do not need internet gateway for VPN to work.
From VPC FAQ
Q. How does a hardware VPN connection work with Amazon VPC?
A hardware VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a hardware VPN connection.
Anyone have experience with VPN on AWS, please clarify.
THIS QUESTION DOES NOT LACK RESEARCH
It appears that discussions about this question can also be found at:
A Cloud Guru: Internet Gateway vs Virtual Private Gateway
A Cloud Guru: VPC - Internet Gateway for a Site to Site VPN? - Correct Answer?
A Cloud Guru: Direct Connect question
The question apparently asks for 3 correct answers out of 5. The question is badly written and does not have a correct set of answers.
The connection would need to be either via AWS Direct Connect or a VPN Connection, both of which connect to an Amazon VPC via a Virtual Private Gateway rather than an Internet Gateway.
It would be possible to establish a Software VPN connection back to on-premises, which would require software configuration, an Internet Gateway and a Public IP address (for the Software VPN). However, the provided answers make no mention of a Software VPN.