I'm having an Application Load Balancer and an API Gateway. I'm trying to enforce the flow in such a way that only the requests from API-Gateway is allowed to access my loadbalancer. Is there some way I could use AWS WAF to get it done?
API gateway supports so called Private Integrations which use VpcLink resource and NLB. With them you can:
expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
The docs also provide a tutorial how to use them:
Build an API with API Gateway Private Integration
Related
Using AWS Direct Connect, we've built a network between our on-premise and our AWS VPC. We've developed a web application that users will access from within the on-prem network. We're using the HTTP API Gateway, which uses a VPC Link to connect to the private ALB. We've used a Custom Domain Name with the HTTP API Gateway and disabled the default endpoint. The domain name is registered in a private hosted zone on Route 53.
We want to keep all the traffic between the clients and the API Gateway within our private network. However, we can see that the requests going to the HTTP API Gateway leave our network because the custom domain name for the API Gateway resolves to a public IP address.
Is there a way to assign a private IP address to the HTTP API Gateway? Or any other way to keep the traffic within our network?
One option is to switch to the REST API Gateway and make its endpoint type Private. However, the HTTP API Gateway suits our needs much better with its simplicity. It also has the option for connectivity to an ALB using VPC Link, which the REST Gateway lacks.
Sadly no, the HTTP APIs do not support Private APIs. Whatever solution you will use, HTTP API endpoint must be public.
You have to use REST API, or create your own fully custom solution if REST API is out of question.
I want to provide an update to this topic.
AWS updated its product and private endpoints are available right now.
AWS - Private API endpoint
There are also a couple of examples out there also for CDK, Cloudformation or management console.
I hope this helps
I'm trying to expose an HTTP server to the internet. The server runs on a Fargate container inside a dedicated VPC. I could just expose it through a public Application Load Balancer (ALB) if it wasn't for the fact that requests to this server must be authenticated using IAM.
My approach was to put an AWS Gateway v1 in front of the service's load balancer. This Gateway verifies authentication through IAM, then relays the request to a Network Load Balancer (NLB) using a VPC Link. The NLB in turn routes it to the server itself.
Here's the problem: Api Gateway v1 does not support VPC Links to ALBs, only NLBs, but NLBs use TCP, while I'm exposing an HTTP server. This way I can't relay paths and other HTTP features through the Network Load Balancer.
Api Gateway v2 does support VPC Links to ALBs, but it does not have a way to authenticate using IAM.
Is there any way to work around this problem?
I am not sure why you think api gtw 2 does not allow IAM authentication or where you got that from?
Can you put your cloudformation here or point to a git so I can test it with a policy?
Can you put the link where it says that API GTW 2 does not suport IAM Authorization?
The documentation clearly mentions that you can use IAM Authorisers?
https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/doc-history.html
Here is a blog that might help?
https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
You could go the long way and use Cognito Pool, link that to you API GTW, if what you say is true.
https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/
hope this helps, I'd be curious of your Cloud Formation if you are willing to share.
I am trying to understand the use of API Gateway along with AWS ALB (Ingress Controller) for the EKS cluster.
Let's say,
there are 10 microservices in the AWS EKS cluster running on 10 pods. The EKS cluster is in Private VPC.
I can create Kubernetes Ingress which will create an ALB and provide rule-based routing. The ALB will be in Public VPC and I believe, AWS will allocate a public ip to the ALB. I can configure the ALB behind Route53 to access using the domain name. My understanding says that ALB supports multiple features including host or path based routing, TLS (Transport Layer Security) termination, WebSockets, HTTP/2, AWS WAF (Web Application Firewall) integration, integrated access logs, and health checks.
So, security wise there should not be any challenge. Am I wrong?
Please refer Link of the above mentioned solution architecture.
Is there any specific use case where I need to use AWS API Gateway in front of AWS ALB in the above-mentioned architecture?
What are additional benefits the AWS API Gateway has along with AWS ALB?
Should I put AWS ALB in the Private VPC if decided to use AWS API Gateway in front of that?
With API GW you will get rate limiting, throttling and if you want to authenticate and authorize requests based on OAUTH or any other auth model that can be done with API GW.
I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now, this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but AWS API Gateway IP changes all the time. I tried also using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that loadbalancer!
Thanks in advance with the help!
You can do this by using a Network Load Balancer.
Create an internal network load balancer and have your containers be added to its target group.
Then in API Gateway create a VPCLink to your Network Load Balancer. Then use the VPCLink within your API Gateway setup.
More instructions available here.
You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control in order to understand how you can enable endpoint private access for your cluster.
Is there a way to set up api gateway endpoint for lambda functions to be only accessible internally ? I don't want it to be expose to the public.
API Gateway has released a new Private Endpoint feature, which makes this possible.
The API Gateway Private Endpoint will only be accessible from VPC and it requires setting up an Interface VPC Endpoints which will be used to access the endpoint. Also, it will be required to setup a Resource Policy to grant access to the API from your VPCs and VPC endpoints.
In order to access the API endpoint from your on premises network, you can either establish a AWS Direct Connect connection or AWS VPN Connection from your on premise to the Amazon VPC.
Unfortunately, no. At the moment API Gateway Invoke URLs are public. Making them private is not possible.
You can secure your API Gateway Rest API using either IAM roles or custom authorizers.
Yes, now you can configure AWS API Gateway with private link. follow the link, but you can only access the endpoint from VPC and if you want to access that end point from your data center you will need Direct Connect.