API Gateway with Static Elastic IP - amazon-web-services

Hi, we have an AWS API Gateway configured with Lambda and now want to integrate with a vendor, wherein the vendor wants us to provide him with a static IP for the API Gateway that we have. As per my knowledge, API Gateway serves requests through dynamic Elastic IPs, which are listed here.
Is there a way to achieve this other than putting a forward proxy or NLB in front of it?

You cannot get a static IP if you are using a public API Gateway endpoint (Regional or Edge-optimized). The IPs allocated for APIs in any AWS region can be changed at any time and are a very wide range.
However, if you were to use a private API Gateway endpoint, you could use the setup below:
Client --> NLB(public static IP) --> VPC endpoint for API Gateway --> Private API
The execute-api VPC endpoint has fixed IP addresses allocated from the VPC CIDR range. With an NLB as the front end (with a public static IP), you can add these IP addresses as targets in your NLB config.

You can also use a static IP proxy service such as QuotaGuard. I use that to deal with services that want to whitelist my IP when using dynamic DNS.
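The answer above leaves two practical pieces to the reader: which addresses to register as NLB targets (the endpoint ENIs, not every ENI in the subnet), and how to stop a second VPC endpoint from reaching the private API once it is exposed this way. The following is an added example, not code from either answer: it extracts the endpoint ENI addresses from a constructed, CLI-shaped `describe-network-interfaces` document and builds the `aws:SourceVpce` resource policy for the private API. The endpoint id, ENI ids, IPs, account number and API id are placeholders.

```python
"""Added example (not code from the original post): derive the NLB IP targets
for the pattern Client -> NLB -> execute-api VPC endpoint -> private API, and
build the resource policy that confines the private API to that endpoint.
All identifiers, IPs and the API id below are constructed placeholders."""
import ipaddress
import json

VPCE_ID = "vpce-0abc123def456789a"   # constructed endpoint id
VPC_CIDR = "10.0.0.0/16"             # constructed VPC range

# Constructed sample shaped like the output of
# `aws ec2 describe-network-interfaces --filters Name=vpc-endpoint-id,Values=<vpce-id>`.
# The third interface is an unrelated instance ENI that must be ignored.
DESCRIBE_ENIS = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa111", "AvailabilityZone": "eu-west-1a",
         "InterfaceType": "vpc_endpoint", "PrivateIpAddress": "10.0.1.23",
         "Description": "VPC Endpoint Interface " + VPCE_ID},
        {"NetworkInterfaceId": "eni-0bbb222", "AvailabilityZone": "eu-west-1b",
         "InterfaceType": "vpc_endpoint", "PrivateIpAddress": "10.0.2.45",
         "Description": "VPC Endpoint Interface " + VPCE_ID},
        {"NetworkInterfaceId": "eni-0ccc333", "AvailabilityZone": "eu-west-1a",
         "InterfaceType": "interface", "PrivateIpAddress": "10.0.1.77",
         "Description": "app server"},
    ]
}


def endpoint_targets(enis, vpce_id, vpc_cidr, port=443):
    """Return the IP targets (one per endpoint ENI) to register in the NLB
    target group, verifying each address really comes from the VPC CIDR."""
    network = ipaddress.ip_network(vpc_cidr)
    targets = []
    for eni in enis["NetworkInterfaces"]:
        if eni.get("InterfaceType") != "vpc_endpoint":
            continue
        if vpce_id not in eni.get("Description", ""):
            continue
        ip = ipaddress.ip_address(eni["PrivateIpAddress"])
        if ip not in network:
            raise ValueError(f"{ip} is outside {vpc_cidr}; refusing to register it")
        targets.append({"Id": str(ip), "Port": port,
                        "AvailabilityZone": eni["AvailabilityZone"]})
    # One ENI is a single point of failure; the answer assumes one ENI per AZ.
    if len({t["AvailabilityZone"] for t in targets}) < 2:
        raise ValueError("endpoint ENIs found in fewer than two AZs")
    return sorted(targets, key=lambda t: t["Id"])


def private_api_resource_policy(api_id, vpce_id, region="eu-west-1",
                                account="123456789012"):
    """Resource policy for the private REST API: allow invocation only when the
    call arrives through the named VPC endpoint (aws:SourceVpce) and deny
    everything else, so an endpoint in another VPC cannot reach it."""
    arn = f"arn:aws:execute-api:{region}:{account}:{api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": arn,
             "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}}},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }


if __name__ == "__main__":
    targets = endpoint_targets(DESCRIBE_ENIS, VPCE_ID, VPC_CIDR)
    print("NLB targets:", json.dumps(targets, indent=2))
    print(json.dumps(private_api_resource_policy("a1b2c3d4e5", VPCE_ID), indent=2))
```

The NLB's own listener on 443 is the only thing the vendor's static-IP allow-list sees; the resource policy is what keeps the private API from quietly becoming reachable through any other execute-api endpoint that happens to be created later in another VPC.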

Related

GCP API Gateway Static IP for egress

I have deployed an API Gateway on GCP. I would like to attach a static IP to the gateway so that I can add the IP to an allowlist of another service, that the API Gateway forwards requests to. The service is a third-party service, that only accepts requests from IPs on their allowlist.
I have set up a load balancer for the API Gateway, which does have a global static IP attached. However, this does solve the egress traffic, I see in the logs that the IP isn't static. Is there a way that I can attach a static IP to the API Gateway for egress, so that I can add a single IP to the other service?
Any help on this would be appreciated!
You can't add egress control on API Gateway. A workaround is to create a proxy Cloud Function that has a static egress IP. There is an extra cost for the Cloud Functions processing and for the serverless VPC connector that you have to use.
Another solution is to host the equivalent of API Gateway yourself on Cloud Run, for example (the open source project is named ESPv2, and I wrote an article on that before the managed solution, API Gateway, existed), and to use the same configuration (serverless VPC connector and Cloud NAT) on the Cloud Run service.

Call AWS Lambda function via public IP address

I am building a webserver with AWS Lambda and I need a public IP address that I can call to request the Lambda function. My users need to put this IP address as an A record into their DNS.
Is it somehow possible, for example, to associate an Elastic IP to a single Lambda function for incoming traffic? Maybe through a load balancer?
For the outgoing traffic I have my NAT and Internet Gateways, which are working fine.
You have 2 choices that can provide this functionality:
API Gateway - This is made for traditional API calls, you will need to create a custom domain mapping to your API within AWS for each domain that will use the API Gateway.
Application Load Balancer - You can use an ALB to have your Lambda as a target for all requests. However, without path-based pattern matching, be aware that all requests will arrive at the same Lambda.
Both of the above will require that the subdomain is mapped by a CNAME rather than an A Record. This is because both of these domains recycle IP addresses on an infrequent basis.
If you absolutely must have the record resolve to an IP, you would need to use an NLB in front of your ALB. The NLB supports a static IP per subnet; the ALB would then become its target through IP mapping and an existing AWS service. If you can use CNAMEs then you do not need to do this.

AWS API Gateway Private API Custom Domain Name

AWS Document says,
Custom domain names are not supported for private APIs.
Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
What does this exactly mean? I am able to attach a custom domain name to the Private API.
However I am facing issues with SSL Certificates.
API Gateway has 4 options:
HTTP API
WebSockets API
REST API
REST API Private
REST API Private is the same as REST APIs except it is only accessible from within a VPC. To access the REST API from within the VPC an interface VPC endpoint is required. If you do not use an interface VPC endpoint then you can access the REST API on API Gateway via NAT which goes via the internet gateway or just an internet gateway. In either case this would be a public REST API over the internet.
When using the VPC interface endpoint, AWS generates a custom domain name. This domain name is used within the VPC to locate the endpoint and redirect to the REST API. For this reason you cannot specify your own custom domain name at this time. You can specify a custom domain name for a public facing REST API.
Because you cannot specify your own custom domain name, you cannot use your own custom certificates.
Because the VPC interface endpoint is called API Gateway internally, TLS 1.2 is used. This cannot be changed either.
If you want to use your own certificates, then you would need to define your own domain name, and use a public facing REST API defined in API Gateway.
Alternatively, you could use a custom domain name internal to your VPC and generate a certificate for this domain name. Put the certificate on a proxy server like NGINX and use the proxy to front the interface endpoint. The interface endpoint uses an Elastic Network Interface (ENI) and therefore has a Security Group, and you can restrict traffic to originate from the proxy using the Security Group. In this case the certificate will reside on the proxy, and TLS will terminate on the proxy server. The proxy server will then access the REST API over a new connection.
One option of using custom domain for private endpoint is to put an (internal facing) application load balancer in front of the API gateway.
When you add a listener to your ALB, you have the option to specify a certificate. Then you point to your ALB with your domain as an alias in Route53.
To summarise:
Create a target group that points to the ENI IP addresses of com.amazonaws.eu-west-1.execute-api
Create an internal facing Application Load Balancer
Add the target group as a listener, specifying a default SSL/TLS cert with your domain
Point your domain to the ALB alias in Route53
Optionally, you could put a Network Load Balancer in front of your ALB if you need to give the ALB some on-prem address. In that case, you point your domain to the on-prem (private) address instead of the ALB alias. Create a new target group that points to your ALB and add it as a listener in the NLB.
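The summarised steps above (IP target group on the endpoint ENIs, internal ALB, HTTPS listener with your own certificate, Route 53 alias) are easy to get subtly wrong, for instance by creating the ALB internet-facing, which turns a private API into a public one. The following is an added example, not code from the answer: it builds those four resources as a CloudFormation template in Python and runs a small review over the result. The ENI addresses, VPC/subnet/security-group ids, certificate ARN and hosted zone id are placeholders; the `200-403` health-check matcher is an assumption based on the endpoint answering 403 to a probe that carries no API hostname.

```python
"""Added example, not code from the original answer: the four summarised steps
(IP target group on the execute-api endpoint ENIs, internal ALB, HTTPS listener
with your own certificate, Route 53 alias) expressed as a CloudFormation
template built and sanity-checked in Python. IPs, IDs and ARNs are placeholders."""
import json


def private_api_alb_template(eni_ips, vpc_id, subnet_ids, sg_id, cert_arn,
                             hosted_zone_id, domain):
    """Build the CloudFormation resources for an internal ALB that fronts the
    execute-api interface endpoint and serves your own certificate."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            # Step 1: IP-type target group pointing at the endpoint ENI addresses.
            "ExecuteApiTargets": {
                "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                "Properties": {
                    "TargetType": "ip", "Protocol": "HTTPS", "Port": 443,
                    "VpcId": vpc_id,
                    "Targets": [{"Id": ip, "Port": 443} for ip in eni_ips],
                    "HealthCheckProtocol": "HTTPS", "HealthCheckPath": "/",
                    # Assumption: the endpoint answers 403 to a health check that
                    # carries no API hostname, so 403 has to count as healthy.
                    "Matcher": {"HttpCode": "200-403"},
                },
            },
            # Step 2: internal-facing ALB in private subnets.
            "InternalAlb": {
                "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                "Properties": {"Scheme": "internal", "Type": "application",
                               "Subnets": subnet_ids, "SecurityGroups": [sg_id]},
            },
            # Step 3: HTTPS listener terminating TLS with your certificate.
            "HttpsListener": {
                "Type": "AWS::ElasticLoadBalancingV2::Listener",
                "Properties": {
                    "LoadBalancerArn": {"Ref": "InternalAlb"},
                    "Port": 443, "Protocol": "HTTPS",
                    "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
                    "Certificates": [{"CertificateArn": cert_arn}],
                    "DefaultActions": [{"Type": "forward",
                                        "TargetGroupArn": {"Ref": "ExecuteApiTargets"}}],
                },
            },
            # Step 4: alias record in Route 53 pointing the domain at the ALB.
            "ApiAlias": {
                "Type": "AWS::Route53::RecordSet",
                "Properties": {
                    "HostedZoneId": hosted_zone_id, "Name": domain, "Type": "A",
                    "AliasTarget": {
                        "DNSName": {"Fn::GetAtt": ["InternalAlb", "DNSName"]},
                        "HostedZoneId": {"Fn::GetAtt": ["InternalAlb", "CanonicalHostedZoneID"]},
                    },
                },
            },
        },
    }


def review(template):
    """Return a list of findings; empty means the chain keeps the private API
    private and terminates TLS with your own certificate."""
    res = template["Resources"]
    findings = []
    alb = res["InternalAlb"]["Properties"]
    if alb.get("Scheme") != "internal":
        findings.append("ALB is not internal: the private API would be reachable from the internet")
    lis = res["HttpsListener"]["Properties"]
    if lis.get("Protocol") != "HTTPS" or not lis.get("Certificates"):
        findings.append("listener does not terminate TLS with a certificate")
    tg = res["ExecuteApiTargets"]["Properties"]
    if tg.get("TargetType") != "ip" or tg.get("Protocol") != "HTTPS":
        findings.append("target group must use IP targets over HTTPS to reach the endpoint ENIs")
    if any(t["Port"] != 443 for t in tg.get("Targets", [])):
        findings.append("endpoint ENIs only serve port 443")
    return findings


if __name__ == "__main__":
    tpl = private_api_alb_template(
        ["10.0.1.23", "10.0.2.45"], "vpc-0123", ["subnet-a", "subnet-b"], "sg-0123",
        "arn:aws:acm:eu-west-1:123456789012:certificate/PLACEHOLDER",
        "Z0PLACEHOLDER", "api.internal.example.com")
    print(json.dumps(tpl, indent=2))
    print("findings:", review(tpl))
```

Note that the ALB forwards the client's `Host` header unchanged, so API Gateway has to recognise your domain (the custom domain name the question refers to); a request carrying a hostname the API does not know is rejected by execute-api.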

Does AWS API Gateway have any static IP address?

I have an aws api gateway which has a custom domain.
I have to access one of my client's APIs from AWS API Gateway.
Those APIs will be accessible based on IP address.
If I want to access those APIs from AWS, I need to know the IP address of my AWS API Gateway.
But I am not sure where I can get this.
Any possibilities to get the static IP address of AWS apigateway?
Unfortunately the API Gateway doesn't support this scenario of invoking an IP-whitelisted API directly. Basically any AWS instance can be used to make the API call, and there are many IPs that AWS is using for this.
There are some ways around this, depending on your situation:
If the server you are reaching is within your own VPC, you could create a VPC link (with NLB) and circumvent the IP-whitelist issue. This solution only works for resources within your control.
If the server is external and is expecting a static IP, your best solution is to make your call from within a VPC. To make sure you have a static public IP you can use an elastic IP and a NAT Gateway in your VPC (more info here).
To invoke the external API triggered from the API Gateway you can use a Lambda but because of the VPC a cold start will be quite slow, >10s. To make sure the API will be responding fast you can use an EC2 instance or ECS service on Fargate.
After you clarified your requirements in the comments above it appears that you need your AWS Lambda function, which is being triggered by API Gateway, to appear to a third party as if it has a static outgoing IP address.
The solution to this is to configure your Lambda function to run in your VPC, in a private subnet of your VPC that has a route to a NAT Gateway. Then all outgoing connections from the Lambda function which access resources outside your VPC will use the NAT Gateway's static IP address.
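Both answers above end at "put the Lambda in a private subnet with a route to a NAT Gateway". The classic mistake is attaching the function to a public subnet instead: a Lambda ENI has no public IP, so behind an internet gateway it has no egress at all, and the vendor never sees a request. The following is an added example, not code from either answer: it checks a function's VPC configuration against the VPC's route tables and reports the NAT gateway's Elastic IP, which is the address to hand to the third party. The function, subnet, route-table and NAT-gateway records are constructed, CLI-shaped samples.

```python
"""Added example (not from the original answer): verify that a Lambda function
attached to a VPC sits only in subnets whose default route goes to a NAT
gateway, and report the NAT gateway's Elastic IP, which is the static source
address the third party will see. All CLI-shaped data below is constructed."""

# Shaped like `aws lambda get-function-configuration` (constructed).
FUNCTION_CONFIG = {
    "FunctionName": "vendor-caller",
    "VpcConfig": {"SubnetIds": ["subnet-priv-a", "subnet-priv-b"],
                  "SecurityGroupIds": ["sg-0123"]},
}

# Shaped like `aws ec2 describe-route-tables` (constructed).
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]}

# Shaped like `aws ec2 describe-nat-gateways` (constructed).
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0123", "State": "available",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0123",
                              "PublicIp": "203.0.113.10"}]},
]}


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rtb in route_tables["RouteTables"]:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def nat_gateway_for_subnet(subnet_id, route_tables):
    """Return the NAT gateway id behind the subnet's default route, or raise
    with the reason this subnet cannot give the function a static egress IP."""
    rtb = route_table_for(subnet_id, route_tables)
    if rtb is None:
        raise ValueError(f"{subnet_id}: no route table found")
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return route["NatGatewayId"]
        if str(route.get("GatewayId", "")).startswith("igw-"):
            # Public subnet: the Lambda ENI has no public IP, so it gets no internet access here.
            raise ValueError(f"{subnet_id}: default route goes to an internet gateway (public subnet)")
        raise ValueError(f"{subnet_id}: default route target {route} is not a NAT gateway")
    raise ValueError(f"{subnet_id}: no default route, the function has no internet egress")


def static_egress_ips(function_config, route_tables, nat_gateways):
    """Sorted list of Elastic IPs the function's outbound traffic will use."""
    by_id = {n["NatGatewayId"]: n for n in nat_gateways["NatGateways"]}
    ips = set()
    for subnet_id in function_config["VpcConfig"]["SubnetIds"]:
        nat_id = nat_gateway_for_subnet(subnet_id, route_tables)
        nat = by_id.get(nat_id)
        if nat is None or nat.get("State") != "available":
            raise ValueError(f"{subnet_id}: NAT gateway {nat_id} missing or not available")
        ips.update(a["PublicIp"] for a in nat["NatGatewayAddresses"])
    return sorted(ips)


if __name__ == "__main__":
    print("addresses to allow-list:", static_egress_ips(FUNCTION_CONFIG, ROUTE_TABLES, NAT_GATEWAYS))
```

With one NAT gateway per AZ there will be one Elastic IP per AZ in the result, and every one of them has to be on the vendor's list, since the function can run in any of its subnets.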

AWS API Gateway Access Private Subnet

I have Public and Pvt Subnets in my VPC. I have some services running on EC2 in the Pvt subnet that need to be accessed by external/mobile resources. How do I do this? Are VPCLink and NLB the way to do it, or is there any other way, such as creating some access point in the Public subnet (??)? Lambda seems to be the answer (for almost everything in AWS now), but I am not sure even how that access works for resources in the Pvt Subnet.
Also the same Pvt Subnet has access external resources (outside of AWS) - how do I do this using the API Gateway?
I am not quite understanding how the API Gateway (and Lambda) is situated vis-a-vis the VPC and subnets, and how the network access control functions: can they access Pvt subnets directly or not? The documentation is somewhat silent on this and only talks about IAM; if someone can explain this. Found this on Lambda: AWS Lambda: How to setup a NAT gateway for a lambda function with VPC access.
The documentation says "API Gateway allows you to securely connect ... publicly addressable web services hosted inside or outside of AWS". My resources in Pvt subnet are not publicly addressable - I suppose.
Thanks
Are the services you have running on EC2 offering an API? API Gateway is meant to proxy API requests. It's commonly used in conjunction with Lambda to allow Lambda functions to process HTTP requests. An API Gateway is not necessary for your service. You can simply use an Application Load Balancer (ALB) or an Elastic Load Balancer (ELB). They can reside on a public subnet while your service remains in the private subnet. You can use security groups and VPC routing tables to allow communication from your public ALB/ELB to your private EC2 service.
With Ben's help, here is the answer.
Introducing Amazon API Gateway Private Endpoints
Inbound: Accessing services hosted in Private Subnet via API Gateway
Endpoint integrations inside a private VPC. With this capability, you can now have your backend running on EC2 be private inside your VPC without the need for a publicly accessible IP address or load balancer.
So essentially API Gateway can access published endpoints, even in Private Subnets.
OutBound: Accessing externally hosted services from Private Subnet via API Gateway
API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. When using private DNS, all traffic to that service is directed to the interface endpoint instead of through a default route, such as through a NAT gateway or public IP address.
So you simply need to create a VPC endpoint in the Pvt Subnet for the API Gateway.