With AWS API Gateway, is there a way to send a request through a corporate proxy? Let's say that I have a service that will only accept traffic sourced from http://proxy.my-proxy.domain.com:8000.
If the above is not possible, is there a way to send requests with an IP from my VPC CIDR?
NOTE - This is a private API Gateway with all VPC-E configured
correctly.
NOTE - As I am merely a simpleton, I do not have
privileges to modify this proxy.
NOTE - I'd rather not use lambda (if
possible)
Private endpoints are only private within the AWS ecosystem, they cannot be utilized outside them unless you establish connectivity between AWS VPC and your corporate network.
There are three ways to achieve this as far as i know
You can make your API Gateway be public and use WAF to control access to it. You can whitelist only your corporate proxy IP addresses that are only allowed to access this gateway.
Establish a VPN connection between your AWS VPC and the corporate network. This will allow you to use private endpoints without making them public using a secure encrypted pipe
Setup AWS Direct Connect between your AWS VPC and the corporate network. This may not be an option considering the cost to the value proposition
I just ended up using Lambda attached to my VPC w/ API Gateway proxy integration.
Related
Using AWS Direct Connect, we've built a network between our on-premise and our AWS VPC. We've developed a web application that users will access from within the on-prem network. We're using the HTTP API Gateway, which uses a VPC Link to connect to the private ALB. We've used a Custom Domain Name with the HTTP API Gateway and disabled the default endpoint. The domain name is registered in a private hosted zone on Route 53.
We want to keep all the traffic between the clients and the API Gateway within our private network. However, we can see that the requests going to the HTTP API Gateway leave our network because the custom domain name for the API Gateway resolves to a public IP address.
Is there a way to assign a private IP address to the HTTP API Gateway? Or any other way to keep the traffic within our network?
One option is to switch to the REST API Gateway and make its endpoint type Private. However, the HTTP API Gateway suits our needs much better with its simplicity. It also has the option for connectivity to an ALB using VPC Link, which the REST Gateway lacks.
Sadly no, the HTTP APIs do not support Private APIs. Whatever solution you will use, HTTP API endpoint must be public.
You have to use REST API, or create your own fully custom solution if REST API is out of question.
I want to provide an update to this topic.
AWS updated its product and private endpoints are available right now.
AWS - Private API endpoint
There are also a couple of examples out there also for CDK, Cloudformation or management console.
I hope this helps
A VPC endpoint enables connections between a virtual private cloud (VPC) and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Therefore, your VPC is not exposed to the public internet.
AWS PrivateLink is a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to communicate with the service. Therefore, your VPC is not exposed to the public internet.
What's so insecure of using public internet if all my incoming(to AWS)/outgoing(from AWS) connections use https? Could this still be decrypted?
I'm not very knowledgeable in networking/security that's why I'm asking.
I think you are confusing two architectures.
Public applications - available over the internet. They require direct or peroxided internet access. One way to secure them is through HTTPS as you do. For them to work your VPC needs internet gateway and/or NAT as well.
Private applications - those applications are meant to be only accessible from within a AWS. Thus internet access to these applications is not required, and is bad practice. This is where AWS PrivateLink can be used. It allows you to expose your application to other AWS users, without them needing internet access or even access to your VPC. They can access your private applications from their own accounts and VPCs.
What is the difference between Private Link and VPC endpoint? As per the documentation it seems like VPC endpoint is a gateway to access AWS services without exposing the data to internet. But the definition about AWS private link also looks similar.
Reference Link:
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html
Does Private Link is the superset of VPC endpoint?
It would be really helpful if anyone provides the difference between these two with examples!
Thanks in Advance!
AWS defines them as:
VPC endpoint — The entry point in your VPC that enables you to connect privately to a service.
AWS PrivateLink — A technology that provides private connectivity between VPCs and services.
So PrivateLink is technology allowing you to privately (without Internet) access services in VPCs. These services can be your own, or provided by AWS.
Let's say that you've developed some application and you are hosting it in your VPC. You would like to enable access to this application to services in other VPCs and other AWS users/accounts. But you don't want to setup any VPC peering nor use Internet for that. This is where PrivateLink can be used. Using PrivateLink you can create your own VPC endpoint services which will enable other services to use your application.
In the above scenario, VPC interface endpoint is a resource that users of your application would have to create in their VPCs to connect to your application. This is same as when you create VPC interface endpoint to access AWS provided services privately (no Internet), such as Lambda, KMS or SMS.
There are also Gateway VPC endpoints which is older technology, replaced by PrivateLink. Gateways can only be used to access S3 and DynamoDB, nothing else.
To sum up, PrivateLink is general technology which can be used by you or AWS to allow private access to internal services. VPC interface endpoint is a resource that the users of such VPC services create in their own VPCs to interact with them.
Suppose there is a website xyz.com that I am hosting in a bunch of Ec2 instances, exposed to the outside world thru a Network load balancer.
Now, a client who has his/her own AWS account, wants to access this xyz.com from an Ec2 running in their aws account.
One approach is to go thru the Internet.
However the client wants to avoid the internet route.
He/she wants to use the AWS backbone to reach xyz.com.
The technology that enables that, is AWS Private link.
(note that if you search for Private Link in the AWS services, there will be none.
You will get "End point services" as the closest hit)
So, this is how to route traffic through the AWS backbone:
I, the owner of xyz.com, will create a VPC End Point Service (NOTE the keyword Service here)
The VPC End point service will point to my Network load balancer.
I will then give my VPC End point service name to the client.
The client will create a VPC End Point (NOTE.. this is different from #1).
While creating it, the client will specify the VPC End Point Service name (from #1) that he got from me.
I can choose to be prompted to accept the connection from the client to my VPC End point service.
As soon as I accept it, then the client can reach xyz.com from his/her EC2 instance.
There is no Internet, no direct connect or VPN.. this simply works; and its secure.
And which technology enabled it.. AWS Private link !!!
PRIVATE LINK IS THE ONLY TECHNOLOGY THAT ALLOWS 2 VPCS TO CONNECT THAT HAVE OVERLAPPING CIDR RANGES.
A useful way in understanding differences is in how they technically connect private resources to public services.
Gateway Endpoints route traffic by adding prefix lists within a VPC route table which targets the Gateway endpoint. It is a logical gateway object similar to a Internet Gateway.
In contrast, an Interface Endpoint uses Privatelink to inject into a VPC at the subnet level, via an Elastic Network Interface (ENI), giving network interface functionality, and therefore, DNS and private IP addressing as a means to connect to AWS public services, rather than simply being routed to it.
The differences in connections offer differing advantages and disadvantages (availability, resiliency, access, scalability, and etc), which then dictates how best to connect private resources to public services.
Privatelink is simply a very much abstracted technology to allow a more simplified connection by using DNS. The following AWS re:Invent offers a great overview of Privatelink: https://www.youtube.com/watch?v=abOFqytVqBU
As you correctly mentioned in the question that both VPC endpoint and AWS private link do not expose to internet. On AWS console under VPC, there is a clear option available to create an endpoint. But there is no option/label to create AWS private link. Actually, there is one more option/label called endpoint service. Creating endpoint service is one way to establish AWS private link. At one side of this AWS private link is your endpoint service and at the other side is your endpoint itself. And interestingly we create both these sides in two different VPCs. In other words, you are connecting two VPCs with this private link (instead of using internet or VPC peering).
understand like,
VPC1 got endpoint service ----> private link -----> VPC2 got endpoint
Here endpoint service side is service provider while endpoint is service consumer. So when you have some service (may be some application or s/w) that you think other VPC endpoints can consume you create endpoint service at your end and consumers will create endpoints at there end. When consumers create endpoints at their end they have to give/select your service name and thus private link will be established with your service.
Ultimately you can have multiple consumers of your service just like one to many relationship.
I have 1 Lambda Function connected to AWS Oracle RDS. I have exposed lambda to outer world via API Gateway.
How can i access same API Gateway in my EC2 Instance where i have my back-end services running?
[ec2-user#ip-22-22-22-22 dummy]$ ./telnet 10apexecute2.execute-api.eu-west-1.amazonaws.com 443
Trying 55.11.144.98...
Please help
As the account must be restrictive with its outbound communication over internet, the suggested solution would to make use of a VPC endpoint for API Gateway.
Once you create this endpoint, make sure to enable the "Enable Private DNS Name" option to override the DNS resolution for execute-api endpoints to speak to resolve through your VPC endpoint.
More information can be found in this blog post: Introducing Amazon API Gateway Private Endpoints | AWS Compute Blog
What options are available to allow on prem client make requests to VPC Endpoint (interface created for private RestAPI) ?
Do I absolutely need to use Corporate DNS?
If I use corporate DNS, my concern is that all existing requests going to S3 by on prem will suddenly get routed and wont work as expected?
Assuming here that I have also direct connect and transit gateway.
Is a VPC Endpoint even necessary?
Any insight is appreciated.
I'm making the assumption at this point that a VPC Endpoint is the solution for allowing on prem client to make request since it needs some VIP or url to make the request to. How else would I create a private RestAPI without a VPC endpoint?
I am assuming you are asking about Private API Gateway.
In this case VPC Endpoint is mandatory, as it is private.
When you create VPC Endpoint, it will generate some specific DNS names for this endpoint, you can use them to reach your API Gateway.
As you have Direct Connect, your best solution is to use Route53 Resolver.
In this solution your on-premise DNS will forward all resolution names that ends with amazonaws.com to Route53 Resolver.
Please, do not confuse name resolution with network connectivity, resolving names via Direct Connect doesn't mean all services request will flow via Direct Connect.
There is a good whitepapper about this solution:
https://d1.awsstatic.com/whitepapers/hybrid-cloud-dns-options-for-vpc.pdf