TLS connection from API Gateway to Ingress - amazon-web-services

I am using AWS API Gateway to connect to Kubernetes Ingress via VPC Link. I want to set up a TLS connection between API Gateway and Ingress. How can I do this in AWS? All the external connections to API Gateway use a proper public certificate and SSL termination is happening at the API Gateway level. I am trying to avoid sending unencrypted traffic from API Gateway to Ingress. Is it possible to set up a self-signed or ACM-based certificate from API Gateway?

Consider using Ambassador for that purpose. You can read about it in this tutorial.
Additional links:
Enabling HTTPS in Ambassador
Ambassador on AWS

Related

AWS API Gateway infront of AWS ALB (Ingress Controller) for EKS

I am trying to understand the use of API Gateway along with AWS ALB (Ingress Controller) for the EKS cluster.
Let's say there are 10 microservices in the AWS EKS cluster running on 10 pods. The EKS cluster is in a private VPC.
I can create a Kubernetes Ingress which will create an ALB and provide rule-based routing. The ALB will be in a public VPC and I believe AWS will allocate a public IP to the ALB. I can configure the ALB behind Route53 to access it using the domain name. My understanding says that ALB supports multiple features including host- or path-based routing, TLS (Transport Layer Security) termination, WebSockets, HTTP/2, AWS WAF (Web Application Firewall) integration, integrated access logs, and health checks.
So, security-wise there should not be any challenge. Am I wrong?
Please refer to the link for the above-mentioned solution architecture.
Is there any specific use case where I need to use AWS API Gateway in front of AWS ALB in the above-mentioned architecture?
What additional benefits does AWS API Gateway have along with AWS ALB?
Should I put the AWS ALB in the private VPC if I decide to use AWS API Gateway in front of it?
With API GW you will get rate limiting and throttling, and if you want to authenticate and authorize requests based on OAuth or any other auth model, that can be done with API GW.

Internal AWS TLS Certificates

We have a microservice architecture and are trying to deploy on AWS while leveraging its API Gateway.
Our API Gateway is using a public TLS certificate for client requests, but we wonder how we should be encrypting the communication from the API Gateway to the Load Balancer and then to the services. The API Gateway can also issue "Client Certificates", but it's not clear how we should utilize that.
We are hoping not to have a private CA on AWS as it is quite costly and we don't have any burning use for it.
I think the traffic between API Gateway and internal AWS services is always going through HTTPS. This is based on the comments from BobK#AWS:
HTTPS is used for traffic between CloudFront and API Gateway. Communication from API Gateway to other services, such as Lambda, is also over HTTPS.
The only time API Gateway would not use SSL is if you configured an HTTP integration and chose not to enable HTTPS on that integration.

Istio, customized egress with mTLS and existing cert

I am new to Istio and want to configure an egress gateway to access an external service with mTLS enabled.
First, how can I set a secret for the cert? I was trying to use a bsdssl.com cert but no luck. Does anyone have a suggestion on how to test mTLS through an egress gateway?
I am also not well versed with certificates.
Thank you
Your question is not very clear, but if you are asking how to configure an egress gateway to access an mTLS secured external service, you can find an example here.

Restrict access to AWS ELB from gateway API only

I want AWS Gateway API to be the entry point of my application cluster. I have 20+ machines running in my VPC which are required for various purposes (RMQ, Worker, etc). I was expecting Gateway API to offload the SSL, authenticate requests with AWS signature and then forward them to my ELB. And then, some way to secure my internet-facing ELB to accept requests just from API Gateway. Turns out it's not possible. I have to run SSL on my deployed NGINX server and use AWS client certificate authentication to validate the origin of requests. This still keeps my endpoints exposed to DDoS and there is the overhead of SSL as well.
Now, with the newly launched network load balancer and VPC link at the Gateway API level, is it possible to achieve the above?

How to check if HTTP request is originating from AWS API Gateway?

I use AWS API Gateway that proxies HTTP queries to my services. How could my services check that HTTP requests are originating from AWS API Gateway?
You can use client-side certificates to authenticate requests between API Gateway and your server.
http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
You can use API Gateway to generate an SSL certificate and use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway. This allows your HTTP backend to control and accept only requests originating from Amazon API Gateway, even if the backend is publicly accessible.
The SSL certificates that are generated by API Gateway are self-signed and only the public key of a certificate is visible in the API Gateway console or through the APIs.
Since Nov 30, 2017, Amazon API Gateway supports Endpoint Integrations with Private VPCs.
You create an endpoint to your VPC by setting up a VPC link between your VPC and a Network Load Balancer (NLB), which is provided by Elastic Load Balancing. The NLB sends requests to multiple destinations in your VPC such as Amazon EC2 instances, Auto Scaling groups, or Amazon ECS services.
How to Set up API Gateway Private Integrations
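The two answers above (traffic stays on HTTPS unless an HTTP integration is configured without it, and a stage-level client certificate lets a backend tell API Gateway traffic from anyone else's) describe configuration state that can be audited. The script below is an added example, not code from the page or from AWS: it checks exported stage and integration definitions for plaintext backend URIs and for internet-facing HTTP backends on a stage that has no client certificate. The input dicts are constructed to mirror the field names of `aws apigateway get-stage` and `aws apigateway get-integration` output (`clientCertificateId`, `type`, `uri`, `connectionType`); the `route` key is a hypothetical label added for reporting, and no AWS API is called.

```python
"""Audit API Gateway REST stage/integration definitions for two backend risks:
plaintext HTTP integrations and public HTTP backends without a client certificate.
Added example; the sample data below is CONSTRUCTED, not taken from a real account."""
from urllib.parse import urlsplit

# Integration types that forward to an HTTP backend. AWS/AWS_PROXY go to AWS
# services over HTTPS and MOCK never leaves API Gateway, so they are skipped.
HTTP_TYPES = {"HTTP", "HTTP_PROXY"}

PLAINTEXT = "plaintext integration: API Gateway forwards this route over HTTP"
NO_CLIENT_CERT = "internet-facing backend but the stage has no client certificate"


def audit_stage(stage: dict, integrations: list) -> list:
    """Return (route, finding) tuples for a stage and the integrations behind it.

    stage:        dict shaped like `aws apigateway get-stage` output
    integrations: dicts shaped like `aws apigateway get-integration` output,
                  each carrying a hypothetical 'route' key such as "GET /orders"
    """
    findings = []
    has_client_cert = bool(stage.get("clientCertificateId"))
    for integ in integrations:
        route = integ.get("route", "<unknown>")
        if integ.get("type") not in HTTP_TYPES:
            continue
        # API Gateway only uses TLS toward the backend when the integration URI is https://
        scheme = urlsplit(integ.get("uri", "")).scheme.lower()
        if scheme != "https":
            findings.append((route, PLAINTEXT))
        # Without a stage client certificate, a public backend cannot distinguish
        # API Gateway's requests from direct requests by anyone on the internet.
        if integ.get("connectionType", "INTERNET") == "INTERNET" and not has_client_cert:
            findings.append((route, NO_CLIENT_CERT))
    return findings


# Constructed sample: a stage with no client certificate and three integrations.
SAMPLE_STAGE = {"stageName": "prod", "clientCertificateId": None}
SAMPLE_INTEGRATIONS = [
    {"route": "GET /orders", "type": "HTTP_PROXY", "connectionType": "VPC_LINK",
     "uri": "http://orders.internal.example:8080/orders"},   # plaintext over the VPC link
    {"route": "GET /users", "type": "HTTP_PROXY", "connectionType": "INTERNET",
     "uri": "https://users.example.com/users"},             # TLS, but no client cert
    {"route": "POST /events", "type": "AWS_PROXY",
     "uri": "arn:aws:apigateway:PLACEHOLDER_REGION:lambda:path/2015-03-31/functions/PLACEHOLDER/invocations"},
]


def main() -> None:
    for route, finding in audit_stage(SAMPLE_STAGE, SAMPLE_INTEGRATIONS):
        print(f"{route}: {finding}")


if __name__ == "__main__":
    main()
```

Run against real exports, the dict for each integration comes from `aws apigateway get-integration` for every resource and method of the API; a finding of `PLAINTEXT` on a VPC-link route is the "unencrypted traffic from API Gateway to Ingress" case from the first question, since the NLB passes TCP through unchanged.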