I deployed a lambda to AWS and created an api gateway to access it. I don't want the API gateway to be public because the lambda is only called from one of my ec2 instance. What is the best way to configure it to secure this API? My ec2 instance needs public IP address since I have DNS configure route pointing to it.
Since you are only using the AWS Lambda function from a single Amazon EC2 instance, there is no need to use API Gateway. (API Gateway is normally used to expose an API to a large number of users.)
You can instead invoke an AWS Lambda function directly:
You can use the AWS Command-Line Interface (CLI) by calling aws lambda invoke
You can also use an AWS SDK from a programming language such as Python, Java and Node.js
I would recommend using Private API in Amazon API Gateway,
This will secure your API Gateway and make it accessible only to the resources within your VPC.
It can be further secured using the Security group and Resource Policy for a Private API.
You will need to create an Endpoint to use a Private API Gateway though.
Detailed setup -
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
Related
We have an app consisting of AWS Lambda (and API Gateway) and the Lambda uses credentials stored in AWS Secrets Manager.
Do we need a VPC in this scenario? Or is the communication between the Lambda and Secrets Manager secure since they are on AWS network (and presumably not exposed to the internet)?
AWS PrivateLink can be used to talk to Secrets Manager if the Lambda is in a VPC. But if the Lambda is not in a VPC already, then is this setup considered insecure?
Thanks!
Yes, it's possible. No, it's not insecure. No, it doesn't need VPC (unless the Lambda function itself needs VPC because the Lambda function needs access to private resources e.g. a database server).
If the Lambda function is not configured to connect to your VPC then it will have outbound internet access and can reach the AWS Secrets Manager endpoints over the public internet. That communication is encrypted over TLS/HTTPS.
I can't figure out how to make them talk using API calls. Previously I used API Gateways which would trigger lambdas and that lambdas would interact with dynamodb and other services and send me back json response. Now I want to shift to EC2 instances and totally skip API gateway usage. And let a server I run in ec2 do the computation for me. Do I need to deploy a web service(DJango RESTFUL) in EC2 instance and then use it to call in my frontend? If yes I need little guidance how
And Suppose I want to access s3 storage from my DJango restufl in EC2. Can I do it without having to enter the access key and ID and use roles instead just like how I would access s3 from the ec2 instance without access key and ID. Traditionally with SDK we have to use access key and secret keys to even get authorized to use services in SDK so I was wondering if there was a way to get over this since the program will be running in EC2 instance itself. One really inefficient way will be to run a batch command that makes the EC2 interact with services I need without SDK and with roles instead but It is really inefficient and too much work as far as I can see.
As you are familiar with API Gateway, you can use the same to connect to your EC2 instance, its private integration, with the use of VPC Links.
You can create an API Gateway API with private integration to provide your customers access to HTTP/HTTPS resources within your Amazon Virtual Private Cloud (Amazon VPC). Such VPC resources are HTTP/HTTPS endpoints on an EC2 instance behind a Network Load Balancer in the VPC.
You can go though this document for step by step integration.
If you do not want to use API gateway any more, then you can simply use Route53 to route traffic to EC2 instance, all you need is the IP address of the EC2 instance and a hosted zone created using Route53.
Here is a tutorial for your reference.
I have a ECS fargate container running inside a private VPC which doesn't have internet access. It needs to invoke a lambda via AWS SDK. Based on my understanding, AWS creates a default public endpoint for the lambda and when I call invokeLambda method the traffic will always go to internet. If my understanding is right, that means my Fargate container won't be able to call the lambda. Is it right?
If it is right, what is the alternative solution is? The goal is that the traffic won't go to internet in any chance.
Can I create a private link endpoint for my lambda?
Or create a API gateway with VPC endpoint which connects to lambda?
If my understanding is right, that means my Fargate container won't be able to call the lambda. Is it right?
Yes. Without NAT gateway or instance, you won't be able to directly invoke the lambda function from private subnet.
Can I create a private link endpoint for my lambda?
Sadly no. There are not VPC interface endpoints for lambda.
Or create a API gateway with VPC endpoint which connects to lambda?
Yes, this should be possible by creating private API gateway. The private API would be only accessible from within your VPC. But API gateway to lambda will still probably go over the internet.
The Security Overview of AWS Lambda whitepaper writes:
Invocations from Amazon Kinesis and DynamoDB streams, SQS queues, Application Load Balancer,and API Gateway follow the request-response path
For request-response invocations, the payload passes from the API caller—such as AWS API Gateway or the AWS SDK—to a load balancer, and then to the Lambda invoke service. This service identifies an execution environment for the function, and passes the payload to that execution environment to complete the invocation. Traffic to the load balancer passes over the internet, and is secured with TLS.
I have gone through the Amazon API gateway and lamda and its i understand the combination as lamda proving computation.
Is lamda is providing computation only or it can connect to EC2 linux instance and further to RDS?
Or Amazon API gateway direct connect to EC2 Linux instance?
I am confused?
Can any one help me on this?
Thanks
So in my opinion you are looking at serverless framework which is an API gateway which is configured with stages that send requests to your lambda function.
There is no need for Ec2 instance usage. Lambda function will establish connections with your database and make calls to it. Your database setup can be either private or public.
Additionally, on top of your api gateway you can implement something like cloudfront distribution and WAF which will provide further enhancements to your setup.
Is there a way to set up api gateway endpoint for lambda functions to be only accessible internally ? I don't want it to be expose to the public.
API Gateway has released a new Private Endpoint feature, which makes this possible.
The API Gateway Private Endpoint will only be accessible from VPC and it requires setting up an Interface VPC Endpoints which will be used to access the endpoint. Also, it will be required to setup a Resource Policy to grant access to the API from your VPCs and VPC endpoints.
In order to access the API endpoint from your on premises network, you can either establish a AWS Direct Connect connection or AWS VPN Connection from your on premise to the Amazon VPC.
Unfortunately, no. At the moment API Gateway Invoke URLs are public. Making them private is not possible.
You can secure your API Gateway Rest API using either IAM roles or custom authorizers.
Yes, now you can configure AWS API Gateway with private link. follow the link, but you can only access the endpoint from VPC and if you want to access that end point from your data center you will need Direct Connect.