I am trying to use API Gateway to validate API keys, and then proxy to an AWS Elasticsearch cluster. I used HTTP {proxy+} mode to successfully do this by leaving Elasticsearch open to the public internet. But I want Elasticsearch to not be available except through the API Gateway, and I can't figure out a way to set the access controls. It's looking like I'll have to resort to using a Lambda to do the proxying but I had been hoping to avoid this and so I'm wondering if there's a way to set the access control policies to use the HTTP {proxy+} approach with appropriate access control.
Related
I've been wasting about 12 hours going in circles in what seems like this:
I am trying to just make a simple static landing page in lambda and hook the root of a domain to it.
The landing page works, but api gateway didn't because AWS doesn't seem to set permissions properly by default ("internal server error" with API gateway and lambda on AWS) but now the gateway link works.
So the next steps were the following:
add a custom domain name in the api gateway
add the api mapping in the custom domain name
in route 53, create a wildcard certificate with *.domain.com and domain.com
create an A record that points to the api gateway with domain.com
create a CNAME record that points to the A record
and I get an error 403 with absolutely nothing in the log. I log both 'default' and '$default' stages in the api gateway.
I read https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-403-error-lambda-authorizer/ which is all about looking at what's in the logs...
and I find the doc is both everywhere and nowhere because it's built as chunks of 'do this' and 'do that' without ever painting a whole picture of how each piece is connected to the other, or any graph with the hierarchy of services, etc. Reminds me of code that works only when you follow the example documented and breaks otherwise.
I'm sure I'm doing something wrong, but given the lack of logs and lack of cohesive documentation, I have no idea about the problem.
Not to mention that http doesn't even connect, just https.
Can anyone outline the steps needed to achieve this? essentially: [http|https]://(www).domain.com -> one lambda function
You cannot use API Gateway for an HTTP request; it only supports HTTPS.
From the Amazon API Gateway FAQs (emphasis mine):
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
You can use CloudFront to automatically redirect HTTP to HTTPS. How do I set up API Gateway with my own CloudFront distribution? provides a pretty simple walkthrough of connecting an API Gateway to CloudFront (you can skip the API Gateway portion and use the one you created). The important thing you'll need to do that is not in that document is to select Redirect HTTP to HTTPS.
If you truly need HTTP traffic you're probably going to need to go with an ALB.
How to integrate API gateway with application load balancer? I have integrated ECS with ALB, now I want to add API gateway in front without lambda. But I got confused how to connect API gateway with ALB..
What you're probably looking for is the HTTP Proxy Integration as described here
The basic idea is this:
Set up your API-Gateway with a greedy path like /{proxy+} on the ANY Method
Set the backend-endpoint to https://my-alb-endpoint.com/ecs-service-bla/{proxy}
(hopefully) success
To make this work, your backend needs to be exposed to the internet (or at least reachable for the API Gateway)!
You probably should keep your backend within a locked down VPC, but for this you're going to need to set up a private integration, which requires a Network Load balancer - this might be costlier, but would be the recommended approach.
Yes you can do . Inside API Gateway under integration type select HTTP and then provide complete path of ALB with endpoint resource.
I have a spring boot rest project which is running successfully, and I am getting success response on http://localhost:8080/students. How can I expose this SpringBoot REST API into a private AWS API GATEWAY? I have to expose the REST API service, and I have to give the endpoints to the client, to access this service. I have no idea how to present and create endpoints in AWS API GATEWAY!
API Gateway will work as mediator between clients and your application. So in the first place your application should be exposed so AWS Gateway could make a call to it.
If you are running application on your local pc you need to expose it to Internet by setting static IP and openning corresponding ports in firewall if you have one. This may works for debug/testing purpose, but in general it is bad because you will expose your application to Internet and client services would have possibility to connect to it directly, instead of gateway.
Other and more proper on my opinion would be to run your application in AWS EC2 instance or in AWS beanstalk. In this case you can configure private endpoint for your application and make it available only through API Gateway. Here you can find more details https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/
So let's suppose you have your application up and running and available for API Gateway. In this case you will need to perform :
Create API in API Gateway
Create resources, i.e. path /user would be user resource
For each resource create a method, i.e. GET, POST, etc. Select integration type HTTP for your methods and set the endpoint it will use
Deploy API to staging
I need to make a secure HTTP callout from Salesforce (using Apex) to AWS Lambda and I build my first version using AWS API Gateway. I realized I can get a client certificate from API Gateway (.crt) but this looks like it is only for AWS backend and is not meant to be for the HTTP request sent to API Gateway. What are my alternatives to establish a secure connection from outside AWS (Salesforce) to a Lambda function?
So far I've found this, which is a disappointing dead-end for now.
Like the link you posted says, API Gateway does not currently support MTLS. Other options for you to add security to the calls at the moment are:
IAM permissions, and here.
API Gateway custom authorizers.
Cognito User Pools.
If you need a custom domain associated with the API Gateway:
Go to Route53 and add your domain (new Hosted Zone), if you haven't done it already.
On AWS Certificate Manager, import or request a certificat for the custom domain you intend to use in your API Gateway endpoints.
Open the API Gateway dashboard and go to "Custom Domain Names". Click "Create a custom domain name" and, in the option "ACM Certificate (region)", select the certificate you generated/imported in item 2 above.
That's it, now you should be able to trigger your Lambda functions using API Gateway from a secure connection (HTTPS). Please note that, if you do this, API Gateway will refuse connections over insecure HTTP protocol.
I have a confusing scenario. I am new to AWS. I have some available services written in java jersy and I have them deployed on an Ec2 instance.
I am asked to use API gateway to call these services rather than calling them directly. So for instance if I have a service as follows:
http://domainname/article/2
I want the front end to first call the following endpoint of API gateway:
https://my-api-id.execute-api.region-id.amazonaws.com/stage-name/article
and then the above API Gateway end point call the my service.
What I am thinking is there is a http proxy in integration type when I try to create the API gateway resource. I assume this can fit my purpose but I am not sure about it and I am totally confused.
Can anyone shed light on how I can achieve that?
In the API Gateway Console, create a resource (eg. /v1/user/info) and method (eg. GET/POST etc).
Select Integration Request
You can then configure a an HTTP Proxy or a Lambda function any other AWS Resource. In your case, you want this to be pointing to your EC2 hosted URL.