Istio, customized egress with mTLS and existing cert - istio

I am new to Istio and want to configure an egress gateway to access an external service with mTLS enabled.
First, how can I set the secret for the cert? I was trying to use a bsdssl.com cert but had no luck. Does anyone have a suggestion on how to test mTLS through an egress gateway?
I am also not well versed with certificates.
Thank you

Your question is not very clear, but if you are asking how to configure an egress gateway to access an mTLS-secured external service, you can find an example here.
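As an added illustration (not the answer's linked example or Istio's own files), the two pieces the question asks about: loading an existing client cert, key and CA into a secret, and a DestinationRule that makes the egress gateway originate mTLS with it. The host name my-service.example.com, the secret name client-credential and the *.pem file names are assumptions; everything lives in istio-system, the egress gateway's namespace.

```yaml
# Added example, not from the original answer. Assumed names:
# my-service.example.com (external mTLS server), client-credential (secret),
# client.key.pem / client.crt.pem / ca.crt.pem (existing cert material).
#
# 1. Put the client certificate, its private key and the CA that signed the
#    external server's certificate into a generic secret in the gateway's
#    namespace. The keys tls.key / tls.crt / ca.crt are the ones Istio's
#    secret discovery (SDS) reads; ca.crt is what the server cert is verified
#    against, so the egress gateway will refuse an unexpected server.
#
#    kubectl create secret generic client-credential -n istio-system \
#      --from-file=tls.key=client.key.pem \
#      --from-file=tls.crt=client.crt.pem \
#      --from-file=ca.crt=ca.crt.pem
#
# 2. Register the external host so the mesh knows it and how to resolve it.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: my-service-example-com
  namespace: istio-system
spec:
  hosts:
  - my-service.example.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
# 3. Make the egress gateway originate mTLS to that host with the secret above.
#    credentialName is only honoured on gateway workloads, so the rule must
#    carry a workloadSelector that matches the egress gateway pods.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-my-service
  namespace: istio-system
spec:
  workloadSelector:
    matchLabels:
      istio: egressgateway
  host: my-service.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL                      # present client cert, verify server against ca.crt
        credentialName: client-credential # the secret created in step 1
        sni: my-service.example.com
```

The Gateway, VirtualService and the ISTIO_MUTUAL DestinationRule that steer sidecar traffic to the egress gateway are the standard egress-gateway setup and are unchanged here, so they are omitted. A quick check that the secret is being used is to curl the external host from a sidecar-injected pod and confirm in the egress gateway's access log that the request left via the gateway rather than directly.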

Related

AWS ALB behind a Third party WAF (and SSL Offloading)

I have running private EC2 instances (Windows Server 2012 IIS) behind a public Application Load Balancer. While I can access the web services on the internet via port 80/HTTP, I wanted to allow 443/HTTPS as well, but I wanted my third-party WAF (such as Cloudflare or Akamai) to offload the SSL.
I've already set up the SSL offloading on the WAF. On the AWS ALB I've enabled the ALB security group to allow port 443/HTTPS from 0.0.0.0/0, but to no avail (although I can still access the web via port 80/HTTP). I will really appreciate it if you could point me to what steps I need in the AWS ALB to allow HTTPS behind a WAF. I also tried to create a 443 listener on the AWS ALB; however, it still requires me to have my SSL cert imported as well, hence redundant since in essence the ALB will SSL offload as well.
This is the basic overview of my design
Cloudflare WAF ---> AWS ALB ----> Private EC2 Instances/Servers
Really appreciate all your feedback! Thank you
To make the infrastructure work, you should remove the HTTPS (443) listener from the ALB and use HTTP (80) traffic between the third-party WAF and the ALB.
However, the traffic between the WAF and the ALB will be insecure in this way. I am also building similar infrastructure and still trying to figure out a more secure solution.

AWS API Gateway in front of AWS ALB (Ingress Controller) for EKS

I am trying to understand the use of API Gateway along with AWS ALB (Ingress Controller) for the EKS cluster.
Let's say,
there are 10 microservices in the AWS EKS cluster running on 10 pods. The EKS cluster is in a private VPC.
I can create a Kubernetes Ingress which will create an ALB and provide rule-based routing. The ALB will be in a public VPC and, I believe, AWS will allocate a public IP to the ALB. I can configure the ALB behind Route53 to access it using the domain name. My understanding is that the ALB supports multiple features including host- or path-based routing, TLS (Transport Layer Security) termination, WebSockets, HTTP/2, AWS WAF (Web Application Firewall) integration, integrated access logs, and health checks.
So, security wise there should not be any challenge. Am I wrong?
Please refer to the Link for the above-mentioned solution architecture.
Is there any specific use case where I need to use AWS API Gateway in front of AWS ALB in the above-mentioned architecture?
What are additional benefits the AWS API Gateway has along with AWS ALB?
Should I put the AWS ALB in the private VPC if I decide to use AWS API Gateway in front of it?
With API GW you will get rate limiting and throttling, and if you want to authenticate and authorize requests based on OAuth or any other auth model, that can be done with API GW.

How to use an AWS network load balancer to send traffic to a non-AWS endpoint

I think I have a very unusual request.
We want to use an AWS network load balancer to send traffic to 2 endpoints in a non-AWS environment. So the endpoints are not in an AWS VPC.
The requirement is that calls to the 2 endpoints must be round-robin. Both endpoints are HTTP POST endpoints; they have different hostnames but the URL prefix is the same. Something like this:
Endpoint 1 = http://www.example1.com/test/uri and Endpoint 2 = http://www.example2.com/test/uri .
I am struggling in the AWS console and have tried things with the AWS network load balancer, creating a target group and an API gateway with an HTTP API and a REST API, but I can't get it working.
I think it is not possible to achieve such a configuration in AWS, but maybe somebody has an idea how to solve this?
You can't do this directly. It is explained in the AWS docs:
You can't specify publicly routable IP addresses.
You would have to set up a VPN or some other type of proxy on AWS to route your connections to these public endpoints.

TLS connection from API Gateway to Ingress

I am using AWS API Gateway to connect to a Kubernetes Ingress via VPC Link. I want to set up a TLS connection between API Gateway and the Ingress. How can I do this in AWS? All the external connections to API Gateway use a proper public certificate and SSL termination is happening at the API Gateway level. I am trying to avoid sending unencrypted traffic from API Gateway to the Ingress. Is it possible to set up a self-signed or ACM-based certificate from API Gateway?
Consider using Ambassador for that purpose. You can read about it in this tutorial.
Additional links:
Enabling HTTPS in Ambassador
Ambassador on AWS

Authenticate on an EB environment by using client-side SSL authentication for Amazon API Gateway

I am working with AWS API Gateway and an Elastic Beanstalk environment. What I want to make sure of in the Elastic Beanstalk environment is that the request is served only for AWS API Gateway.
So Amazon suggested client-side SSL certificate authentication. The problem I'm facing with this is that even if I configure Amazon API Gateway to provide a certificate on an HTTPS connection, it will give the certificate to the load balancer, and the load balancer will give its own certificate to my EC2 instance.
So in this scenario, I never receive the SSL certificate of API Gateway. Please help me here or provide me with a better solution.
I don't want to remove my load balancer in this scenario as it is helpful for me.
As far as I know, the key with using ELB is to switch the ELB to TCP mode (not HTTP) so that the SSL handshake is actually done on the EC2 instances. That way you can verify on the hosts and treat the ELB as just a simple TCP load balancer.
Some helpful info here: Support for two-way TLS/HTTPS with ELB