I set up an Elastic Beanstalk Flask server and have a public URL. I want to restrict EBS from being accessed publicly, so that it is reachable only through API Gateway.
Can someone help me with a simple, easy procedure to accomplish this? Thank you.
Option One - Certificates
You can generate a self-signed certificate on your API gateway, then give the EBS instance the public key. When your EBS instance is called, your server checks that it has been called by the API gateway (by verifying the certificate).
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Option Two - Virtual Private Cloud
Set up a VPC with your API gateway and EBS instance on a private subnet. Allow public access to the API gateway only.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc.html
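For the certificate option, this is what the check on the Elastic Beanstalk side looks like in Python. It is an added example, not code from the answer above or from AWS: it assumes the PEM client certificate downloaded from API Gateway sits at the path in APIGW_CLIENT_CERT, that the Flask app is served by a TLS listener built from this SSLContext (so TLS terminates on the instance itself), and that SAMPLE_DER is a constructed byte string standing in for a real DER-encoded certificate.

```python
"""Verify on the backend that the TLS client is the API Gateway deployment.

Added example for the certificate option; not code from the original
answer.  Paths and SAMPLE_DER are assumptions/constructed values.
"""
import hashlib
import hmac
import ssl

APIGW_CLIENT_CERT = "/etc/pki/apigw/client.pem"   # assumed path of the PEM from API Gateway
SERVER_CERT = "/etc/pki/tls/server.pem"           # assumed path
SERVER_KEY = "/etc/pki/tls/server.key"            # assumed path

# Constructed stand-in for getpeercert(binary_form=True); not a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x10constructed-not-a-real-cert"


def new_mtls_context() -> ssl.SSLContext:
    """Server context that aborts the handshake unless the client presents a
    certificate validating against the trust anchor loaded by load_material().
    Nothing is read from disk here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # a client certificate is mandatory
    return ctx


def load_material(ctx: ssl.SSLContext, server_cert: str = SERVER_CERT,
                  server_key: str = SERVER_KEY,
                  apigw_cert: str = APIGW_CLIENT_CERT) -> ssl.SSLContext:
    """Load the server's own keypair and trust ONLY the API Gateway client
    certificate (it is self-signed, so it is its own trust anchor)."""
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=apigw_cert)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject clients without a certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER certificate; same digits `openssl x509
    -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time pin check; accepts the colon-separated openssl form too."""
    expected = pinned.lower().replace(":", "")
    return hmac.compare_digest(sha256_fingerprint(der_cert), expected)


def peer_is_api_gateway(ssock: ssl.SSLSocket, pinned: str) -> bool:
    """Call after accept(): chain validation already happened in the
    handshake; pinning the exact certificate additionally rejects any other
    certificate that ended up in the trust file by mistake or after rotation."""
    der = ssock.getpeercert(binary_form=True)
    return der is not None and fingerprint_matches(der, pinned)
```

The check only works where the TLS handshake terminates: a load balancer that terminates HTTPS in front of the instance never hands the client certificate to Flask, so the listener doing the verification has to be on the instance (a WSGI server configured with equivalent settings, e.g. gunicorn's --ca-certs and --cert-reqs, or nginx with ssl_verify_client). Pinning the fingerprint on top of chain validation is cheap and catches a trust file that grew an extra certificate.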
Related
Is there any way to force the use of endpoints (interface endpoints or gateway endpoints) in a VPC or AWS account to make sure EC2 instances never use the public internet to connect to public-facing services in the same region?
If not, is there at least any way to audit / detect which EC2 instance is communicating with a public-facing service over the public internet?
I would like to reach my API Gateway (edge-optimized) from an EC2 instance without an internet connection. Is it possible?
I have attached a PrivateLink endpoint from my EC2 VPC to API Gateway and I'm able to resolve my regional API Gateway but not my edge API Gateway. Why?
Thanks a lot
Your EC2 instance will need access to the public internet (through IGW) to be able to make HTTPS requests and reach any public API (regional or edge-optimized). If your use-case demands the communication to be internal to the VPC (no public internet access), you should consider using private APIs.
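For the audit part of the question (which instances actually talk to public addresses), the following is an added example, not part of the answer above: it scans VPC Flow Log records in the default format and reports, per network interface, the accepted flows whose destination is globally routable. The log lines, interface IDs and the prefix list standing in for a gateway endpoint's managed prefix list are all constructed for the example.

```python
"""Flag EC2 network interfaces that send traffic to public IP addresses,
from VPC Flow Log records in the default (version 2) format.

Added example; the sample log, ENI IDs and GATEWAY_PREFIXES are constructed.
"""
import ipaddress
from collections import defaultdict

# Field order of the default flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: eni-aaa reaches a public address directly; eni-bbb talks
# to an interface endpoint ENI (10.0.3.25), to a gateway-endpoint prefix
# (52.216.0.10, see GATEWAY_PREFIXES) and to the metadata service.  The last
# two lines are an inbound REJECT and a NODATA record, which must be ignored.
SAMPLE_LOG = """\
2 123456789012 eni-aaa 10.0.1.10 93.184.216.34 49152 443 6 10 4000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-aaa 10.0.1.10 10.0.3.25 49153 443 6 5 2000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-bbb 10.0.2.20 10.0.3.25 49154 443 6 5 2000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-bbb 10.0.2.20 52.216.0.10 49155 443 6 5 2000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-bbb 10.0.2.20 169.254.169.254 49156 80 6 2 300 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-aaa 203.0.113.7 10.0.1.10 40000 22 6 3 200 1600000000 1600000060 REJECT OK
2 123456789012 eni-ccc - - - - - - - 1600000000 1600000060 - NODATA
"""

# Constructed stand-in for a gateway endpoint's managed prefix list.  Traffic to
# a gateway endpoint keeps its public destination IP (it is steered by a route
# to the prefix list), so those CIDRs must be exempted or they look like
# public internet traffic.  Interface-endpoint traffic needs no exemption: its
# destination is the endpoint ENI's private IP.
GATEWAY_PREFIXES = [ipaddress.ip_network("52.216.0.0/15")]


def parse_record(line: str):
    """Split one default-format record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def public_egress(log_text: str, exempt_prefixes=()):
    """Map interface_id -> sorted 'dst:port' strings for accepted flows whose
    destination is globally routable and not inside an exempt prefix."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        try:
            dst = ipaddress.ip_address(rec["dstaddr"])
        except ValueError:                      # '-' placeholders, garbage
            continue
        if not dst.is_global:                   # RFC1918, link-local, etc.
            continue
        if any(dst in net for net in exempt_prefixes):
            continue
        hits[rec["interface_id"]].add(f"{dst}:{rec['dstport']}")
    return {eni: sorted(v) for eni, v in hits.items()}


if __name__ == "__main__":
    for eni, dsts in public_egress(SAMPLE_LOG, GATEWAY_PREFIXES).items():
        print(eni, dsts)
```

A NAT gateway does not hide anything from this check: the instance's own ENI still records the public destination address, so instances egressing through NAT show up too. As for forcing endpoint use, there is no account-wide switch; what actually prevents public paths is a subnet route table with no route to an internet gateway or NAT gateway, which leaves only the endpoint routes.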
I have public and private subnets in my VPC. I have some services running on EC2 in the private subnet that need to be accessed by external/mobile resources. How do I do this: is VPC Link and NLB the way to do it, or is there another way, such as creating some access point in the public subnet? Lambda seems to be the answer (for almost everything in AWS now); I'm not sure even how that access works for resources in a private subnet.
Also, the same private subnet has to access external resources (outside of AWS). How do I do this using the API Gateway?
I'm not quite understanding how API Gateway (and Lambda) is situated vis-a-vis VPCs and subnets, and how the network access control functions: can they access private subnets directly or not? The documentation is somewhat silent on this and only talks about IAM; if someone could explain this. Found this on Lambda: AWS Lambda: How to setup a NAT gateway for a lambda function with VPC access.
The documentation says "API Gateway allows you to securely connect ... publicly addressable web services hosted inside or outside of AWS". My resources in Pvt subnet are not publicly addressable - I suppose.
Thanks
Are the services you have running on EC2 offering an API? API Gateway is meant to proxy API requests. It's commonly used in conjunction with Lambda to allow Lambda functions to process HTTP requests. An API Gateway is not necessary for your service. You can simply use an Application Load Balancer (ALB) or an Elastic Load Balancer (ELB). They can reside on a public subnet while your service remains in the private subnet. You can use security groups and VPC routing tables to allow communication from your public ALB/ELB to your private EC2 service.
With Ben's help, here is the answer.
Introducing Amazon API Gateway Private Endpoints
Inbound: Accessing services hosted in Private Subnet via API Gateway
Endpoint integrations inside a private VPC. With this capability, you can now have your backend running on EC2 be private inside your VPC without the need for a publicly accessible IP address or load balancer.
So essentially API Gateway can access published endpoints, even in Private Subnets.
OutBound: Accessing externally hosted services from Private Subnet via API Gateway
API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. When using private DNS, all traffic to that service is directed to the interface endpoint instead of through a default route, such as through a NAT gateway or public IP address.
So you simply need to create a VPC endpoint in the private subnet for API Gateway.
We have an application running on a Windows EC2 instance and we don't have any ELB or ALB for the application.
Can we use AWS private CA on this?
Please refer to this URL:
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
As per this URL, we must use Elastic Load Balancing / Amazon CloudFront / AWS Elastic Beanstalk / Amazon API Gateway / AWS CloudFormation services to integrate AWS Certificate Manager. We are not using any of these services in our application.
Thanks,
Subhadeep
ACM Private CA certificates can be used with any platform, inside or outside of AWS, but this service creates a private certificate authority -- for use in a private infrastructure, like a corporate network.
This is not something used for public web sites.
A private CA handles the issuance, validation and revocation of private certificates within a private network (i.e. not the public internet).
https://aws.amazon.com/certificate-manager/faqs/#acm-private-ca
I have an api that I deploy using elasticbeanstalk, and I wish to make it completely internal so that it cannot be accessed from the public Internet. I am doing this because I only want the service to be accessible via our other services (that each run in their own VPCs and are all deployed via elasticbeanstalk).
Is it possible to use an internal ELB with elasticbeanstalk? Is this even what I need to do? Can VPC peering help me here?
The ultimate aim is that the api needs to have some http resources public and some private. My approach was going to be to make the service private and expose any public resources via API Gateway, but perhaps this is not the right solution. Would it perhaps be better to expose everything through API Gateway, require IAM auth on the private resources and enforce in the api that requests come from API Gateway?
Yes, you can add an ELB to any VPC, including those on private address ranges that are not accessible to the internet.
When configuring your Beanstalk instance, choose an appropriate VPC, unselect "Associate Public IP Address", place an ELB in at least one private subnet and select "Internal" for the ELB visibility.
The VPC configuration page looks like:
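As an added example (not part of the answer above), the same console choices expressed as an .ebextensions option-settings file, so they survive environment rebuilds and code review can see them. The VPC and subnet IDs are placeholders.

```yaml
# .ebextensions/vpc.config  (added example; IDs are placeholders)
# Internal-only Elastic Beanstalk environment: instances get no public IP,
# the load balancer is internal and lives in the same private subnets.
option_settings:
  aws:ec2:vpc:
    VPCId: vpc-0123456789abcdef0
    Subnets: subnet-0a1b2c3d4e5f60001,subnet-0a1b2c3d4e5f60002        # private subnets for instances
    ELBSubnets: subnet-0a1b2c3d4e5f60001,subnet-0a1b2c3d4e5f60002     # private subnets for the ELB
    ELBScheme: internal              # "public" would create an internet-facing ELB
    AssociatePublicIpAddress: 'false'
  aws:elasticbeanstalk:environment:
    EnvironmentType: LoadBalanced
    LoadBalancerType: application
```

With no public IP and no internet-facing ELB, the instances still have to reach S3 (to download the application bundle) and the Elastic Beanstalk service itself, so the private subnets need either a NAT gateway route or VPC endpoints for those services; the vpc.html page linked above covers that requirement. Services in peered VPCs reach the internal ELB by its DNS name once the peering routes and security groups allow the traffic.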