I have Elastic Beanstalk (EB) with Elastic Load Balancers (ELB) in public subnet and EC2 instances in private subnet. API Gateway sends requests to ELB via HTTP.
I've set the client-side certificate on EB so that only requests from API Gateway are accepted, so access to my EB is restricted.
Do I also need to set up typical HTTPS between API Gateway and EB? Or is the configuration with HTTP safe enough when access to EB is restricted to API Gateway only?
While HTTPS is not strictly necessary, it is definitely preferred.
There is currently no way to restrict access to your EB such that only API Gateway can access it. We are working on VPC support which would obviate the need for making your EB publicly accessible (and with HTTPS), but I can't comment as to when this would be available.
In the meantime, our current suggested best practice is HTTPS with your backend configured to accept client certificates.
Related
I have an API deployed to an EC2 instance (AWS), which is based on HTTP.
Now, there is a front-end that wants to access my API. The front-end is a web app hosted on another server, which is based on HTTPS. Due to the difference in the protocols (at least that is what I can guess), the browser complains about the security.
Now I want to create an API gateway, which connects HTTPS and my HTTP API.
Is there an easy way to do it with AWS?
There are some simple methods to make a secured connection.
1. No extra cost. Create a free SSL certificate using Certbot or something else and integrate it in your application API on EC2 (in case you point your app directly to the EC2 instance).
2. No extra cost. Create a free SSL certificate with API Gateway and configure your API to use that certificate.
3. (Recommended) Generate a certificate using AWS Certificate Manager. Create a load balancer, create an HTTPS listener on port 443 and add that cert to the listener. Create a rule in that HTTPS listener to forward requests to a target group with your instance (or attach an Auto Scaling group). You can also use method 1 to secure the connection between your EC2 instance and your load balancer.
4. Similar to method 2, but add the certificate to CloudFront and make your load balancer an origin of CloudFront.
If you want to use API Gateway, it's recommended to use Lambda instead of EC2. Lambda is highly available, lower cost, automatically scalable and easier to integrate with API Gateway.
Try this if you still want to use EC2
I am trying to understand the use of API Gateway along with AWS ALB (Ingress Controller) for the EKS cluster.
Let's say,
there are 10 microservices in the AWS EKS cluster running on 10 pods. The EKS cluster is in Private VPC.
I can create a Kubernetes Ingress which will create an ALB and provide rule-based routing. The ALB will be in the public VPC and I believe AWS will allocate a public IP to the ALB. I can configure the ALB behind Route53 to access it using the domain name. My understanding is that ALB supports multiple features including host- or path-based routing, TLS (Transport Layer Security) termination, WebSockets, HTTP/2, AWS WAF (Web Application Firewall) integration, integrated access logs, and health checks.
So, security wise there should not be any challenge. Am I wrong?
Please refer to the link for the above-mentioned solution architecture.
Is there any specific use case where I need to use AWS API Gateway in front of AWS ALB in the above-mentioned architecture?
What are additional benefits the AWS API Gateway has along with AWS ALB?
Should I put the AWS ALB in the private VPC if I decide to use AWS API Gateway in front of it?
With API GW you will get rate limiting and throttling, and if you want to authenticate and authorize requests based on OAuth or any other auth model, that can be done with API GW.
I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now, this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but the AWS API Gateway IP changes all the time. I also tried using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that load balancer!
Thanks in advance for the help!
You can do this by using a Network Load Balancer.
Create an internal network load balancer and have your containers be added to its target group.
Then in API Gateway create a VPCLink to your Network Load Balancer. Then use the VPCLink within your API Gateway setup.
More instructions available here.
You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control in order to understand how you can enable endpoint private access for your cluster.
I want AWS API Gateway to be the entry point of my application cluster. I have 20+ machines running in my VPC which are required for various purposes (RMQ, workers, etc.). I was expecting API Gateway to offload the SSL, authenticate the request with the AWS signature and then forward it to my ELB. And then, some way to secure my internet-facing ELB to accept requests just from API Gateway. Turns out it's not possible. I have to run SSL on my deployed NGINX server and use AWS client certificate authentication to validate the origin of the request. This still keeps my endpoints exposed to DDoS and there is the overhead of SSL as well.
Now, with the newly launched Network Load Balancer and VPC Link at the API Gateway level, is it possible to achieve the above?
Suppose I have a RESTful API that sits on a Windows EC2 cluster, behind an ELB. The existing API is a .NET application and hosted in IIS.
I want to try and put AWS API Gateway in front of the existing API, so that security, scalability, etc. are handled by AWS. Essentially, set up AWS API Gateway as an HTTP proxy to the existing API.
From the AWS documentation it states that the existing API must be made public. But it should be secured by verifying the calls are originating from Amazon API Gateway by checking the client side certificate.
http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
However, the SSL connections for the existing API are terminated at the ELB. Hence, when we check the client certificate on the request in code, it doesn't exist.
What would need to be done to get the client certificate at the EC2/IIS/code level?
Or is there an alternative way to secure the existing API and ensure AWS API Gateway can still communicate with it?
You will need to set up your ELB to do TCP-based load balancing and terminate the SSL connection on your IIS/EC2 hosts. This will require distributing the SSL certificate to the hosts and configuring them to bind the certificate to the appropriate port.
Usually people prefer to offload SSL at their API gateway to save administrative overhead since ELB termination effectively moves the management to a single point in the infrastructure, rather than requiring management of the SSL certs on multiple servers.
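A sketch, added here and not taken from any of the posts above, of what the backend has to do once TLS terminates on the host rather than at the ELB, as the answers about client certificates recommend: pin the self-signed client certificate API Gateway generates and refuse every other client. The certificates are minted in-process as constructed stand-ins, and backendTLS and verifyClient are hypothetical names, not an AWS or Go API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newSelfSignedCert mints an ephemeral self-signed certificate for cn, standing in for the
// (also self-signed) client certificate API Gateway generates; generation failure is fatal.
func newSelfSignedCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

// backendTLS is the listener config the EC2 host itself runs once the ELB passes TCP through:
// TLS ends here, and the handshake is refused unless the pinned gateway certificate is shown.
func backendTLS(gatewayLeaf *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(gatewayLeaf) // in production: the PEM downloaded from the API Gateway console
	// A real listener also sets Certificates (the server's own certificate and key).
	return &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
}

// verifyClient is the check crypto/tls applies to the presented certificate under that setting.
func verifyClient(cfg *tls.Config, presented *x509.Certificate) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Because the gateway certificate is self-signed, it is pinned as the leaf itself rather than as a CA, so a second certificate with the same CommonName but a different key is rejected along with everything else.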
It also helps if you have an EC2 cluster managed by some orchestrator (ECS, Kubernetes, Docker Swarm). As you already mentioned that API Gateway to load balancer is secured by SSL certificates, you can add an access policy at the load balancer to provide the required permission to interact with your EC2 cluster; while your EC2 instances exist in a private VPC, you may not need to add certificates to your EC2 machines as all communication is already secured.
Hope it makes sense.