Is it possible to restrict specific HTTP methods at the ELB level?
We want to allow only HTTP GET through the AWS ELB.
I checked AWS docs and googled but didn’t find any appropriate solution.
If it is not possible, is there any other AWS component using which we can achieve it?
We just want to restrict traffic so that GET calls alone go through the ELB, so that the consumers can only retrieve data.
Thanks a lot for your help.
No, you cannot achieve HTTP method restriction from the load balancer. But you can achieve that using AWS CloudFront.
What you can do is create a CloudFront distribution using the ELB as the origin and select just the GET method in the "Allowed HTTP Method" option in the CloudFront distribution settings. Check screenshot below.
Okay so here is my requirement. I want to have end points for my customers like so:
https://customer-a.mydomain.com
https://customer-b.mydomain.com
Now, when we access the customer-a endpoint above, I expect AWS to route the request to customer A's ECS Fargate service which is load balanced by https://customer-a-elb.mydomain.com
Similarly, when we access the customer-b endpoint above, I expect AWS to route the request to customer B's ECS Fargate service which is load balanced by https://customer-b-elb.mydomain.com
The plan was, from my DNS, I would route everyone who accesses *.mydomain.com (wild card DNS entry) to the same API Gateway in AWS. And let the API Gateway determine which load balancer to route to depending on the base URL.
I was hoping this can be easily achieved using AWS API Gateway but so far I have not been able to find a solution to implement this. From what I understand, it is only possible to do path based routing (as opposed to base URL based routing which is really what I need in this case).
Any hints would be much appreciated.
CLARIFICATION:
Per my requirement, both the customers need to access the same path /myservice but on different ELBs. E.g.
https://customer-a.mydomain.com/service1 -> https://customer-a-elb.mydomain.com/service1
https://customer-b.mydomain.com/service1 -> https://customer-b-elb.mydomain.com/service1
Somehow I think path-based routing can't handle this scenario, as we can define only one route for a path.
API Gateway supports path-based routing, and you can configure which resources will receive incoming API requests based on the URL requested by the client. The following example may help you. (link)
I've been wasting about 12 hours going in circles in what seems like this:
I am trying to just make a simple static landing page in lambda and hook the root of a domain to it.
The landing page works, but API Gateway didn't because AWS doesn't seem to set permissions properly by default ("internal server error" with API Gateway and Lambda on AWS), but now the gateway link works.
So the next steps were the following:
- add a custom domain name in the API Gateway
- add the API mapping in the custom domain name
- in Route 53, create a wildcard certificate with *.domain.com and domain.com
- create an A record that points to the API Gateway with domain.com
- create a CNAME record that points to the A record

and I get an error 403 with absolutely nothing in the log. I log both 'default' and '$default' stages in the API Gateway.
I read https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-403-error-lambda-authorizer/ which is all about looking at what's in the logs...
and I find the doc is both everywhere and nowhere because it's built as chunks of 'do this' and 'do that' without ever painting a whole picture of how each piece is connected to the other, or any graph with the hierarchy of services, etc. Reminds me of code that works only when you follow the example documented and breaks otherwise.
I'm sure I'm doing something wrong, but given the lack of logs and lack of cohesive documentation, I have no idea about the problem.
Not to mention that http doesn't even connect, just https.
Can anyone outline the steps needed to achieve this? essentially: [http|https]://(www).domain.com -> one lambda function
You cannot use API Gateway for an HTTP request; it only supports HTTPS.
From the Amazon API Gateway FAQs (emphasis mine):
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
You can use CloudFront to automatically redirect HTTP to HTTPS. "How do I set up API Gateway with my own CloudFront distribution?" provides a pretty simple walkthrough of connecting an API Gateway to CloudFront (you can skip the API Gateway portion and use the one you created). The important thing you'll need to do that is not in that document is to select "Redirect HTTP to HTTPS".
If you truly need HTTP traffic you're probably going to need to go with an ALB.
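The two CloudFront settings named in the answers above (the allowed HTTP methods on a distribution in front of the ELB, and "Redirect HTTP to HTTPS") can be checked from the distribution's configuration. The following is an added example, not code from any of the posts: it audits the `DistributionConfig` dictionary that `aws cloudfront get-distribution-config` returns, including path-specific cache behaviors, which can re-enable methods that the default behavior blocks. The sample configuration and the function names are constructed for illustration.

```python
# Added example: audit a CloudFront DistributionConfig dict for the allowed
# HTTP methods and the viewer protocol policy of every cache behavior.
READ_ONLY = frozenset({"GET", "HEAD"})  # narrowest method set CloudFront offers


def iter_behaviors(config):
    """Yield (label, behavior) for the default and each path-specific behavior."""
    yield "default", config["DefaultCacheBehavior"]
    for behavior in config.get("CacheBehaviors", {}).get("Items") or []:
        yield behavior["PathPattern"], behavior


def audit_distribution(config, allowed=READ_ONLY):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for label, behavior in iter_behaviors(config):
        extra = sorted(set(behavior["AllowedMethods"]["Items"]) - allowed)
        if extra:
            findings.append(f"{label}: methods outside the allowed set: {extra}")
        if behavior["ViewerProtocolPolicy"] == "allow-all":
            findings.append(f"{label}: plain HTTP is served (allow-all)")
    return findings


# Constructed sample: the default behavior is read-only, but a path-specific
# behavior forwards every method and still serves plain HTTP.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
        "ViewerProtocolPolicy": "redirect-to-https",
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{
            "PathPattern": "/api/*",
            "AllowedMethods": {
                "Quantity": 7,
                "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"],
            },
            "ViewerProtocolPolicy": "allow-all",
        }],
    },
}

if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE_CONFIG):
        print(finding)
```

The audit covers only the distribution: an origin that clients can still reach directly accepts whatever methods it did before, so access to the ELB itself has to be restricted separately.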
Currently I have many AWS Lambdas deployed already, and I am thinking about how to run a performance test for each AWS Lambda. The solution I decided to go with is:
- Expose each API using AWS API Gateway for each AWS Lambda
- Use JMeter (Neoload) to perform a "performance test" for an API.
The approach is working fine except we need to use a generated endpoint from AWS like https://tl8drdruob.execute-api.us-west-1.amazonaws.com/dev. Now I would like to see if we can use Route 53 to route the API or not.
We do have a host zone like abc.awsnonprod.mycompany.net, and I am trying to add a record set to that host zone, but I don't see any of my API Gateway endpoints listed under Alias Target (API Gateway).
Please advise me if I am missing something here.
Thank you
It seems you need to have a custom domain name to map Route 53 to API Gateway.
Please follow "Set Up a Custom Domain Name for an API in API Gateway".
The API Gateway custom domain feature is very likely what you want. It will create a special/internal CloudFront distribution which you can use to manipulate the domain and path. You can even relate it to API Gateway stages. Then you could use Route 53 to CNAME or A (alias) your custom domain to the CloudFront distribution.
I am trying to use API Gateway to validate API keys, and then proxy to an AWS Elasticsearch cluster. I used HTTP {proxy+} mode to successfully do this by leaving Elasticsearch open to the public internet. But I want Elasticsearch to not be available except through the API Gateway, and I can't figure out a way to set the access controls. It's looking like I'll have to resort to using a Lambda to do the proxying but I had been hoping to avoid this and so I'm wondering if there's a way to set the access control policies to use the HTTP {proxy+} approach with appropriate access control.
How to integrate API Gateway with an Application Load Balancer? I have integrated ECS with ALB, now I want to add API Gateway in front without Lambda. But I got confused about how to connect API Gateway with the ALB.
What you're probably looking for is the HTTP Proxy Integration as described here
The basic idea is this:
- Set up your API Gateway with a greedy path like /{proxy+} on the ANY method
- Set the backend endpoint to https://my-alb-endpoint.com/ecs-service-bla/{proxy}
- (hopefully) success
To make this work, your backend needs to be exposed to the internet (or at least reachable for the API Gateway)!
You probably should keep your backend within a locked-down VPC, but for this you're going to need to set up a private integration, which requires a Network Load Balancer. This might be costlier, but would be the recommended approach.
Yes, you can. Inside API Gateway, under integration type, select HTTP and then provide the complete path of the ALB with the endpoint resource.