Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can I specify HTTP endpoint in a VPC as resource in AWS API Gateway?

Tags:

amazon-web-services

aws-api-gateway

amazon-vpc

I have a situation when my product(some Web API) is living inside of VPC, i.e. with no any any external access. I'd like to expose the part of this APIs(just a couple of HTTP methods) to be accessible from the internet. I'm trying to achieve this using AWS API Gateway but it looks like I cannot make internal ELB endpoint the API Gateway resource. Any ideas how can I do this?

Thanks, --Vovan

like image 669
Vovan Kuznetsov Avatar asked Sep 19 '15 17:09

Vovan Kuznetsov

1 Answers

This was originally not possible, and then was solved with support for client certificates that API Gateway could use to authenticate itself to your services. This was a good solution, and is still available, but still required your services to be exposed -- at least in some sense -- to the Internet.

In November, 2017, AWS released a new capability that allows you to actually provision a network path between API Gateway and your internal services.

You can now provide access to HTTP(S) resources within your Amazon Virtual Private Cloud (VPC) without exposing them directly to the public Internet. You can use API Gateway to create an API endpoint that is integrated with your VPC. You create an endpoint to your VPC by setting up a VPC link between your VPC and a Network Load Balancer (NLB), which is provided by Elastic Load Balancing.

https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/

Historical context follows.

As of now, there is no simple and foolproof way to do this, because your services that are accessible to API Gateway need to be accessible via/exposed to the public Internet and there is no built in trust mechanism by which you can be assured that such a request actually originated from any API Gateway deployment, much less your API Gateway deployment.

Amazon seems to have solved the issue of authenticating requests to your back-end services as having assuredly come, not only from API Gateway, but from your API Gateway instance. As before, endpoints still need to be exposed to the Internet, since the source IP address is not predictable -- but API gateway now supports client SSL certificates, which the back-side of API Gateway uses to authenticate itself to the front-side of your back-end service, that API gateway is calling.

Q: Can Amazon API Gateway work within an Amazon VPC?

No. Amazon API Gateway endpoints are always public to the Internet. Proxy requests to backend operations also need to be publicly accessible on the Internet. However, you can generate a client-side SSL certificate in Amazon API Gateway to verify that requests to your backend systems were sent by API Gateway using the public key of the certificate.

Q: Can I verify that it is API Gateway calling my backend?

Yes. Amazon API Gateway can generate a client-side SSL certificate and make the public key of that certificate available to you. Calls to your backend can be made with the generated certificate, and you can verify calls originating from Amazon API Gateway using the public key of the certificate.

— https://aws.amazon.com/api-gateway/faqs/#security

When you generate a client certificate in the API Gateway console, you're provided with the public key for that certificate. For security, the private key is retained by API Gateway and is not accessible to you. API Gateway will present the public key to your back-end when negotiating SSL. Any peer not presenting that same public key is not API gateway, and your back-end should deny SSL negotiation.

If a malicious actor should ever come into possession of the public key, they would not still be able to communicate with your back-end over SSL, because they would lack the mated private key, which is only known to API Gateway. (Your side of the interaction would be encrypted using your SSL certificate and it's mated private key, which is of course, known only to you.)

This capability addresses what previously appeared to be a significant limitation of the utility of API Gateway's HTTP proxy functionality... a limitation of such significance, in fact, that when I discovered the revised information, above, I began to doubt myself: Had this been there all along, and I had somehow managed to overlook it? The Wayback Machine says no, it's new. This information was added in September, 2015.

like image 85
Michael - sqlbot Avatar answered Jan 31 '23 13:01

Michael - sqlbot
Sign in to Comment

Related questions

AWS batch - how to limit number of concurrent jobs
Amazon Athena: Convert bigint timestamp to readable timestamp
CloudFront how to setup reverse proxy on an existing distribution serving website from S3
How to set proxy on AWS Java SDK v2 Apache client
What the settings mean in AWS Cognito User Pool App Client
How can I access my AWS MSK managed kafka queue from my local machine and EC2 instances in other regions
AWS SSL with Google Domain for static website in S3
How to set Cache-Control Header in amazon cloudfront?
How to throttle AWS Lambda or API Gateway by IP?
What permission is needed to use S3 listObjectVersions in AWS?
Troubleshooting ssh login failure for AWS EC2 using powershell
How do I get AWS EC2 to not reset my sshd_config file?
Pushing to an existing AWS Elastic Beanstalk application from the command line
Does AWS Redshift supports postgis extensions?
EC2 with socket.io
What are the advantages of HAproxy over AWS ELB?
Docker build npm error logs
Creating Signed Cookies for Amazon CloudFront
login using "ec2-user" instead of root using user data in aws
How to download GZip file from S3?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!