 

Private API Gateway with Serverless Framework

I have my internal network in an AWS VPC (10.0.0.0/16) and I want to create an AWS API Gateway within this private network, thus no public hostnames/IPs.

Here is what I tried

service: apollo-lambda1
provider:
  name: aws
  runtime: nodejs8.10
  role: arn:aws:iam::xxx:role/admin-api-lambda-role
  region: ap-southeast-1
  private: true
  vpc:
    securityGroupIds:
      - sg-xxxxx
    subnetIds:
      - subnet-xxx

sg-xxxxx is a security group that allows only IPs from 10.0.0.0/16. It doesn't help.

I also tried adding the following, but it still exposes a public IP to the world...

resourcePolicy:
    - Effect: Allow
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        IpAddress:
          aws:SourceIp:
            - "10.0.0.0/16"

UPD: Tried this combination, didn't work out. Now the DNS name cannot be resolved

  endpointType: PRIVATE
  resourcePolicy:
    - Effect: Allow
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        IpAddress:
          aws:SourceIp:
            - some ip here
Artem Ibragimov asked Nov 07 '22 13:11



1 Answer

I know that it has been a while since this question was asked, but I wanted to write an answer anyway.

  1. The security group will never help you block outside access to the API.
  2. If you want to block outside access, you could block by IP in the resource policy, or create a WAF on top of API GW.
  3. You could also use a PRIVATE endpoint with the restriction and a VPC endpoint.

Using the resource policy:

provider:
  name: aws
  runtime: nodejs12.x
  region: us-west-2
  stage: dev
  resourcePolicy:
    - Effect: Allow
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        IpAddress:
          aws:SourceIp:
            - "10.0.0.0/16"

Using a private endpoint with a resource policy and a VPC Endpoint

provider:
  name: aws
  runtime: nodejs12.x
  region: us-west-2
  stage: dev
  endpointType: PRIVATE
  vpcEndpointIds:
    - vpce-XXXXX
  resourcePolicy:
    - Effect: Allow
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        IpAddress:
          aws:SourceIp:
            - "10.0.0.0/16"

At the moment of writing this solution, I am using the first example with extra IP addresses, because it is the solution I have in order to test the endpoints with our QA team from a fixed IP address. I hope that this solution helped someone.

CTala answered Nov 15 '22 07:11

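The answer's two serverless.yml variants differ in what API Gateway actually compares the resource policy against, and that is where both the original attempts went wrong. On a public (EDGE/REGIONAL) endpoint the `aws:SourceIp` condition sees the client's public address: a client inside the VPC reaches the public hostname through an internet gateway or NAT gateway, so it shows up with its public IP, and a policy that only allows 10.0.0.0/16 rejects it along with everyone else (the hostname stays publicly resolvable either way, which is what the question observed). On a PRIVATE endpoint the API is reachable only through an execute-api interface VPC endpoint, a resource policy is mandatory, and the condition key AWS documents for pinning the policy to that endpoint is `aws:SourceVpce`. The "DNS name cannot be resolved" symptom in the question's last attempt is the expected result of declaring `endpointType: PRIVATE` without such an endpoint: inside the VPC the usual `{api-id}.execute-api.{region}.amazonaws.com` name resolves only when the interface endpoint has private DNS enabled, otherwise the endpoint-specific name `{api-id}-{vpce-id}.execute-api.{region}.amazonaws.com` must be used.

The toy evaluator below is an added example, not code from the question, the answer, or the Serverless Framework; it replays the policy shapes above against constructed request contexts so the Allow/Deny outcomes can be seen offline. The `vpce-...` ids, the NAT gateway address 198.51.100.7 and the internet client 203.0.113.5 are made-up sample values; IAM evaluation is reduced to explicit-deny-wins, then any matching Allow, else implicit deny, and Principal/Resource are not checked since every statement on this page uses `"*"` and `execute-api:/*/*/*`.

```python
"""Toy evaluator for API Gateway resource-policy statements (added example).

Supports IpAddress / NotIpAddress on aws:SourceIp and StringEquals /
StringNotEquals on aws:SourceVpce. Negated operators match when the key is
absent from the request, as IAM does; that is what lets a
"Deny unless from my VPC endpoint" statement catch internet traffic.
"""
import ipaddress

INVOKE = "execute-api:Invoke"
OUR_VPCE = "vpce-0123456789abcdef0"  # placeholder interface endpoint id


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block matches ctx."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = _as_list(wanted)
            actual = ctx.get(key)
            if operator == "IpAddress":
                if actual is None or not _ip_in(actual, wanted):
                    return False
            elif operator == "NotIpAddress":
                if actual is not None and _ip_in(actual, wanted):
                    return False
            elif operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual in wanted:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(statements, ctx, action=INVOKE):
    """Return "Allow" or "Deny" for one request context."""
    decision = "Deny"  # implicit deny until an Allow matches
    for statement in statements:
        if action not in _as_list(statement["Action"]):
            continue
        if not condition_matches(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def allow_cidrs(cidrs):
    """The answer's first policy shape: allow invoke only from these CIDRs."""
    return [{
        "Effect": "Allow", "Principal": "*", "Action": INVOKE,
        "Resource": ["execute-api:/*/*/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
    }]


# For a PRIVATE endpoint, pin the policy to the interface VPC endpoint rather
# than to a CIDR: allow our endpoint, and explicitly deny everything else.
PRIVATE_API_POLICY = [
    {"Effect": "Allow", "Principal": "*", "Action": INVOKE,
     "Resource": ["execute-api:/*/*/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": OUR_VPCE}}},
    {"Effect": "Deny", "Principal": "*", "Action": INVOKE,
     "Resource": ["execute-api:/*/*/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": OUR_VPCE}}},
]


def demo():
    """Constructed request contexts for the scenarios discussed above."""
    nat_egress = {"aws:SourceIp": "198.51.100.7"}  # VPC client seen behind a NAT gateway
    internet = {"aws:SourceIp": "203.0.113.5"}     # arbitrary internet client
    via_vpce = {"aws:SourceIp": "10.0.12.34", "aws:SourceVpce": OUR_VPCE}
    other_vpce = {"aws:SourceIp": "10.9.9.9", "aws:SourceVpce": "vpce-0fedcba9876543210"}
    return {
        # Public endpoint: aws:SourceIp is the client's public address, so a
        # private CIDR alone shuts out even the VPC's own NAT-ed traffic.
        "public_cidr_only_from_nat": evaluate(allow_cidrs(["10.0.0.0/16"]), nat_egress),
        "public_cidr_plus_nat_eip": evaluate(allow_cidrs(["10.0.0.0/16", "198.51.100.7/32"]), nat_egress),
        "public_from_internet": evaluate(allow_cidrs(["10.0.0.0/16"]), internet),
        # Private endpoint: only traffic through our interface endpoint passes.
        "private_via_our_vpce": evaluate(PRIVATE_API_POLICY, via_vpce),
        "private_via_other_vpce": evaluate(PRIVATE_API_POLICY, other_vpce),
        "private_from_internet": evaluate(PRIVATE_API_POLICY, internet),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:28s} -> {result}")
```

The Allow-plus-Deny pair in `PRIVATE_API_POLICY` is deliberate: with only the Allow statement, anything not matching falls through to the implicit deny, which is already safe, but the explicit Deny keeps the API closed even if a later deployment adds a broader Allow. When testing from a fixed address the way the answer describes, the address to whitelist is the one API Gateway sees, i.e. the tester's public IP or the VPC's NAT gateway address, not an internal 10.x address.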