What is the best way to restrict access to an Application Load Balancer?

Ideally, I'd like to lock down my ALB so that it can only be accessed by API Gateway.

I've looked into whether I can associate API Gateway with an Inbound Rule - however, I have found that API Gateway cannot be associated with an IP address or a security group. I've also looked into an internal-facing ALB, but I've been unable to get this working as VPC link only supports NLB.

Any help will be greatly appreciated - I've been looking in the Gateway Settings but cannot find this option.

What is the best way to approach this so that the ALB is as restricted as possible?

450 likes
fuzzi asked Dec 10 '18 23:12



2 Answers

Use WAF to verify the custom HTTP Header value set at API GW

Inject a custom HTTP header at the Integration Request of an API GW HTTP Integration method. Use the static value as explained in the Amazon API Gateway API request and response data mapping reference:

'STATIC_VALUE'. The STATIC_VALUE is a string literal and must be enclosed within a pair of single quotes.


As is often the case with AWS documentation, it is confusing whether we should use the "integration.request.header." format. If setting up in the AWS console, there is no need to type "integration.request.header."; just type the header name only. Make sure the header value is single quoted.

However, when using a tool like CDK or CFN, we need to use the "integration.request.header." part.

from aws_cdk import aws_apigateway

# Placeholder header name/value: the value is a shared secret, so use a long random string.
HTTP_HEADER_X_VALIDATION_CLIENT_NAME = "x-validation-client"
HTTP_HEADER_X_VALIDATION_CLIENT_VALUE = "<long-random-secret>"

# cdk_api_resource (an aws_apigateway.Resource) and url (the ALB endpoint) are defined elsewhere.
cdk_api_method: aws_apigateway.Method = cdk_api_resource.add_method(
    http_method="post",
    integration=aws_apigateway.HttpIntegration(
        url=url,
        http_method="post",
        proxy=True,
        options=aws_apigateway.IntegrationOptions(
            # The single quotes make API GW treat the value as a string literal, not a mapping expression.
            request_parameters={
                "integration.request.header.{}".format(HTTP_HEADER_X_VALIDATION_CLIENT_NAME): "'{}'".format(HTTP_HEADER_X_VALIDATION_CLIENT_VALUE)
            }
        )
    )
)

Set up WAF to verify the HTTP header value and associate the ALB with the WAF ACL.


from aws_cdk import aws_wafv2

# https://github.com/aws-samples/wafv2-json-yaml-samples/blob/master/JSON/rule-001.json
# This rule ALLOWs requests whose header matches. It only restricts the ALB if the Web ACL
# that contains it has default_action set to block, and the ACL is attached to the ALB
# with aws_wafv2.CfnWebACLAssociation.
aws_wafv2.CfnWebACL.RuleProperty(
    name='header-x-validation-client',
    action=aws_wafv2.CfnWebACL.RuleActionProperty(
        allow={}
    ),
    # StatementOneProperty is the CDK v1 name; CDK v2 calls it StatementProperty.
    statement=aws_wafv2.CfnWebACL.StatementOneProperty(
        byte_match_statement=aws_wafv2.CfnWebACL.ByteMatchStatementProperty(
            field_to_match=aws_wafv2.CfnWebACL.FieldToMatchProperty(
                single_header={
                  "Name": HTTP_HEADER_X_VALIDATION_CLIENT_NAME
                }
            ),
            positional_constraint="EXACTLY",  # the whole header value must equal the secret
            search_string=HTTP_HEADER_X_VALIDATION_CLIENT_VALUE,
            text_transformations=[
                aws_wafv2.CfnWebACL.TextTransformationProperty(
                    priority=0,
                    type="NONE"  # compare the bytes as-is (case-sensitive)
                )
            ]
        )
    ),
    visibility_config=aws_wafv2.CfnWebACL.VisibilityConfigProperty(
        sampled_requests_enabled=True,
        cloud_watch_metrics_enabled=True,
        metric_name='waf-rule-header-x-validation-client'
    ),
    priority=0
)
191 likes
mon answered Oct 20 '22 00:10
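An added example, not code from the answer above or from AWS: a stdlib-only Python model of the Web ACL this answer builds, written in the JSON shape the `aws wafv2` CLI uses, with the default action set to Block (the allow rule only restricts the ALB when everything it does not explicitly allow is blocked). The header name and secret value are constructed placeholders; it evaluates constructed requests to show that a request without the header, or with the value in a different case (the NONE transformation compares bytes as-is), is blocked, and it generalises to the other positional constraints and the LOWERCASE transformation.

```python
# Constructed sample values (placeholders, not the answer's real header name or secret).
HEADER_NAME = "x-validation-client"
HEADER_VALUE = "replace-with-a-long-random-secret"

# Web ACL in the JSON shape the `aws wafv2` CLI and CloudFormation use, mirroring the
# answer's CDK rule. DefaultAction is Block: only the Allow rule lets traffic through.
WEB_ACL = {
    "DefaultAction": {"Block": {}},
    "Rules": [{
        "Name": "header-x-validation-client",
        "Priority": 0,
        "Action": {"Allow": {}},
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": HEADER_VALUE,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }},
    }],
}

def byte_match(stmt: dict, headers: dict) -> bool:
    """Evaluate one ByteMatchStatement against a request's headers."""
    # HTTP header names are case-insensitive, and so is WAF's SingleHeader lookup.
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return False  # header absent: nothing to inspect, the rule does not fire
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        # "NONE" leaves the value untouched, so the comparison stays case-sensitive
    needle, constraint = stmt["SearchString"], stmt["PositionalConstraint"]
    return {
        "EXACTLY": value == needle,
        "STARTS_WITH": value.startswith(needle),
        "ENDS_WITH": value.endswith(needle),
        "CONTAINS": needle in value,
    }[constraint]

def evaluate(web_acl: dict, headers: dict) -> str:
    """Return 'ALLOW' or 'BLOCK': the first matching rule wins, else the default action."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        stmt = rule["Statement"].get("ByteMatchStatement")
        if stmt and byte_match(stmt, headers):
            return next(iter(rule["Action"])).upper()
    return next(iter(web_acl["DefaultAction"])).upper()
```

Run `evaluate(WEB_ACL, {"X-Validation-Client": HEADER_VALUE})` to see the API Gateway path allowed and `evaluate(WEB_ACL, {})` to see a direct request blocked.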


The API Gateway doesn't have a static IP and ALBs don't offer any authentication other than Cognito User Pools at this moment. Because of that I would say your best option is to use a VPC link with Network Load Balancer as you propose and tunnel the request via the NLB to your ALB.

Alternatively, you could have a Lambda inside your VPC invoke the ALB; that would be a lot slower, but cheaper for low volumes because you skip the NLB.

37 likes
Bram answered Oct 20 '22 01:10