API Gateway Static IP Address

Are you trying to limit access to your API-gateway-managed services or trying to limit access to other services that API gateway needs to call?

If you're hoping to limit access to API Gateway: The IPs of all AWS-managed services are subject to change, so you can only rely on their URLs. However, API Gateway does offer the ability to limit access to endpoints through their "API Keys" feature, which will require you to pass that key in an x-api-key header in your request.

One possible alternative, if you strictly need to limit based on IPs, would be to parse the IP address of the requester from the X-Forwarded-For header of the request that's sent to API Gateway and, if it doesn't match your allowed list, return a 403. This would not prevent you from getting charged for requests, but it would limit requesters' ability to access your data.

If you're trying to restrict access on services that your API gateway services need to call, then the serverfault link referenced above applies: Have your Lambda function execute within a VPC, which will cause public outbound traffic to have a static IP address -- namely, the gateway that your VPC subnets use.
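The X-Forwarded-For allowlist check described in the answer, as an added example that is not part of the original answer. It assumes a Lambda proxy-style event with a `headers` dict; the allowlist ranges and `TRUSTED_HOPS` are constructed, hypothetical values. Entries are counted from the right because anything further left in the header is supplied by the client.

```python
import ipaddress

# Constructed allowlist (documentation ranges); replace with your own.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Assumption: number of proxies you trust that append to X-Forwarded-For
# in front of the integration (0 = the last entry is the caller).
TRUSTED_HOPS = 0


def caller_ip(headers, trusted_hops=TRUSTED_HOPS):
    """Return the caller's address from X-Forwarded-For, or None.

    Entries are counted from the right: anything to the left of the
    trusted position was sent by the client and can be forged.
    """
    # Header names arrive in whatever case the client used.
    xff = next((v for k, v in (headers or {}).items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) <= trusted_hops:
        return None
    try:
        return ipaddress.ip_address(hops[-1 - trusted_hops])
    except ValueError:
        # Malformed entry: fail closed.
        return None


def is_allowed(ip):
    """True only for a parsed address inside one of the allowed networks."""
    return ip is not None and any(ip in net for net in ALLOWED)


def handler(event, context=None):
    """Lambda proxy-style handler: 403 unless the caller is allowlisted."""
    ip = caller_ip(event.get("headers"))
    if not is_allowed(ip):
        return {"statusCode": 403, "body": "Forbidden"}
    return {"statusCode": 200, "body": "ok"}
```
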

Author: Hexie

Updated on June 04, 2022

Comments

  • Hexie
    Hexie almost 2 years

    I currently have an API setup within my API gateway that has a custom domain attached - https://customdomain.com/services/

    I would like to know if this API would have a static IP address / range available and if so, how to get it, the reason for this is some additional security we'd like to set up on internal services.

    I am not able to use the static domain name / address as an option - it has to be an IP address / range that is static?

    Thanks in advance

  • Ka Hou Ieong
    Ka Hou Ieong over 7 years
    I don't think we should use x-api-key for authentication. If you want to secure the API on API Gateway, you can use AWS IAM auth, Custom Auth or Cognito User Pool. If you want to secure your backend HTTP endpoint, you can use Client Certificate.
  • Hexie
    Hexie over 7 years
    @KaHouIeong Yep - that's a BIG no-no on using API keys for authentication, and that's coming direct from AWS themselves :) "API keys are not meant as a security mechanism for controlling access to an API"
  • rumdrums
    rumdrums over 7 years
    I guess I was wrong to use the term 'authentication' (edited answer accordingly), but they are certainly a way to limit access to your API.
  • falsePockets
    falsePockets almost 5 years
    @Hexie can you link to where that quote came from?
  • Hexie
    Hexie almost 5 years
    @falsePockets I can't remember off the top of my head but from a quick search, it looks like it was found here: https://www.reddit.com/r/aws/comments/60k8sc/api_gateway_authentication/ which references this https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html I suspect AWS have moved pages around and although it's still there, it might be moved and reworded.