Can I specify HTTP endpoint in a VPC as resource in AWS API Gateway?

14,728

Solution 1

This was originally not possible, and then was solved with support for client certificates that API Gateway could use to authenticate itself to your services. This was a good solution, and is still available, but still required your services to be exposed -- at least in some sense -- to the Internet.

In November, 2017, AWS released a new capability that allows you to actually provision a network path between API Gateway and your internal services.

You can now provide access to HTTP(S) resources within your Amazon Virtual Private Cloud (VPC) without exposing them directly to the public Internet. You can use API Gateway to create an API endpoint that is integrated with your VPC. You create an endpoint to your VPC by setting up a VPC link between your VPC and a Network Load Balancer (NLB), which is provided by Elastic Load Balancing.

https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/

Historical context follows.


As of now, there is no simple and foolproof way to do this, because your services that are accessible to API Gateway need to be accessible via/exposed to the public Internet and there is no built in trust mechanism by which you can be assured that such a request actually originated from any API Gateway deployment, much less your API Gateway deployment.

Amazon seems to have solved the issue of authenticating requests to your back-end services as having assuredly come, not only from API Gateway, but from your API Gateway instance. As before, endpoints still need to be exposed to the Internet, since the source IP address is not predictable -- but API gateway now supports client SSL certificates, which the back-side of API Gateway uses to authenticate itself to the front-side of your back-end service, that API gateway is calling.

Q: Can Amazon API Gateway work within an Amazon VPC?

No. Amazon API Gateway endpoints are always public to the Internet. Proxy requests to backend operations also need to be publicly accessible on the Internet. However, you can generate a client-side SSL certificate in Amazon API Gateway to verify that requests to your backend systems were sent by API Gateway using the public key of the certificate.

Q: Can I verify that it is API Gateway calling my backend?

Yes. Amazon API Gateway can generate a client-side SSL certificate and make the public key of that certificate available to you. Calls to your backend can be made with the generated certificate, and you can verify calls originating from Amazon API Gateway using the public key of the certificate.

https://aws.amazon.com/api-gateway/faqs/#security

When you generate a client certificate in the API Gateway console, you're provided with the public key for that certificate. For security, the private key is retained by API Gateway and is not accessible to you. API Gateway will present the public key to your back-end when negotiating SSL. Any peer not presenting that same public key is not API gateway, and your back-end should deny SSL negotiation.

If a malicious actor should ever come into possession of the public key, they would not still be able to communicate with your back-end over SSL, because they would lack the mated private key, which is only known to API Gateway. (Your side of the interaction would be encrypted using your SSL certificate and its mated private key, which is of course, known only to you.)

This capability addresses what previously appeared to be a significant limitation of the utility of API Gateway's HTTP proxy functionality... a limitation of such significance, in fact, that when I discovered the revised information, above, I began to doubt myself: Had this been there all along, and I had somehow managed to overlook it? The Wayback Machine says no, it's new. This information was added in September, 2015.
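The back-end side of the client-certificate arrangement described above, as an added example (not code from the answer or from AWS): the service requires a client certificate during the TLS handshake, trusts only the certificate API Gateway published for the stage, and additionally pins that certificate's SHA-256 fingerprint before serving a request. File paths, the listening port and the fingerprint value are placeholders; the sample bytes used to exercise the fingerprint check are constructed, not a real certificate. It assumes the API Gateway client certificate is self-signed, so the published PEM can be loaded directly as the only trust anchor.

```python
"""Backend-side verification that the TLS peer is our API Gateway stage.

Added example, not part of the original post. Paths, port and the
expected fingerprint are placeholders to be replaced with real values.
"""
import hashlib
import hmac
import socket
import ssl
from typing import List, Optional

# Placeholder: the SHA-256 fingerprint of the certificate downloaded from the
# API Gateway console (lowercase hex, no colons).
EXPECTED_APIGW_FINGERPRINT = "replace-with-fingerprint-from-console"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def peer_is_api_gateway(peer_der: Optional[bytes], expected_fingerprint: str) -> bool:
    """True only if a client certificate was presented and it is exactly the
    certificate API Gateway published. No certificate at all means the caller
    is not API Gateway, whatever else it claims."""
    if not peer_der:
        return False
    # Constant-time comparison so response timing does not leak partial matches.
    return hmac.compare_digest(cert_fingerprint(peer_der), expected_fingerprint.lower())


def harden_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Require a client certificate and refuse pre-TLS 1.2 negotiation.
    Kept separate from file loading so the settings can be checked on their own."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails if no client cert
    return ctx


def build_backend_context(server_cert: str, server_key: str, apigw_cert_pem: str) -> ssl.SSLContext:
    """Server context whose ONLY trust anchor is the API Gateway client certificate.
    Assumption: that certificate is self-signed, so it can act as its own CA."""
    ctx = harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(server_cert, server_key)          # our own identity
    ctx.load_verify_locations(cafile=apigw_cert_pem)      # trust only API Gateway
    return ctx


def serve_once(ctx: ssl.SSLContext, port: int, log: List[str]) -> None:
    """Accept one connection; close it unless the peer is API Gateway.
    Not exercised by the test, since it needs real certificate files."""
    with socket.socket() as listener:
        listener.bind(("0.0.0.0", port))
        listener.listen(1)
        raw, addr = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as conn:
                peer_der = conn.getpeercert(binary_form=True)
                if not peer_is_api_gateway(peer_der, EXPECTED_APIGW_FINGERPRINT):
                    log.append(f"rejected {addr[0]}: certificate is not the API Gateway cert")
                    return
                log.append(f"accepted {addr[0]}: API Gateway client certificate verified")
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except ssl.SSLError as exc:
            # No client certificate, or one not chaining to the API Gateway cert.
            log.append(f"handshake with {addr[0]} failed: {exc}")


if __name__ == "__main__":
    events: List[str] = []
    context = build_backend_context("/path/to/server.pem", "/path/to/server.key",
                                    "/path/to/apigw-client-cert.pem")
    serve_once(context, 8443, events)
    print("\n".join(events))
```

The trust-anchor restriction already makes the handshake fail for any peer that does not hold the private key of the published certificate; the fingerprint pin is a second, independent check that protects against the trust store later being widened by mistake. Note that this only authenticates the caller as API Gateway; as the comments below point out, the listener itself remains reachable from the Internet.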

Solution 2

It's somewhat of a circuitous path, but you can proxy your Web service endpoints that are in a VPC through a Lambda function. That Lambda function can be called directly from the API Gateway. This blog post gives details on how to do that.

Author: Vovan Kuznetsov

Updated on June 04, 2022

Comments

  • Vovan Kuznetsov
    Vovan Kuznetsov over 1 year

    I have a situation where my product (some Web API) is living inside of a VPC, i.e. with no external access. I'd like to expose part of these APIs (just a couple of HTTP methods) to be accessible from the internet. I'm trying to achieve this using AWS API Gateway but it looks like I cannot make an internal ELB endpoint the API Gateway resource. Any ideas how I can do this?

    Thanks, --Vovan

  • Akshay Dhalwala
    Akshay Dhalwala about 8 years
    As of a few weeks ago, Amazon has announced that they will be adding in support for targeting VPC resources from Lambda. This seems like another alternative option to exposing select methods of your private API to a public endpoint via Gateway and its Lambda integration. aws.amazon.com/blogs/aws/…
  • Michael - sqlbot
    Michael - sqlbot about 8 years
    This is a good point. I watched the re:Invent 2015 live keynote webcast yet I don't remember hearing this point about VPC integration. Now I realize that when Dr. Vogels started talking about python, I assumed nothing meaningful would be discussed for several minutes, so I took a break to walk around and stretch. :) I'll update this when that functionality opens up.
  • Vovan Kuznetsov
    Vovan Kuznetsov almost 8 years
    Good to know, however using client certs for authentication looks more like a workaround, not a real answer. Internal APIs are still exposed outside, so nothing protects them from DoS attacks like SYN floods, etc.
  • Ricardo Riveros
    Ricardo Riveros over 7 years
    Agree with the above poster. One of the nice features of API Gateway is that it protects the API from some DoS attacks. But I don't see the point in this if the backend EC2 instances are also exposed to the internet. API Gateway should work like Elastic Load Balancer and work with your VPC.
  • Michael - sqlbot
    Michael - sqlbot over 7 years
    As has been noted, Lambda functions can now access resources directly inside VPC. Similar integrations for API gateway have not been mentioned, but might be coming down the pike. Of course, you could use API gateway > Lambda > VPC resource, with a commensurate increase in cost and complexity. Your API interface could also be firewalled from all but the AWS IP space for your region, ensuring that SYN floods, etc, could only originate from within AWS, which should be quickly shut down once reported to AWS support.
  • Hexie
    Hexie about 6 years
    Please help improve your answers by adding examples and not just links to other posts. Thanks
  • Hexie
    Hexie about 6 years
    No need to take such offence, I came across this thread and found the entire thing useful, however, would have loved an example for what you explained. Just feel a complete answer would have been that much more beneficial.
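Michael - sqlbot's comment above suggests firewalling the back-end so that only AWS address space for your region can reach it. The following is an added example (not from the thread or from AWS) of the allow-list logic behind such a rule: it reads the `prefixes` array of the JSON document AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, keeps the IPv4 prefixes for one region, and decides whether a source address falls inside them. The document embedded here is constructed with documentation-only addresses and a made-up sync token; the real file is much larger and also carries an `ipv6_prefixes` array, which this example does not handle.

```python
"""Region allow-list check modelled on AWS's published ip-ranges.json.

Added example, not code from the thread. SAMPLE_IP_RANGES is constructed;
fetch the real document from https://ip-ranges.amazonaws.com/ip-ranges.json.
"""
import ipaddress
import json
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for ip-ranges.json: same keys, documentation-range prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2017-11-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24",   "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25",   "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25",  "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def load_region_networks(doc: str, region: str) -> List[Network]:
    """Return every IPv4 prefix the document attributes to `region`.
    Malformed prefixes are skipped rather than silently widening the list."""
    data = json.loads(doc)
    networks: List[Network] = []
    for entry in data.get("prefixes", []):
        if entry.get("region") != region:
            continue
        try:
            networks.append(ipaddress.ip_network(entry["ip_prefix"], strict=True))
        except (KeyError, ValueError):
            continue
    return networks


def source_allowed(source_ip: str, networks: Iterable[Network]) -> bool:
    """True if the source address lies within any allowed network.
    An unparsable address is treated as not allowed (fail closed)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def filter_log_lines(lines: Iterable[str], networks: Iterable[Network]) -> List[str]:
    """Given connection log lines of the form '<ip> <anything>', return the
    lines whose source is outside the allow-list, i.e. what the firewall
    should have dropped. Constructed log format for the example."""
    nets = list(networks)
    return [line for line in lines if not source_allowed(line.split(" ", 1)[0], nets)]


if __name__ == "__main__":
    allowed = load_region_networks(SAMPLE_IP_RANGES, "us-east-1")
    constructed_log = [
        "203.0.113.7 GET /orders",        # inside the region allow-list
        "198.51.100.9 GET /orders",       # AWS, but a different region
        "192.0.2.5 POST /orders",         # outside every listed prefix
    ]
    for line in filter_log_lines(constructed_log, allowed):
        print("would be blocked:", line)
```

As the comment itself notes, this only narrows the callers to AWS address space in one region; it does not identify your own API Gateway stage. That is what the client certificate in the accepted answer does, so the two controls are complementary rather than alternatives.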