Rahul Garg

Reputation: 4339

AWS API gateway and Load balancer secure communication

We are using AWS API gateway and a load balancer in front of our EC2 cluster. The gateway needed the load balancer to be publicly hosted, and that's why we put the load balancer in a public subnet of the VPC and all of our EC2 instances in a private VPC.

The problem we are facing is that, as our load balancer is in a public VPC, how can we invalidate requests not coming from our API gateway? We just want to pass requests through from the load balancer to the EC2 instances if and only if they are coming through our API gateway.

When I explored possible resolutions, someone suggested using the public client certificate from the gateway to validate your requests. I was able to get this public certificate from the gateway but did not find any way to configure it in the load balancer.

Upvotes: 1

Views: 2187

Answers (3)

Bram

Reputation: 4532

The proper solution nowadays is to use a VPC link with a Network Load Balancer from AWS. You set up a Network Load Balancer in front of your VPC resource (e.g. an EC2 instance) and you create an API Gateway VPC Link. In the API Gateway integration you choose VPC Link and you are able to access the Network Load Balancer and, by extension, your private EC2 instance.

Upvotes: 1

Rahul Garg

Reputation: 4339

On further analysis, I came across the following concerns with the AWS API gateway approach.

  1. VPC has a huge impact on Lambda container initialisation time when the Lambda container is not reused or is cold. As per others' experience, it might take 10 to 15 seconds and delay the response time. Even if it is a hot Lambda, a time delay cost is associated with accessing the VPC from it.
  2. Lambda needs a sufficient number of ENIs and a private IP range to support parallel execution. It means that if, at runtime, load increases and there is no free ENI, the request will fail. We are not sure if we can dynamically increase the ENIs at runtime based on request load.
  3. If there is any error or timeout due to unavailability of an ENI, AWS does not create any log for it and you may be clueless about the source of the error.

Upvotes: 0

Ashan

Reputation: 19728

You cannot verify the client certificate at Load Balancer level. You need to validate it at container level.

There is another approach you can follow by keeping the Load Balancer private and using a Lambda function (which is placed inside the VPC) to proxy to the Load Balancer, where you can validate the client certificate.

Upvotes: 0
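Ashan's point, that the gateway's client certificate has to be verified by the backend itself, as an added example in Go (not code from the question or any answer): the backend's TLS config trusts only the gateway certificate as a client CA, so a caller that reached the load balancer directly, with no certificate or with some other certificate, is rejected during the handshake. Assumptions: selfSigned is a constructed stand-in for the certificate API Gateway generates, httptest stands in for the EC2 backend, and the generic must helper needs Go 1.18 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// selfSigned is a constructed stand-in for the self-signed client certificate API Gateway generates for a stage.
func selfSigned(cn string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// backendTLSConfig is the container-side policy: the handshake fails unless the caller holds the gateway cert's key.
func backendTLSConfig(gateway tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(gateway.Leaf) // the only trusted client issuer; production also sets Certificates (server cert)
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
}

// probeBackend starts a backend trusting only `gateway` and sends one request with clientCerts (nil = none).
func probeBackend(gateway tls.Certificate, clientCerts []tls.Certificate) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = backendTLSConfig(gateway)
	srv.StartTLS() // httptest supplies the server certificate and a client that trusts it
	defer srv.Close()
	srv.Client().Transport.(*http.Transport).TLSClientConfig.Certificates = clientCerts
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return err // rejected during the TLS handshake: nothing that bypassed the gateway reaches a handler
	}
	return resp.Body.Close() // nil: the backend accepted the caller as the gateway
}
```

The same policy applies on a real EC2 backend by loading the gateway's downloaded PEM into ClientCAs; the load balancer in front only needs to pass TCP/TLS through untouched.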
