mallows98

Reputation: 1539

AWS API Gateway IP traffic restrictions - using DNS instead of IP address

I currently have an AWS API Gateway that is being used by a client as a dependency resource for the client's API application. The client's API application is currently hosted in Azure and is load-balanced.

Given that an AWS API Gateway resource policy allows or denies API traffic based on the source IP address or range, can I use my client's hosted DNS name rather than an actual IP address as an entry in the policy's IP list (see the policy example below)?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": ["192.0.2.0/24", "clientsite.azurewebsites.net"]
                }
            }
        }
    ]
}

If not, what would be a better way to allow a cloud-hosted application to access an AWS API Gateway resource?

Many thanks!

Upvotes: 0

Views: 269

Answers (1)

qkhanhpro

Reputation: 5220

The AWS documentation states:

"aws:SourceIp key. The value must be in the standard CIDR format (for example, 203.0.113.0/24 or 2001:DB8:1234:5678::/64)"

So I suspect it will not work.

Other ways to secure the request at the API Gateway level:

  • The API consumer can sign the request (you must provide the keys), or
  • The API consumer can force all their traffic to go through one IP (using the NAT gateway equivalent in Azure), or
  • The API consumer can use one of the API keys you provide

Upvotes: 2
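As an added example (not code from the question or the answer), a small Python lint that applies the CIDR rule quoted above to the asker's policy: it rejects any aws:SourceIp value that does not parse as a network (the Azure hostname) and also flags the first statement, whose wildcard Allow carries no Condition and therefore admits every caller regardless of the IP restriction in the second statement.

```python
"""Lint the aws:SourceIp conditions of an API Gateway resource policy."""
import ipaddress
import json

# The asker's policy, embedded inline as constructed input for the lint.
POLICY_JSON = """
{ "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": ["arn:aws:execute-api:region:account-id:api-id/*"]},
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": ["arn:aws:execute-api:region:account-id:api-id/*"],
     "Condition": {"IpAddress": {
        "aws:SourceIp": ["192.0.2.0/24", "clientsite.azurewebsites.net"]}}}
  ]}
"""


def is_cidr(value: str) -> bool:
    """True only for a literal IPv4/IPv6 network such as 203.0.113.0/24."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:          # hostnames and other non-address strings
        return False


def lint_policy(policy_json: str) -> list:
    """Return one finding per problem; an empty list means no issue found."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*" \
                and not cond:
            findings.append(f"statement {i}: Allow for Principal '*' with no "
                            "Condition; it admits every caller, so the IP "
                            "restriction in other statements has no effect")
        for op in ("IpAddress", "NotIpAddress"):
            values = cond.get(op, {}).get("aws:SourceIp", [])
            if isinstance(values, str):   # a single string is also legal
                values = [values]
            for v in values:
                if not is_cidr(v):
                    findings.append(f"statement {i}: {op}/aws:SourceIp value "
                                    f"{v!r} is not a CIDR; hostnames are "
                                    "not resolved by the policy engine")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(POLICY_JSON):
        print(finding)
```

Running it against the policy above yields two findings: the unconditioned Allow in statement 0 and the hostname in statement 1.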
