Steven
Reputation: 911
Restrict direct API Gateway calls unless it's from CloudFront
We created a CloudFront in front of our APIs. Is it possible to restrict API calls other than coming from CloudFront?
Current setup:
Caller --> API Gateway Endpoint --> Lambda
Caller --> CloudFront Endpoint --> API Gateway Endpoint --> Lambda
We expect to have it like this only:
Caller --> CloudFront Endpoint --> API Gateway Endpoint --> Lambda
Upvotes: 2
Views: 1909
Answers (1)
James Dean
Reputation: 4451
Yes, WAF available for API gateway. 1. In CloudFront add a custom origin header 2. use WAF on API gateway and allow if request (CloudFront IP addresses + if header+value present). CloudFront IP addresses. http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
Upvotes: 4
Related Questions
- Getting 401 Unauthorized response when calling thru CloudFront endpoint
- Allow only CloudFront to read from origin servers?
- CloudFront in front of API Gateway (Private)
- How to allow only cloudfront to access my api (elb)load balancer hosted on ec2 in AWS?
- How to restrict api gateway rest api to CloudFront hosted S3 website
- How to restrict access to origin for CloudFront only?
- How to limit AWS API Gateway access to specific CloudFront distribution or Route53 subdomain
- AWS Cloudfront (with WAF) + API Gateway: how to force access through Cloudfront?
- AWS API Gateway behind CloudFront, forwarding headers?
- Integrating AWS API Gateway with Cloud Front without exposing origin