8

I want to use AWS Web Application Firewall service with AWS API Gateway. AWS WAF works only with AWS CloudFront distributions.

According to this post https://forums.aws.amazon.com/message.jspa?messageID=677382 API Gateway creates a CloudFront distribution behind the scenes. However, I don't see this distribution in either the CloudFront console or the WAF console.

Is there any way to make use of the CloudFront distribution created by API Gateway for WAF?

medvedev1088
  • 3,645
  • 24
  • 42
  • 1
    You could put a cloudfront distro in front of your API Gateway and apply your WAF rules there: https://www.codeengine.com/articles/process-form-aws-api-gateway-lambda/ – Dave Maple Jan 02 '17 at 21:15
  • You can actually integrate WAF with API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html – lxg Dec 09 '22 at 23:15

3 Answers

3

Unfortunately no, API Gateway does not provide access to the backing CloudFront distribution. To use WAF you would have to create a second distribution, which is inefficient but should functionally work.

jackko
  • 6,998
  • 26
  • 38
  • 1
    Now you can use Regional Endpoints and use your own CF distribution in front of that. For Regional Endpoints, API Gateway will not create that second CF distribution internally. For more details, see https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-regional-api-endpoints/ – Balaji Nov 03 '17 at 18:43
3

AWS API Gateway recently (around November 2018) added this feature: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

Denis Weerasiri
  • 1,120
  • 1
  • 8
  • 16
  • The information in this link is available virtually nowhere else - which I find frustrating, notably - "Important API Gateway requires a Regional web ACL." – user7504939 Sep 17 '20 at 20:36
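The comment above quotes the one detail that trips people up: the web ACL must be created with the REGIONAL scope, not CLOUDFRONT, and it is attached to an API Gateway stage ARN. The CloudFormation template below is an added example written for this thread, not code from the linked AWS documentation or from anyone in the thread. It assumes an existing REST API whose id and stage name you pass in as parameters (placeholders); the managed rule group and rate limit are ordinary AWS WAFv2 constructs, chosen here only to give the ACL something to do.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original thread): attach a REGIONAL AWS WAFv2
  web ACL to an existing API Gateway REST API stage. RestApiId and StageName
  are placeholders supplied by the caller.

Parameters:
  RestApiId:
    Type: String
    Description: Id of the existing REST API (placeholder, supply your own)
  StageName:
    Type: String
    Default: prod
    Description: Stage to protect (placeholder)

Resources:
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub "${AWS::StackName}-api-acl"
      # API Gateway only accepts REGIONAL web ACLs; CLOUDFRONT-scoped ACLs
      # (which must also live in us-east-1) cannot be associated with a stage.
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${AWS::StackName}-api-acl"
      Rules:
        # AWS-managed baseline rules (generic bad inputs, oversized bodies, etc.).
        - Name: AWSCommonRules
          Priority: 0
          OverrideAction:
            None: {}            # managed groups take OverrideAction, not Action
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSCommonRules
        # Per-source-IP rate limit: block an IP that exceeds the limit in a
        # rolling 5-minute window until it drops back under it.
        - Name: RateLimitPerIp
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitPerIp

  # The association is a separate resource. The resource ARN for a REST API
  # stage has the form arn:aws:apigateway:<region>::/restapis/<id>/stages/<stage>.
  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt ApiWebAcl.Arn
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}"

Outputs:
  WebAclArn:
    Value: !GetAtt ApiWebAcl.Arn
```

Deploy the stack in the same region as the API; a REGIONAL ACL in a different region cannot be associated. If the association succeeds you can verify it with `aws wafv2 get-web-acl-for-resource --resource-arn <stage-arn>`, and the sampled requests and CloudWatch metrics enabled above are what you will look at when tuning the managed rules before switching any of them from count to block.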
1

Alright guys, I had a similar issue. What is best you can do at this stage is:

Have API Gateway terminate the SSL, make a call from API Gateway to your ALB, ELB or NLB (NLB is the best, if it fits your architecture), and have the ALB protected by the WAF with two rulesets: 1. whitelist all the API Gateway IPs; 2. accept the HTTP header from API Gateway only.

This way you are securing your infra to its best.

If you have an NLB, then you can have the PrivateLink to the NLB straight; keep in mind NLB doesn't support path-based routing and cross-zone application failover.

I have asked AWS to raise a feature request for the same.

raaone7
  • 529
  • 1
  • 7
  • 16
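The answer above puts the WAF on the ALB behind API Gateway and lets through only traffic that both comes from API Gateway's addresses and carries a header that API Gateway adds. The template below is an added example for this thread, not the answerer's own configuration. It assumes an existing ALB (ARN passed as a parameter), a placeholder CIDR list standing in for the API Gateway address ranges for your region, and a hypothetical header name `x-origin-verify` whose value is a secret parameter; the two conditions are combined into one AndStatement so that the ACL's default action can be Block.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original thread): REGIONAL web ACL on an ALB that
  allows only requests from an allow-listed IP set that also carry the expected
  origin-verification header. Default action is Block.

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the existing Application Load Balancer (placeholder)
  ApiGatewayCidrs:
    Type: CommaDelimitedList
    # Placeholder ranges only; replace with the API Gateway ranges for your
    # region from the published AWS ip-ranges.json (service API_GATEWAY).
    Default: "192.0.2.0/24,198.51.100.0/24"
  OriginVerifySecret:
    Type: String
    NoEcho: true                 # keep the shared value out of stack output
    Description: Value API Gateway injects into the x-origin-verify header

Resources:
  ApiGatewayIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: !Sub "${AWS::StackName}-apigw-ips"
      Scope: REGIONAL             # ALB is a regional resource
      IPAddressVersion: IPV4
      Addresses: !Ref ApiGatewayCidrs

  AlbWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub "${AWS::StackName}-alb-acl"
      Scope: REGIONAL
      DefaultAction:
        Block: {}                 # anything not explicitly allowed is dropped
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${AWS::StackName}-alb-acl"
      Rules:
        - Name: AllowFromApiGatewayWithHeader
          Priority: 0
          Action:
            Allow: {}
          Statement:
            AndStatement:
              Statements:
                # Condition 1: source IP is in the API Gateway allow-list.
                - IPSetReferenceStatement:
                    Arn: !GetAtt ApiGatewayIpSet.Arn
                # Condition 2: header is present and matches exactly.
                - ByteMatchStatement:
                    FieldToMatch:
                      SingleHeader:
                        Name: x-origin-verify   # hypothetical header name
                    PositionalConstraint: EXACTLY
                    SearchString: !Ref OriginVerifySecret
                    TextTransformations:
                      - Priority: 0
                        Type: NONE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowFromApiGatewayWithHeader

  AlbWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt AlbWebAcl.Arn
      ResourceArn: !Ref AlbArn
```

On the API Gateway side the header is added as an integration request parameter (`integration.request.header.x-origin-verify` mapped to the literal secret) so clients cannot influence it. Two caveats a reviewer would raise: the header value is a shared secret that is visible in the WAF rule to anyone with read access to the account, so treat it as such and rotate it, and the IP allow-list must be refreshed when AWS changes its published ranges or the rule will start blocking legitimate API Gateway traffic; the sampled requests on the ACL are where you would notice that first.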