
I am working with AWS-API-Gateway and an Elastic Beanstalk environment. What I want to make sure of in the Elastic Beanstalk environment is that requests are served only for AWS-API-Gateway.

So Amazon suggested client-side SSL certificate authentication. The problem I'm facing with this is that even if I configure Amazon API Gateway to provide a certificate on an HTTPS connection, it will give the certificate to the load-balancer, and the load-balancer will give its own certificate to my EC2 instance.

So in this scenario, I never receive the SSL certificate of API gateway. Please help me here or provide me with a better solution.

I don't want to remove my load-balancer in the scenario as it is helpful for me.

Mailerdaimon

1 Answer


As far as I know, the key with using ELB is to turn the ELB to TCP mode (not HTTP) so the SSL handshake is actually done on the EC2 instances. That way you can verify on the hosts and treat the ELB as just a simple TCP load balancer.

Some helpful info here: Support for two-way TLS/HTTPS with ELB

Community
jackko
  • After thinking to myself, in response to the question, "no, this won't work," here's a summary of my *exact* thought process as I read your answer... "Ah, of course... good idea, Jack. +1. It's only obvious now that you mention it, but I'm not sure whether I would have thought to consider this option." Then I clicked the link. Oh. Ah. Well. Yes, I guess I did consider this option at some point. lol. :) – Michael - sqlbot Dec 07 '16 at 22:22
  • @Michael-sqlbot can you suggest another way? What I am thinking now is that if this cannot be done, I should restrict the usage of my EB servers so that the servers are accessible only inside my VPC, but API-Gateway URLs are public. Will that be a good methodology? – shashank kapoor Dec 09 '16 at 06:46
  • I don't believe API Gateway can directly proxy to a back-end service inside VPC that isn't publicly exposed, as an HTTP service proxy. Conversely, Lambda functions *invoked* by API Gateway *can* do this, because Lambda functions can be deployed with a configuration that assigns them network interfaces on private subnets inside the VPC. The apparent discrepancy between behaviors is not an actual discrepancy -- API-Gateway and Lambda appear to operate at arm's length in such a configuration, with API-GW invoking the Lambda function on the requester's behalf using the Lambda API. – Michael - sqlbot Dec 09 '16 at 10:36
  • We would like to add VPC support eventually for APIGW (so you don't have to take Lambda dependency just for that) but we don't have an ETA. – jackko Dec 09 '16 at 17:46
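The answer's approach, worked through as an added example rather than code from the thread: a Go HTTPS server that terminates TLS on the instance itself (which is what putting the ELB in TCP mode makes possible) and refuses any connection that does not present a client certificate chaining to a private CA. The CA, the server certificate and the client certificate are generated in-process with constructed names (demo-private-ca, eb-instance, api-gateway-client); in a real deployment the trust store would hold the CA that issued API Gateway's client certificate instead, and the names are assumptions for the demo only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on fixture-setup errors (key generation or signing) that the demo cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for it: self-signed when parent is nil (the CA),
// otherwise signed by parent/parentKey. Names and serial numbers are constructed for this demo.
func issue(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	ku := x509.KeyUsageDigitalSignature
	if parent == nil {
		ku = x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN for the loopback test server
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// mtlsConfigs builds a private CA with one server and one client certificate. The server config
// requires a client certificate chaining to that CA; the two client configs present one or none.
func mtlsConfigs() (server, withCert, noCert *tls.Config) {
	caCert, caKey := issue(1, "demo-private-ca", nil, nil)
	srvCert, srvKey := issue(2, "eb-instance", caCert, caKey, x509.ExtKeyUsageServerAuth)
	cliCert, cliKey := issue(3, "api-gateway-client", caCert, caKey, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	server = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // no trusted client cert, no request
		MinVersion:   tls.VersionTLS12,
	}
	withCert = &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}
	noCert = &tls.Config{RootCAs: pool}
	return
}

// fetch issues one GET with the given client TLS config and returns the response body.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs an HTTPS server that terminates TLS itself, as an instance behind a TCP-mode ELB does,
// and calls it with and without the trusted client certificate.
func Demo() (trustedBody string, untrustedErr error, err error) {
	serverCfg, withCert, noCert := mtlsConfigs()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handler only runs after a successful mutual handshake, so the peer identity is verified.
		fmt.Fprintf(w, "served %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = serverCfg
	srv.StartTLS()
	defer srv.Close()
	trustedBody, err = fetch(srv.URL, withCert)
	_, untrustedErr = fetch(srv.URL, noCert)
	return
}

func main() { fmt.Println(Demo()) }
```

The second request fails during the handshake and never reaches the handler, which is the guarantee the question is after. The same check is only possible when the instance sees the raw TLS session: with the ELB listener in HTTP or HTTPS mode the handshake ends at the ELB and `r.TLS.PeerCertificates` on the instance would describe the ELB, not API Gateway. In TCP mode the instance also loses the ELB's HTTP-level headers such as X-Forwarded-For, so the source address has to come from the TCP connection (or from proxy protocol, if enabled on the ELB) instead.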