
My Rails backend (api.mydomain.com) is hosted in EBS. The EC2 hosts have a VPC security group. The VPC security group's inbound rules only allow the corresponding load balancer security group on HTTP. The load balancer security group allows 0.0.0.0/0 on both HTTP and HTTPS. I would like to restrict API calls that hit my Rails backend to only come from my Angular app hosted in S3 (mydomain.com). Is this possible?

I want to prevent other servers from hitting my APIs.

gruuuvy

1 Answer


It's not related to your AWS security things; you should set CORS settings for your backend API and set your API to only accept requests from your domain.


Understanding CORS

The same-origin policy is an important security concept implemented by web browsers to prevent JavaScript code from making requests against a different origin (e.g., different domain) than the one from which it was served. Although the same-origin policy is effective in preventing resources from different origins, it also prevents legitimate interactions between a server and clients of a known and trusted origin.

Cross-Origin Resource Sharing (CORS) is a technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume a REST API served from a different origin.

For more information read the following documents:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

https://www.html5rocks.com/en/tutorials/cors/

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

and these docs about CORS and Rails

https://demisx.github.io/rails-api/2014/02/18/configure-accept-headers-cors.html

https://til.hashrocket.com/posts/4d7f12b213-rails-5-api-and-cors

How to enable CORS in Rails 4 App

Reza Mousavi
  • CORS prevents JavaScript from other domains from hitting my APIs, but I would like to prevent other servers from hitting my backend. – gruuuvy Oct 17 '18 at 16:31
  • So, edit your question and add it, because your question mentioned the angular app. – Reza Mousavi Oct 17 '18 at 16:49
  • As far as I know, it's not possible; the S3 is a container for your files, all requests to your API come from your users' IP addresses. – Reza Mousavi Oct 17 '18 at 16:53
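The following is an added example, not code from the question, the answer, or the rack-cors gem: a minimal Rack-style middleware that grants cross-origin access only to https://mydomain.com (the allow-list and the stand-in API are constructed for the demo), followed by three simulated requests. The last one carries no Origin header, which is what a curl call or another server sends, and it reaches the API untouched; that is the limitation the comments above describe. Only the Rack env conventions (REQUEST_METHOD, HTTP_ORIGIN, HTTP_ACCESS_CONTROL_REQUEST_METHOD) are assumed, so it runs with plain Ruby and no gems.

```ruby
# Added example: strict CORS middleware plus a demonstration that CORS is a
# browser-side control and does not block non-browser callers.

ALLOWED_ORIGINS = ["https://mydomain.com"].freeze   # constructed allow-list

class StrictCors
  def initialize(app, allowed = ALLOWED_ORIGINS)
    @app = app
    @allowed = allowed
  end

  def call(env)
    origin = env["HTTP_ORIGIN"]

    # No Origin header means this is not a browser cross-origin request.
    # CORS has nothing to say here, so the request flows straight to the API.
    return @app.call(env) if origin.nil?

    unless @allowed.include?(origin)
      # Disallowed origin: reject the preflight outright; for actual requests
      # send no CORS headers, so the browser refuses to expose the response.
      return [403, {"content-type" => "text/plain"}, ["origin not allowed"]] if preflight?(env)
      return @app.call(env)
    end

    if preflight?(env)
      extra = {
        "access-control-allow-methods" => "GET, POST, PUT, DELETE",
        "access-control-allow-headers" => "Content-Type, Authorization",
        "access-control-max-age" => "600",
      }
      return [204, cors_headers(origin).merge(extra), []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(origin)), body]
  end

  private

  def preflight?(env)
    env["REQUEST_METHOD"] == "OPTIONS" && env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
  end

  def cors_headers(origin)
    {
      "access-control-allow-origin" => origin,   # echo the matched origin, never "*"
      "vary" => "Origin",                         # keep shared caches from mixing origins
    }
  end
end

# Constructed stand-in for the Rails API: every request is served.
API = ->(_env) { [200, {"content-type" => "application/json"}, ['{"ok":true}']] }
APP = StrictCors.new(API)

# Builds a Rack env hash for a method with optional Origin / preflight headers
# and returns the middleware's [status, headers, body] triple.
def request(method, origin: nil, preflight_method: nil)
  env = {"REQUEST_METHOD" => method, "PATH_INFO" => "/v1/items"}
  env["HTTP_ORIGIN"] = origin if origin
  env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_method if preflight_method
  APP.call(env)
end

if __FILE__ == $0
  status, headers, = request("GET", origin: "https://mydomain.com")
  puts "browser on mydomain.com:  #{status} allow-origin=#{headers["access-control-allow-origin"].inspect}"
  status, headers, = request("GET", origin: "https://other.example")
  puts "browser on another site:  #{status} allow-origin=#{headers["access-control-allow-origin"].inspect}"
  status, = request("GET")
  puts "curl / another server:    #{status} (no Origin header, CORS never applies)"
end
```

Note that the disallowed browser request still gets a 200 from the API; the browser withholds the body from the page's JavaScript because the response carries no access-control-allow-origin header. Anything that is not a browser, such as another server, ignores those headers entirely, which is why the comments conclude that restricting callers to the S3-hosted app needs a different mechanism than CORS.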