2

I know I can put a REGIONAL endpoint type API Gateway behind a Cloudfront distribution, but is it possible to put a PRIVATE endpoint type API Gateway?

This way only calls from the Internet to Cloudfront would hit the API Gateway? I assume this can not be done because Cloudfront is public.

Squirrel

2 Answers

2

The purpose of private APIs is to allow access from a specific internal network (e.g., a VPC subnet, on-premise network).

So if you need to configure a CloudFront, then the requests from CloudFront should be routed to a public endpoint of the network (e.g., an internet-facing NLB) and then the NLB can point to the static IPs of the VPC endpoint which is associated with the resource policy of the private API.

I do not think the above solution is suitable for production environments due to certain security issues, and integration points can be broken if someone updates the VPC endpoint configuration. So I would say it's better not to configure a CloudFront in front of a private API.

Could you explain a bit more on why you need to introduce a CloudFront distribution in front of a private API? I may be able to provide an alternative. For example, you may consider introducing a WAF rule (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html) if you need to restrict access to an API from a specific domain (e.g., a CloudFront distribution).

Denis Weerasiri
  • I wanted to keep API Gateway *protected* behind Cloudfront. Similar to how you can protect an S3 origin by enabling `OAI` in Cloudfront. Currently, when I deploy an API Gateway, it will generate a link `https://.execute-api..amazonaws.com/` that is visible from the Internet. I would have liked to avoid exposing access to the API Gateway directly (from the Internet). My setup is: `Internet -> Cloudfront -> API Gateway -> VPC Link (internal NLB) -> EC2` in a private subnet. I am not sure if this is the best way. First time dealing with API GW. – Squirrel Feb 13 '19 at 15:26
  • I would consider WAF at a later time. This is why I didn't want to use API Gateway edge optimized. – Squirrel Feb 13 '19 at 15:29
  • @Squirrel, if you create a private API, then you don't need to worry about the security attacks from the public internet. Because private API endpoints are only allowed to be accessible by a specific VPC ID/endpoint. – Denis Weerasiri Feb 23 '19 at 02:57
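The resource policy this answer relies on, as an added example that is not part of the original answer: a private API's resource policy that allows `execute-api:Invoke` only for calls arriving through one interface VPC endpoint, plus a small evaluator that models just the IAM constructs this policy uses (Allow/Deny, wildcard resources, `StringNotEquals` on `aws:SourceVpce`) so you can see why a request from anywhere else is denied. The VPC endpoint ID, account ID and API ID are placeholders; the evaluator is a deliberately simplified model, not a general IAM engine.

```python
"""Resource policy for a PRIVATE API Gateway endpoint, restricted to one VPC endpoint.

Added example, not from the original answer. The ID values are placeholders.
The evaluator below models only the IAM constructs this policy uses
(Allow/Deny effects, wildcard resources, StringEquals/StringNotEquals on
aws:SourceVpce); it is not a general IAM policy engine.
"""
import fnmatch
import json

VPCE_ID = "vpce-0123456789abcdef0"  # placeholder interface endpoint ID
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*"  # placeholder


def private_api_resource_policy(vpce_id: str, api_arn: str) -> dict:
    """Allow any principal to invoke the API, but deny unless the call came via vpce_id.

    The explicit Deny wins over the Allow, so a request whose context has no
    aws:SourceVpce (e.g. arriving from the public internet) is rejected.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block; only StringEquals/StringNotEquals are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                # A missing context key is "not equal" to every value, so the
                # condition holds and the Deny applies.
                if actual in expected_values:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny'. Explicit Deny always wins; no match is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = private_api_resource_policy(VPCE_ID, API_ARN)
    print(json.dumps(policy, indent=2))
    method = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items"
    # Through the configured VPC endpoint: Allow
    print(evaluate(policy, "execute-api:Invoke", method, {"aws:SourceVpce": VPCE_ID}))
    # From the public internet (no aws:SourceVpce in the request context): Deny
    print(evaluate(policy, "execute-api:Invoke", method, {"aws:SourceIp": "203.0.113.5"}))
```

Attach the generated document as the API's resource policy and redeploy the stage for it to take effect; the `Principal: "*"` Allow is what makes the API reachable without IAM-signed requests, and the Deny with `StringNotEquals` is what confines it to the endpoint.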
1

Configure the CloudFront distribution to include a custom header carrying a shared secret whenever it forwards a request to your custom origin. You need to specify the header name and its value. For example, when using Amazon API Gateway as the origin, you can configure an x-api-key header with your API key value as the custom header.

https://aws.amazon.com/blogs/networking-and-content-delivery/serving-private-content-using-amazon-cloudfront-aws-lambdaedge/

I am not really sure what you mean by

This way only calls from the Internet to Cloudfront would hit the API Gateway

Sushant Sonker
  • I meant that I do not want anyone on the Internet to hit the API Gateway directly. All API calls should go through Cloudfront. – Squirrel Feb 13 '19 at 15:28
  • The Lambda@Edge solution mentioned in the link pasted above should be able to restrict your internet traffic to cloudfront. Give it a try. – Sushant Sonker Feb 13 '19 at 15:58
  • @Squirrel, based on *All API calls should go through CloudFront*, check out [this question](https://stackoverflow.com/q/43412908/7229391) that directly asks/addresses that question. I recommend using the SigV4 signer option I put as an answer because it enables you to use traditional IAM policies to control access to your API Gateway and, when paired with a Lambda@Edge function, you are able to force access through your CloudFront distribution. – Reed Hermes Mar 06 '19 at 05:06
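The shared-secret header check this answer describes, on the API Gateway side, as an added example that is not part of the original post or of the linked blog: a Python Lambda REQUEST authorizer (REST API) that admits a request only if the header CloudFront was configured to add carries the expected value, compared in constant time, and fails closed when the secret is not configured. The header name `x-origin-verify` and the `ORIGIN_VERIFY_SECRET` environment variable are assumptions; the example uses a dedicated header rather than `x-api-key` so that usage-plan API keys stay independent of the origin check.

```python
"""Lambda REQUEST authorizer that admits only requests carrying CloudFront's secret header.

Added example, not from the original post. Assumptions: the CloudFront origin is
configured with an 'x-origin-verify' custom header holding a random secret, and
the same value is provided to this function through the ORIGIN_VERIFY_SECRET
environment variable (sourced from Secrets Manager or SSM in practice). A caller
who hits the execute-api URL directly does not know the value and is denied.
"""
import hmac
import os
import secrets

HEADER_NAME = "x-origin-verify"  # assumed name of the CloudFront origin custom header


def make_secret() -> str:
    """Generate a value suitable for the CloudFront custom header (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def _policy(effect: str, method_arn: str) -> dict:
    """Build the IAM policy response API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": "cloudfront-origin",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": method_arn,
                }
            ],
        },
    }


def header_is_valid(headers: dict, expected: str) -> bool:
    """Constant-time check of the shared-secret header.

    HTTP header names are case-insensitive, so they are lowercased before lookup.
    An empty expected value means the function is misconfigured; never fail open.
    """
    if not expected:
        return False
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    presented = lowered.get(HEADER_NAME)
    if presented is None:
        return False
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def handler(event: dict, context=None) -> dict:
    """Entry point for the REQUEST authorizer.

    Set the authorizer's identity source to method.request.header.x-origin-verify
    so API Gateway caches the decision per header value.
    """
    expected = os.environ.get("ORIGIN_VERIFY_SECRET", "")
    effect = "Allow" if header_is_valid(event.get("headers"), expected) else "Deny"
    return _policy(effect, event["methodArn"])


if __name__ == "__main__":
    # Constructed sample event in the REST API REQUEST-authorizer shape.
    sample = {
        "type": "REQUEST",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items",
        "headers": {"X-Origin-Verify": "replace-with-the-value-configured-in-cloudfront"},
    }
    print(handler(sample)["policyDocument"]["Statement"][0]["Effect"])
```

Rotate the value by adding the new secret to the function first, then updating the CloudFront origin header; the check above accepts a single value, so for zero-downtime rotation you would extend `header_is_valid` to accept the current and previous secrets for a short overlap window.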