AWS API Gateway fails while invoking backend API using private ip address - amazon-ec2

I have created a public API using AWS API Gateway with the resource cars and a GET method. I also have a backend API, /api/routing, that is hosted on an EC2 Windows instance. The backend API only accepts POST requests and is used for routing the request based on some header values.
In the integration request I also have a Mapping Template set up so it can POST data to api/routing.
So the integration request for the cars public API looks like below.
The inbound rules for the EC2 instance:
Issue
The Endpoint URL is using the private IP of the EC2 instance. When I test the cars API I get the error
Execution failed due to configuration error: Invalid endpoint address
If I change the Endpoint URL to use the public IP address then it works as expected.
Eventually, I would like to access the backend API using the private IP. The EC2 instance is a free instance that AWS created.
I understand that if I have a VPC then in API Gateway I need to set up VPC Links, but I have not created any VPC (unless AWS creates one by default).

Found it. After creating the VPC link I was still selecting Integration Type as HTTP. It should be VPC Link.

Related

Why does my Lambda function timeout connecting to SES VPC Endpoint?

Since April 2020, AWS supports VPC endpoints for SES (Simple Email Service). Despite this, I cannot get a Lambda to communicate with SES using the endpoint. It always times out. Perhaps this is because the SES VPC endpoints are only supported for EC2 instances in the VPC and not for Lambdas?
I have my infrastructure described using Terraform, as shown in this gist. ses_lambda.tf defines the infrastructure and basically implements this guide. sesTest.js is my Lambda function. terraform-show.out shows the result of terraform show limited to just the resources defined by ses_lambda.tf.
As you can see in ses_lambda.tf, the SES endpoint's security group allows all traffic on any SMTP port (25, 465, 587, 2465, or 2587) from any IP in the VPC's CIDR block. So I'm confused about why this doesn't work...
It looks like SES VPC endpoints are SMTP endpoints, not SES API endpoints. The guide is not explicit about it, but it does mention SMTP ports and endpoints.
I created an endpoint and the private DNS name it produced was email-smtp.us-east-1.amazonaws.com (SMTP). SDK tries to connect to email.us-east-1.amazonaws.com (SES API).
It appears that the solution is to either use SMTP or set up a NAT Gateway.
Update: Confirming that SMTP works over the SES VPC endpoint in Lambda (as expected).
I was having difficulties with the same setup. The reality is that nzhuk98's answer is the solution, but for someone who didn't have experience with this it did not make sense to me either.
You cannot use the AWS SDK's SES methods, even if you adjust the endpoint setting to the private DNS name that was given to you after the VPC endpoint was created.
The AWS SDK's SES methods use HTTPS only, and the VPC endpoint exposes only the SMTP ports of the SES service. Therefore, you need to opt out of using the AWS SDK completely and switch to something like Nodemailer.
This is what I did https://nodemailer.com/smtp/#1-single-connection
I hope this is useful for the next person that is looking for this.
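The same approach in Python, as an added example that is not the answerer's Nodemailer code: it speaks SMTP with STARTTLS on port 587 to the SMTP host name that the VPC endpoint's private DNS resolves (email-smtp.<region>.amazonaws.com, as reported in the thread), never the SES API host (email.<region>.amazonaws.com) that the SDK uses. SES SMTP needs SMTP credentials, not the raw IAM key pair; the password derivation below follows the algorithm AWS documents for converting an IAM secret access key into an SMTP password. The environment variable names and the secret key in the test are placeholders.

```python
"""Send mail through an SES SMTP VPC endpoint from a Python Lambda (added example)."""
import base64
import hashlib
import hmac
import os
import smtplib
import ssl
from email.message import EmailMessage

# Fixed inputs of the documented SES SMTP-credential derivation.
_DATE = "11111111"
_SERVICE = "ses"
_MESSAGE = "SendRawEmail"
_TERMINAL = "aws4_request"
_VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password for an IAM user's secret key and a region.

    Output is 33 bytes (version byte 0x04 + an HMAC-SHA256 chain), base64-encoded,
    so it is always 44 characters long and starts with 'B'.  The SMTP username is
    the IAM user's access key ID.
    """
    sig = _sign(("AWS4" + secret_access_key).encode("utf-8"), _DATE)
    for part in (region, _SERVICE, _TERMINAL, _MESSAGE):
        sig = _sign(sig, part)
    return base64.b64encode(bytes([_VERSION]) + sig).decode("ascii")


def smtp_endpoint_host(region: str) -> str:
    """Host served by the SES VPC endpoint.  Not email.<region>.amazonaws.com,
    the HTTPS API host the SDK would try to reach through the endpoint and time out on."""
    return f"email-smtp.{region}.amazonaws.com"


def send_via_smtp_endpoint(region, smtp_user, smtp_password, sender, recipient,
                           subject, body, port=587):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    ctx = ssl.create_default_context()  # verifies the endpoint's certificate for the host name
    # 587 is STARTTLS; for 465 (implicit TLS) use smtplib.SMTP_SSL instead.
    with smtplib.SMTP(smtp_endpoint_host(region), port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(smtp_user, smtp_password)
        smtp.send_message(msg)


def lambda_handler(event, context):
    # Assumed environment variables: an IAM user's access key pair with ses:SendRawEmail.
    region = os.environ.get("AWS_REGION", "us-east-1")
    password = ses_smtp_password(os.environ["SES_SMTP_SECRET_KEY"], region)
    send_via_smtp_endpoint(region, os.environ["SES_SMTP_ACCESS_KEY"], password,
                           event["from"], event["to"], event["subject"], event["body"])
    return {"status": "sent"}
```

The Lambda's security group still needs an outbound rule to the endpoint's security group on the SMTP port, and the endpoint's security group the matching inbound rule; the endpoint needs private DNS enabled so the email-smtp name resolves inside the VPC. Keeping the IAM user's secret in an environment variable is for illustration; in practice store it in Secrets Manager or Parameter Store.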
When I hear about AWS timeout issues, the first thing I check is always IAM. Does the Lambda function have an IAM policy and execution role that grant the appropriate permissions to access SES within your account?
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-send-email-ses/

AWS API Gateway Pointing to DigitalOcean Domain

There is a requirement that we need to create a new AWS API Gateway, but our domain resides in DigitalOcean. So can we point the API Gateway endpoint to the DigitalOcean domain? The traffic should come to the domain and then to the API Gateway.
Yes, you can do that. You have to:
Request certificate
Approve certificate (To prove your ownership of domain)
Create custom domain for API Gateway
Add base-path mapping (Attach to respective API endpoint)
Please follow the detailed link below:
https://medium.com/@maciejtreder/custom-domain-in-aws-api-gateway-a2b7feaf9c74
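The four steps above driven from boto3, as an added example that is not the answerer's code. The only things that have to happen on the DigitalOcean side are two DNS records, and the two pure functions extract exactly those from the ACM and API Gateway responses: the ACM validation CNAME (step 2) and the CNAME that sends api.example.com to API Gateway's regional domain name (after step 4). The host name, API ID, stage and region are placeholders, as are the sample responses used for the assertions.

```python
"""Custom domain on API Gateway with DNS hosted at DigitalOcean (added example)."""
import time


def acm_validation_record(cert_description: dict) -> dict:
    """DNS validation CNAME from acm.describe_certificate(): create this at DigitalOcean."""
    option = cert_description["Certificate"]["DomainValidationOptions"][0]
    rr = option["ResourceRecord"]
    return {"type": rr["Type"], "name": rr["Name"].rstrip("."), "value": rr["Value"].rstrip(".")}


def api_alias_record(domain_name_response: dict) -> dict:
    """CNAME pointing the custom host name at API Gateway.

    A REGIONAL domain returns regionalDomainName; an EDGE domain returns
    distributionDomainName (a CloudFront host name).
    """
    target = (domain_name_response.get("regionalDomainName")
              or domain_name_response["distributionDomainName"])
    return {"type": "CNAME", "name": domain_name_response["domainName"], "value": target}


def set_up_custom_domain(hostname, rest_api_id, stage, region):
    """Request cert, wait for DNS validation, create the domain and base-path mapping."""
    import boto3  # imported here so the pure helpers above work without boto3 installed

    acm = boto3.client("acm", region_name=region)        # REGIONAL: cert in the API's region
    apigw = boto3.client("apigateway", region_name=region)

    cert_arn = acm.request_certificate(DomainName=hostname, ValidationMethod="DNS")["CertificateArn"]
    # ACM fills in ResourceRecord shortly after the request; poll until it is there.
    while True:
        description = acm.describe_certificate(CertificateArn=cert_arn)
        if "ResourceRecord" in description["Certificate"]["DomainValidationOptions"][0]:
            break
        time.sleep(5)
    print("Create this record at DigitalOcean:", acm_validation_record(description))
    acm.get_waiter("certificate_validated").wait(CertificateArn=cert_arn)

    domain = apigw.create_domain_name(
        domainName=hostname,
        regionalCertificateArn=cert_arn,
        endpointConfiguration={"types": ["REGIONAL"]},
        securityPolicy="TLS_1_2",
    )
    apigw.create_base_path_mapping(domainName=hostname, basePath="", restApiId=rest_api_id, stage=stage)
    print("Then create this record at DigitalOcean:", api_alias_record(domain))
    return domain


# Constructed responses in the shape the two APIs return, used for the checks below.
SAMPLE_CERT = {"Certificate": {"DomainValidationOptions": [{
    "DomainName": "api.example.com", "ValidationMethod": "DNS",
    "ResourceRecord": {"Name": "_abc123.api.example.com.", "Type": "CNAME",
                       "Value": "_xyz789.acm-validations.aws."}}]}}
SAMPLE_DOMAIN = {"domainName": "api.example.com",
                 "regionalDomainName": "d-abcdef1234.execute-api.eu-west-1.amazonaws.com"}

if __name__ == "__main__":
    set_up_custom_domain("api.example.com", "abc123", "prod", "eu-west-1")
```

Use a subdomain such as api.example.com: a CNAME cannot sit at the zone apex, and DigitalOcean DNS has no alias record that could stand in for it. Deploying the stage is still required before the mapping serves anything, and the TLS_1_2 security policy is the minimum worth setting on a public custom domain.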

Why is my AWS Security group allowing traffic?

I thought I had an understanding of AWS security groups, but this doesn't make any sense.
I have a Lambda Function that is inside of my VPC.
It is assigned a security group (TestLambdaSG).
TestLambdaSG has inbound HTTP/HTTPS rules from IP 1.2.3.4/32
I can connect to my Lambda Function from my IP. Why?
AWS says that security groups are restrictive by default, so I shouldn't be able to connect. My Lambda function is an API; I created a test route that returns a "Success" message.
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html
The security group assigned to a Lambda is only used to validate outgoing traffic; it is impossible to access the Lambda directly through a socket connection. Therefore I don't think the Lambda security group's inbound rules are of any use.
But other services such as API Gateway can invoke a Lambda. An API Gateway is publicly available by default when it is deployed.
That's why it's accessible from Postman for you.
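The control the question was reaching for lives on the API, not on the Lambda's security group: an API Gateway resource policy can restrict execute-api:Invoke by caller IP. The block below is an added example, not from the thread. The policy is the documented allow-list pattern (an Allow plus an explicit Deny for every address outside the list), and evaluate() is a deliberately small simulation of the one rule that matters here, explicit Deny beats Allow; it is not IAM's evaluator. The API ARN is a placeholder and 1.2.3.4/32 is the address from the question.

```python
"""Restrict API Gateway invocation by source IP with a resource policy (added example)."""
import ipaddress
import json


def source_ip_allowlist_policy(execute_api_arn: str, cidrs) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": execute_api_arn},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": execute_api_arn,
             # Deny everyone whose source address is NOT in the list.
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)}}},
        ],
    }


def _ip_in(cidrs, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition, source_ip: str) -> bool:
    if not condition:
        return True
    ok = True
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if operator == "IpAddress":
            ok = ok and _ip_in(cidrs, source_ip)
        elif operator == "NotIpAddress":
            ok = ok and not _ip_in(cidrs, source_ip)
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return ok


def evaluate(policy: dict, source_ip: str) -> bool:
    """Simulation for this policy shape only: a matching Deny wins, else any matching Allow."""
    allowed = False
    for statement in policy["Statement"]:
        if not _condition_matches(statement.get("Condition"), source_ip):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def attach_policy(rest_api_id: str, policy: dict, region: str) -> None:
    """Attach the policy to the REST API; redeploy the stage afterwards for it to apply."""
    import boto3  # imported here so the rest of the block runs without boto3 installed

    boto3.client("apigateway", region_name=region).update_rest_api(
        restApiId=rest_api_id,
        patchOperations=[{"op": "replace", "path": "/policy", "value": json.dumps(policy)}],
    )


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/*"   # placeholder
    policy = source_ip_allowlist_policy(arn, ["1.2.3.4/32"])
    print(json.dumps(policy, indent=2))
    print(evaluate(policy, "1.2.3.4"), evaluate(policy, "5.6.7.8"))
```

The Lambda itself can then keep a narrow resource-based policy that only lets that API invoke it, so reaching the function requires passing the API's policy first. aws:SourceIp is the address API Gateway sees, so callers behind a NAT or proxy share one address; for anything beyond a handful of fixed addresses use an authorizer or IAM authorization instead of IP rules.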

AWS API Gateway to internal Web Service (an API that's not publicly available)

I've set up an Amazon API Gateway instance with a mock back-end and have it working perfectly.
I've also set up a RESTful API and deployed it to Amazon EC2. I can access it publicly with Postman.
What I would like to do now is proxy all calls through the API gateway. Then block public access to the EC2 instance.
The problem is that I'm really struggling to find clear documentation on how this is done - which makes me think I might be doing things incorrectly, architecturally speaking.
My EC2 instance gives me a public DNS address and a private one. I've tried setting the API Gateway to point to the private address over HTTP, but the URL doesn't validate in API Gateway and won't save.
If someone could explain to me in plain English how this is supposed to work at a high level, and perhaps point to documentation, that would be absolute gold.
This is what API Gateway calls a private integration.
API Gateway is not, itself, inside your VPC, so the solution uses a Network Load Balancer and VPC PrivateLink to allow API Gateway to access your private resources.
Documentation and setup can be found here:
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html
Don't confuse private integrations with private endpoints which allow the opposite -- with private endpoints, resources in your VPC are able to access an API deployed in API Gateway, without exposing the API Gateway endpoint itself to the Internet.
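A pre-flight check for the integration, as an added example that is not from either thread. It covers this question and the first one on this page (an HTTP integration pointed at a 10.x address, rejected with "Invalid endpoint address", fixed by switching the integration to VPC Link): given the backend URL, decide whether a plain HTTP integration can reach it or whether it needs a VPC link, and build the put_integration arguments accordingly. The private/public classification is this example's own rule of thumb, since API Gateway does not publish its validation rules; the NLB DNS name and VPC link ID are placeholders.

```python
"""Decide between an HTTP integration and a VPC-link private integration (added example)."""
import ipaddress
from urllib.parse import urlparse

# EC2 private host names (ip-10-0-1-23.ec2.internal, ...) resolve only inside the VPC.
PRIVATE_DNS_SUFFIXES = (".internal",)


def needs_vpc_link(endpoint_url: str) -> bool:
    """True if API Gateway, which sits outside the VPC, cannot reach the host directly."""
    host = urlparse(endpoint_url).hostname
    if host is None:
        raise ValueError(f"no host in {endpoint_url!r}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: assume a public name unless it is an EC2-internal one.
        return host.endswith(PRIVATE_DNS_SUFFIXES)
    # RFC 1918, loopback, link-local and CGNAT addresses are all unreachable from outside.
    return not addr.is_global


def integration_request(endpoint_url: str, vpc_link_id=None, nlb_dns=None,
                        http_method: str = "POST") -> dict:
    """Build the type/connection/uri arguments for apigateway.put_integration().

    Over a VPC link the uri names the Network Load Balancer that fronts the
    instance, not the instance itself: PrivateLink only exposes the NLB.
    """
    if not needs_vpc_link(endpoint_url):
        return {"type": "HTTP", "integrationHttpMethod": http_method,
                "connectionType": "INTERNET", "uri": endpoint_url}
    if not (vpc_link_id and nlb_dns):
        raise ValueError("private backend: a VPC link ID and the NLB DNS name are required")
    path = urlparse(endpoint_url).path or "/"
    return {"type": "HTTP", "integrationHttpMethod": http_method,
            "connectionType": "VPC_LINK", "connectionId": vpc_link_id,
            "uri": f"http://{nlb_dns}{path}"}


def put_integration(rest_api_id, resource_id, method, endpoint_url, region, **kwargs):
    """Apply the integration; boto3 is imported lazily so the helpers run without it."""
    import boto3

    boto3.client("apigateway", region_name=region).put_integration(
        restApiId=rest_api_id, resourceId=resource_id, httpMethod=method,
        **integration_request(endpoint_url, **kwargs))


if __name__ == "__main__":
    print(integration_request("http://10.0.1.23/api/routing",
                              vpc_link_id="abc123",   # placeholder VPC link ID
                              nlb_dns="my-nlb-1234.elb.us-east-1.amazonaws.com"))
    print(integration_request("http://54.1.2.3/api/routing"))
```

Once the VPC link works, remove the instance's public address and the inbound rule that admitted the Internet, so the only path to the backend is API Gateway through the NLB; the integration's own Mapping Template and method settings are unchanged by the switch, only the connection type and uri differ.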

How to verify client-certificate in AWS Lambda

I'm new to Lambda... Assuming I have an API Gateway that invokes my Lambda function (Node.js) upon some HTTPS POST request from the web, how do I perform SSL peer authentication of the original HTTP client?
For example, let's say some server on the Internet performs an HTTP POST to my API Gateway, which in turn invokes my Lambda. I want my Lambda to allow requests only from a client whose SSL certificate is associated with a specific domain.
Thanks!
Lambda does not deal with SSL certificates. API Gateway does.
Also, API Gateway does not provide you with HTTP endpoints, only HTTPS.
From the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
To set up your specific domain, see the following link:
Set up Custom Domain Name for API Host Name
The Lambda authorizer is passed the cert data from the request.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html
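What that authorizer can look like, as an added example in Python rather than the asker's Node.js, and not code from the thread. API Gateway terminates TLS and, when mutual TLS is enabled on the API's custom domain, validates the client certificate against the truststore and passes its details to a REQUEST-type Lambda authorizer under requestContext.identity.clientCert (the layout follows the authorizer-input document linked above). The authorizer then decides on the certificate's subject and issuer, which is the "only a client whose certificate is associated with a specific domain" check the question asks for. The allowed CN, expected issuer, method ARN and the sample certificate fields are placeholders; the DN parser is minimal and does not handle escaped commas.

```python
"""Lambda authorizer admitting only a known mTLS client certificate (added example)."""
from datetime import datetime, timezone

ALLOWED_SUBJECT_CN = "partner.example.com"     # assumed: the one client we accept
EXPECTED_ISSUER_DN = "CN=Example Partner CA"   # assumed: the CA whose cert is in the truststore


def subject_cn(dn: str):
    """CN from a DN like 'CN=partner.example.com,O=Partner'.  A bare name
    (as in the docs' simplified example 'www.example.com') is returned as-is."""
    if "=" not in dn:
        return dn.strip() or None
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def _parse_validity(ts: str) -> datetime:
    # Format as in the documented example: 'May 28 12:30:02 2019 GMT'
    return datetime.strptime(ts, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def _policy(principal: str, effect: str, method_arn: str) -> dict:
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
        "context": {"subjectDN": principal},   # surfaced to the backend as $context.authorizer.subjectDN
    }


def authorize(event: dict, now: datetime = None) -> dict:
    """Return an Allow policy only for the expected subject CN signed by the expected issuer."""
    now = now or datetime.now(timezone.utc)
    method_arn = event["methodArn"]
    cert = event.get("requestContext", {}).get("identity", {}).get("clientCert")
    if not cert:                                # no mTLS on this domain, or no client cert sent
        return _policy("anonymous", "Deny", method_arn)
    subject = cert.get("subjectDN", "")
    if subject_cn(subject) != ALLOWED_SUBJECT_CN or cert.get("issuerDN", "") != EXPECTED_ISSUER_DN:
        return _policy(subject or "unknown", "Deny", method_arn)
    validity = cert.get("validity", {})
    if "notBefore" in validity and "notAfter" in validity:   # defence in depth: refuse expired certs
        if not _parse_validity(validity["notBefore"]) <= now <= _parse_validity(validity["notAfter"]):
            return _policy(subject, "Deny", method_arn)
    return _policy(subject, "Allow", method_arn)


def lambda_handler(event, context):
    return authorize(event)


# Constructed authorizer input in the documented shape, for trying the function out.
SAMPLE_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/orders"
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_event(subject_dn: str, issuer_dn: str, not_after: str = "Aug 5 09:36:04 2031 GMT") -> dict:
    return {"methodArn": SAMPLE_METHOD_ARN, "requestContext": {"identity": {"clientCert": {
        "clientCertPem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
        "subjectDN": subject_dn, "issuerDN": issuer_dn, "serialNumber": "1",
        "validity": {"notBefore": "May 28 12:30:02 2019 GMT", "notAfter": not_after}}}}}


if __name__ == "__main__":
    print(authorize(sample_event("CN=partner.example.com,O=Partner", EXPECTED_ISSUER_DN), SAMPLE_NOW))
```

The authorizer only ever sees certificates that already chained to the truststore, so the issuer check is what keeps a second CA that happens to be in the truststore from minting an acceptable subject. Binding to the subject CN rather than to a serial number means the client can rotate certificates without a redeploy; pinning the serial or the SHA-256 of clientCertPem is the stricter alternative.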