I'm new to Lambda... Assuming I have an API Gateway that invokes my Lambda function (node.js) upon some HTTPS POST request from the web, how do I perform SSL peer authentication of the original HTTP client?
For example, let's say some server on the internet performs an HTTP POST to my API Gateway, which in turn invokes my Lambda. I want my Lambda to allow requests only from a client whose SSL certificate is associated with a specific domain.
Thanks!
Lambda does not deal with SSL certificates. API Gateway does.
Also, API Gateway does not provide you with HTTP endpoints, only HTTPS.
From the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
To set up your specific domain, see the following link:
Set up Custom Domain Name for API Host Name
The Lambda authorizer is passed the certificate data from the request.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html
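As an added example (not from the original answer), a Node.js REQUEST authorizer that allows a call only when the client certificate presented to API Gateway has a subject CN in an allow list and is inside its validity window. It assumes mutual TLS is enabled on the custom domain and that the certificate fields arrive under `event.requestContext.identity.clientCert` with `subjectDN` and `validity.notBefore`/`notAfter` strings that `Date` can parse; `partner.example.com` and the sample event are constructed values.

```javascript
// Added example: Lambda REQUEST authorizer that decides Allow/Deny from the
// client certificate API Gateway forwards under requestContext.identity.clientCert
// (assumed field layout; mutual TLS must be enabled on the custom domain).
const ALLOWED_CN = new Set(['partner.example.com']); // constructed allow list

// Parse an RFC 2253 style DN such as "CN=partner.example.com,O=Example,C=US"
function parseDn(dn) {
  const out = {};
  for (const part of String(dn || '').split(',')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim().toUpperCase()] = part.slice(i + 1).trim();
  }
  return out;
}

// Build the IAM policy document API Gateway expects back from an authorizer
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
  };
}

// Deny when no certificate is present, the CN is not allowed, or the cert is
// outside its validity window. `now` is injectable so the check is testable.
function authorize(event, now = new Date()) {
  const cert = event?.requestContext?.identity?.clientCert;
  if (!cert) return buildPolicy('anonymous', 'Deny', event.methodArn);
  const cn = parseDn(cert.subjectDN).CN;
  const notBefore = new Date(cert.validity?.notBefore);
  const notAfter = new Date(cert.validity?.notAfter);
  const inWindow = !Number.isNaN(notBefore) && !Number.isNaN(notAfter)
    && now >= notBefore && now <= notAfter;
  const effect = cn && ALLOWED_CN.has(cn) && inWindow ? 'Allow' : 'Deny';
  return buildPolicy(cn || 'unknown', effect, event.methodArn);
}

// Lambda entry point
const handler = async (event) => authorize(event);
if (typeof module !== 'undefined') module.exports = { handler, authorize, parseDn };
```

The gateway applies the returned policy to the `methodArn` of the call, so a Deny here stops the request before your backend Lambda runs.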
When developing backend microservices that sit behind an API Gateway how do you develop locally, ensuring that client requests to a single endpoint (the API gateway) and request path are routed to the right local service?
The Microsoft eShopOnContainers architecture example uses Envoy as a local API Gateway (it used to be Ocelot) but how would you then deploy a stack like this to the cloud, keeping your local and cloud API Gateways in sync with the right request routing, resource descriptions, etc? Do you essentially need to manage two API gateway configurations?
I'm aware of SAM and sam local start-api but I'm referring to other backend services that aren't serverless, e.g. using VpcLink.
There is a requirement that we need to create a new AWS API Gateway, but our domain resides in DigitalOcean. So can we point the API Gateway endpoint to the DigitalOcean domain? The traffic should come to the domain and then to API Gateway.
Yes, you can do that. You have to:
Request a certificate
Approve the certificate (to prove your ownership of the domain)
Create a custom domain for API Gateway
Add a base-path mapping (attach it to the respective API endpoint)
Please follow the detailed link below
https://medium.com/#maciejtreder/custom-domain-in-aws-api-gateway-a2b7feaf9c74
I thought I had an understanding of AWS security groups, but this doesn't make any sense.
I have a Lambda Function that is inside of my VPC.
It is assigned a security group (TestLambdaSG).
TestLambdaSG has inbound HTTP/HTTPS rules from IP 1.2.3.4/32
I can connect to my Lambda Function from my IP. Why?
AWS says that security groups are restrictive by default, so I shouldn't be able to connect. My Lambda function is an API in which I created a test route that returns a "Success" message.
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-security-groups.html
The security group assigned to a Lambda is only used to validate outgoing traffic; it is impossible to access the Lambda directly through a socket connection. Therefore I don't think the Lambda security group's inbound rules are of any use.
But other services such as API Gateway can invoke a Lambda. An API Gateway is publicly available by default when it is deployed.
That's why it's accessible from Postman for you.
I've set up an Amazon API Gateway instance with a mock back-end and have it working perfectly.
I've also set up a RESTful API and deployed it to Amazon EC2. I can access it publicly with Postman.
What I would like to do now is proxy all calls through the API gateway. Then block public access to the EC2 instance.
The problem is that I'm really struggling to find clear documentation on how this is done - which makes me think I might be doing things incorrectly, architecturally speaking.
My EC2 instance gives me a public DNS address and a private one. I've tried setting the API Gateway to point to the private address over HTTP, but the URL doesn't validate in the AWS Gateway and won't save.
If someone could explain to me in plain English how this is supposed to work at a high level, and perhaps point to documentation, that would be absolute gold.
This is what API Gateway calls a private integration.
API Gateway is not, itself, inside your VPC, so the solution uses a Network Load Balancer and VPC PrivateLink to allow API Gateway to access your private resources.
Documentation and setup can be found here:
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html
Don't confuse private integrations with private endpoints which allow the opposite -- with private endpoints, resources in your VPC are able to access an API deployed in API Gateway, without exposing the API Gateway endpoint itself to the Internet.
I have created a public API using AWS API Gateway with the resource cars and a GET method. I also have a backend API, /api/routing, that is hosted on an EC2 Windows instance. The backend API only accepts POST requests and is used for routing the request based on some header values.
In the integration request I also have a Mapping Template set up so it can POST data to api/routing
So the integration request for the cars public API looks like below
The inbound rules for the EC2 instance
Issue
The Endpoint URL is using the private IP of the EC2 instance. When I test the cars API I get the error
Execution failed due to configuration error: Invalid endpoint address
If I change the Endpoint URL to use the public IP address then it works as expected
Eventually, I would like to access the backend API using the private IP. The EC2 instance is a free instance that AWS created.
I understand that if I have a VPC then in API Gateway I need to set up VPC Links, but I have not created any VPC (unless AWS creates one by default).
Found it. After creating the VPC link I was still selecting Integration Type as HTTP; it should be VPC Link.