I have an AWS REST API Gateway configured with mTLS and a custom domain. This works like a charm. Now, I want to use the AWS Route53 HealthChecks that are hitting the /health endpoint of my gateway. I don't know how to make healthchecks aware of the fact that the gateway is behind mTLS, and my configured healthchecks always fail.
I tried enabling the default endpoint from my gateway just to expose that /health endpoint, but I can't pick that solution even though it works. Exposing the default endpoint is basically opening my entire API for unauthed traffic.
I also tried to make a non-mTLS /health endpoint in my gateway, but it seems like mTLS is a per-gateway (per custom domain) setting and it cannot be disabled just for one endpoint.
Any thoughts on how I can solve my issue? Thanks in advance.
2 Answers
@Mark B, so I managed to go with the script+mTLS way here, but I decided to do it a little bit differently. Let me give you a broader context here so we are on the same page. My primary region is us-west-2, secondary is us-east-2. In the primary region I have an EKS cluster. I realized I can create e.g. a CronJob that has the TLS certs embedded via secrets, and all it does is a simple call made every 5 min to hit my primary and secondary API Gateways on their /health endpoints. If the response from /health is non-2xx, I then put a 0 value in a specific CloudWatch metric. If the response is 2xx, I put 1 in the metric. Next I'm having a CloudWatch alarm that observes that metric and, based on that metric stream's values, it triggers an alarm. This alarm is next hooked up to the R53 healthcheck. I coded the entire solution only to later realize that I hit the chicken-egg problem:
Is it really a non-solvable problem? I believe, using CloudWatch Synthetics would end up with the same issue.
It doesn’t look possible to use mTLS with Route53 Health Checks. You could instead use Amazon CloudWatch Synthetics to perform your health checks, which is more flexible because it allows you to specify your own script to perform the health check. The runtime environment for CloudWatch Synthetics is a bit limited, but you can embed your mTLS certificate as a PEM format string in your health check script.
Otherwise, you might consider performing health checks against the underlying service(s) that your API Gateway sends traffic to, instead of performing health checks against API Gateway itself.
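Both answers above describe the same core mechanism: a script that holds the mTLS client certificate, probes /health, and reports 1 for a 2xx response or 0 for anything else into a custom CloudWatch metric that an alarm (and then the Route53 health check) watches. The following is an added example of that probe, not code from either poster; it uses only the standard library for the mTLS request, builds the metric datum in the shape CloudWatch's PutMetricData expects, and only imports boto3 inside main() so the core functions can be exercised without AWS credentials. The URL, namespace and metric name are placeholders, and the environment variable names (CLIENT_CERT_PEM, CLIENT_KEY_PEM, HEALTH_URLS) are assumptions for how a CronJob or canary would inject the secrets.

```python
import ssl
import tempfile
import urllib.error
import urllib.request
from typing import Optional

# Constructed placeholder values; replace with your own endpoint and metric names.
HEALTH_URL = "https://api.example.com/health"
METRIC_NAMESPACE = "Custom/ApiGatewayHealth"
METRIC_NAME = "HealthCheckOk"


def make_mtls_context(cert_pem: str, key_pem: str, ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build a client TLS context from PEM strings (e.g. read from a Kubernetes secret
    or embedded in a Synthetics canary). Server verification stays enabled."""
    ctx = ssl.create_default_context()  # verifies the gateway's cert against system CAs
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)  # private CA for the custom domain, if any
    # load_cert_chain only accepts file paths, so stage the PEMs in short-lived temp files.
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as cert_file, \
            tempfile.NamedTemporaryFile("w", suffix=".pem") as key_file:
        cert_file.write(cert_pem)
        cert_file.flush()
        key_file.write(key_pem)
        key_file.flush()
        ctx.load_cert_chain(certfile=cert_file.name, keyfile=key_file.name)
    return ctx  # temp files are deleted here; the key material now lives only in the context


def health_status(url: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> int:
    """GET the health endpoint over mTLS and return the HTTP status code.
    Returns 0 when no HTTP response was obtained at all (TLS handshake rejected,
    connection refused, DNS failure, timeout), so callers never mistake
    'could not reach it' for 'healthy'."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "mtls-health-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 4xx/5xx still carries a status code
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return 0


def metric_value(status: int) -> int:
    """Map an HTTP status to the metric the alarm watches: 1 for 2xx, else 0."""
    return 1 if 200 <= status < 300 else 0


def metric_datum(status: int, url: str) -> dict:
    """One entry for CloudWatch PutMetricData's MetricData list, keyed by endpoint."""
    return {
        "MetricName": METRIC_NAME,
        "Dimensions": [{"Name": "Endpoint", "Value": url}],
        "Value": float(metric_value(status)),
        "Unit": "Count",
    }


def main() -> None:
    # Assumed injection mechanism: PEMs and a comma-separated URL list via environment variables.
    import os
    import boto3  # only needed when actually publishing; keeps the helpers importable offline

    ctx = make_mtls_context(os.environ["CLIENT_CERT_PEM"], os.environ["CLIENT_KEY_PEM"],
                            os.environ.get("CLIENT_CA_PEM"))
    urls = os.environ.get("HEALTH_URLS", HEALTH_URL).split(",")
    data = [metric_datum(health_status(u.strip(), ctx), u.strip()) for u in urls]
    boto3.client("cloudwatch").put_metric_data(Namespace=METRIC_NAMESPACE, MetricData=data)


if __name__ == "__main__":
    main()
```

The design choice worth noting is that a failed request is published as an explicit 0 rather than as a missing datapoint: an alarm that only sees gaps has to be configured to treat missing data as breaching, whereas an explicit 0 per endpoint makes the Route53 health check trip deterministically and keeps the primary and secondary gateways distinguishable through the Endpoint dimension.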