skip to Main Content

I want to restrict the access to my application server by specifying the whitelisted IPs. This is possible by adding them in the security group inbound rules. But my application also uses the API gateway to proxy some of the apis and redirects to the server. Considering the usecase, is it possible for me to whitelist the API gateway?

  • I’m using application load balancer (no provision to use the NLB or other)

Is there any work around?

2

Answers


  1. Chosen as BEST ANSWER

    The only way to restrict access to loadbalancer from gateway is whitelisting the ip ranges of amazon for Gateway services.

    Ex: For us east-1

    enter image description here


  2. If you want to block API Call your API Gateway you can use a Ressource Policy on API gateway to block / allow IP.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": "execute-api:/*/*/*"
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": "execute-api:/*/*/*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["sourceIpOrCIDRBlock", "sourceIpOrCIDRBlock"]
            }
          }
        }
      ]
    }
    

    Yan can also use a AWS WAF in front of your ALB and API Gateway to block or allow IPs

    Reference: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-access/

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search