If you haven’t been pay­ing close atten­tion you might have missed the API Gate­way announce­ment for . It lat­er played a key role in supporting API Gate­way — a way to put your API inside a pri­vate VPC. resource poli­cies pri­vate end­points To con­fig­ure resource poli­cies with the Server­less frame­work, you need to upgrade to v1.28.0 or lat­er. If you want to restrict access to the end­point to the IP 217.128.123.174, you need the fol­low­ing. GET /index.html provider:name: awsruntime: nodejs8.10 :- Effect: AllowPrincipal: "*"Action: execute-api:InvokeResource:- execute-api:/*/GET/index.html : : :- 217.128.123.174 resourcePolicy Condition IpAddress aws:SourceIp Nice and easy! There are a cou­ple of things to note: You can imple­ment IP black­list­ing by chang­ing to . Effect Deny If you change the resource pol­i­cy in the API Gate­way con­sole, it won’t take effect until you deploy the API. No such wor­ries with the server­less framework, as would deploy the API for you as part of the Cloud­For­ma­tion update. sls deploy You can mix IP and IAM con­di­tions for dif­fer­ent end­points in the same API. But, IP and IAM con­di­tions don’t work for a API, which is not pub­licly acces­si­ble and is required for VPC pri­vate end­points. private When you access the API from EC2 or ECS, you need to whitelist the pub­lic IP of the instance, or the NAT Gate­way if the instance is not asso­ci­at­ed with a pub­lic IP. After you set up IP whitelist­ing on the end­point, you will get an error like this if you attempt to access it from an IP that has not been whitelist­ed. {"Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-central-1:********3770:io75qg1rvf/test/GET/index.html"} Like what you’re reading but want more help? I’m happy to offer my services as an and help you with your serverless project — architecture reviews, code reviews, building proof-of-concepts, or offer advice on leading practices and tools. independent consultant I’m based in and currently the only UK-based . I have nearly of with running production workloads in AWS at scale. I operate predominantly in the UK but I’m open to travelling for engagements that are longer than a week. To see how we might be able to work together, tell me more about the problems you are trying to solve . London, UK AWS Serverless Hero 10 years experience here I can also run an to help you get with your serverless architecture. You can find out more about the two-day workshop , which takes you from the basics of AWS Lambda all the way through to common operational patterns for log aggregation, distribution tracing and security best practices. in-house workshops production-ready here If you prefer to study at your own pace, then you can also find all the same content of the workshop as a I have produced for Manning. We will cover topics including: video course authentication authorization with API Gateway Cognito & & testing running functions locally & CI/CD log aggregation monitoring best practices distributed tracing with X-Ray tracking correlation IDs performance cost optimization & error handling config management canary deployment VPC security leading practices for Lambda, Kinesis, and API Gateway You can also get the face price with the code . Hur­ry though, this dis­count is only avail­able while we’re in Manning’s Ear­ly Access Pro­gram (MEAP). 40% off ytcui

Amazon

Step Functions: apply try-catch to a block of states

How to create IP-protected endpoints with API Gateway and Lambda

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

6 Tips To Scale an AppSync Project To 200+ Resolvers That Will Blow Your Mind

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 1)

6 Tips To Scale an AppSync Project To 200+ Resolvers That Will Blow Your Mind

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 1)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps