How to create IP-protected endpoints with API Gateway and Lambda

If you haven’t been pay­ing close atten­tion you might have missed the API Gate­way announce­ment for resource poli­cies. It lat­er played a key role in supporting API Gate­way pri­vate end­points — a way to put your API inside a pri­vate VPC.

To con­fig­ure resource poli­cies with the Server­less frame­work, you need to upgrade to v1.28.0 or lat­er. If you want to restrict access to the GET /index.html end­point to the IP 217.128.123.174, you need the fol­low­ing.

provider:name: awsruntime: nodejs8.10resourcePolicy:- Effect: AllowPrincipal: "*"Action: execute-api:InvokeResource:- execute-api:/*/GET/index.htmlCondition:IpAddress:aws:SourceIp:- 217.128.123.174

Nice and easy!

There are a cou­ple of things to note:

• You can imple­ment IP black­list­ing by chang­ing Effect to Deny.
• If you change the resource pol­i­cy in the API Gate­way con­sole, it won’t take effect until you deploy the API. No such wor­ries with the server­less framework, as sls deploy would deploy the API for you as part of the Cloud­For­ma­tion update.
• You can mix IP and IAM con­di­tions for dif­fer­ent end­points in the same API. But, IP and IAM con­di­tions don’t work for a private API, which is not pub­licly acces­si­ble and is required for VPC pri­vate end­points.
• When you access the API from EC2 or ECS, you need to whitelist the pub­lic IP of the instance, or the NAT Gate­way if the instance is not asso­ci­at­ed with a pub­lic IP.

After you set up IP whitelist­ing on the end­point, you will get an error like this if you attempt to access it from an IP that has not been whitelist­ed.

{"Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-central-1:********3770:io75qg1rvf/test/GET/index.html"}

Like what you’re reading but want more help? I’m happy to offer my services as an independent consultant and help you with your serverless project — architecture reviews, code reviews, building proof-of-concepts, or offer advice on leading practices and tools.

I’m based in London, UK and currently the only UK-based AWS Serverless Hero. I have nearly 10 years of experience with running production workloads in AWS at scale. I operate predominantly in the UK but I’m open to travelling for engagements that are longer than a week. To see how we might be able to work together, tell me more about the problems you are trying to solve here.

I can also run an in-house workshops to help you get production-ready with your serverless architecture. You can find out more about the two-day workshop here, which takes you from the basics of AWS Lambda all the way through to common operational patterns for log aggregation, distribution tracing and security best practices.

If you prefer to study at your own pace, then you can also find all the same content of the workshop as a video course I have produced for Manning. We will cover topics including:

• authentication & authorization with API Gateway & Cognito
• testing & running functions locally
• CI/CD
• log aggregation
• monitoring best practices
• distributed tracing with X-Ray
• tracking correlation IDs
• performance & cost optimization
• error handling
• config management
• canary deployment
• VPC
• security
• leading practices for Lambda, Kinesis, and API Gateway

You can also get 40% off the face price with the code ytcui. Hur­ry though, this dis­count is only avail­able while we’re in Manning’s Ear­ly Access Pro­gram (MEAP).