If you haven't been paying close attention you might have missed the API Gateway announcement for resource policies. It later played a key role in supporting API Gateway private endpoints, a way to put your API inside a private VPC.

To configure resource policies with the Serverless framework, you need to upgrade to v1.28.0 or later.

If you want to restrict access to the GET /index.html endpoint to the IP 217.128.123.174, you need the following in your serverless.yml:

```yaml
provider:
  name: aws
  runtime: nodejs8.10
  resourcePolicy:
    - Effect: Allow
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/GET/index.html
      Condition:
        IpAddress:
          aws:SourceIp:
            - 217.128.123.174
```

Nice and easy! There are a couple of things to note:

- You can implement IP blacklisting by changing Effect to Deny.
- If you change the resource policy in the API Gateway console, it won't take effect until you deploy the API. No such worries with the Serverless framework, as sls deploy would deploy the API for you as part of the CloudFormation update.
- You can mix IP and IAM conditions for different endpoints in the same API. But IP and IAM conditions don't work for a private API, which is not publicly accessible and is required for VPC private endpoints.
- When you access the API from EC2 or ECS, you need to whitelist the public IP of the instance, or the NAT Gateway if the instance is not associated with a public IP.

After you set up IP whitelisting on the endpoint, you will get an error like this if you attempt to access it from an IP that has not been whitelisted:

{"Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-central-1:********3770:io75qg1rvf/test/GET/index.html"}

Like what you're reading but want more help? I'm happy to offer my services as an independent consultant and help you with your serverless project: architecture reviews, code reviews, building proof-of-concepts, or offer advice on leading practices and tools.
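To see what the policy above actually decides for a given caller, here is an added Python simulation of how a resource policy's aws:SourceIp condition is evaluated. It is example code written for this post, not part of the Serverless framework or of API Gateway; the account id, API id and the 198.51.100.0/24 and 203.0.113.9 addresses are constructed placeholders, and the Deny-based blacklist is paired with a blanket Allow because the model follows IAM's implicit-deny rule (a request no statement allows is denied), so a lone Deny statement would block every caller.

```python
"""Simulate API Gateway's evaluation of a resource policy IpAddress condition."""
import fnmatch
import ipaddress

# Constructed input: the resourcePolicy from the serverless.yml above, as the
# list of statements API Gateway would evaluate.
WHITELIST_POLICY = [
    {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": ["execute-api:/*/GET/index.html"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["217.128.123.174"]}},
    }
]

# Constructed input: a blacklist. Under the implicit-deny rule modelled below a
# lone Deny statement would leave every caller denied, so the Deny is paired
# with a blanket Allow for the whole API.
BLACKLIST_POLICY = [
    {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": ["execute-api:/*"],
    },
    {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": ["execute-api:/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.0/24"]}},
    },
]

# Constructed request ARN with placeholder account and API ids.
REQUEST_ARN = "arn:aws:execute-api:eu-central-1:123456789012:a1b2c3d4e5/test/GET/index.html"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand_resource(pattern):
    """Expand serverless.yml's short form 'execute-api:/<stage>/<verb>/<path>'
    to a full-ARN glob; region, account and API id become wildcards."""
    prefix = "execute-api:/"
    if pattern.startswith(prefix):
        return "arn:aws:execute-api:*:*:*/" + pattern[len(prefix):]
    return pattern


def _source_ip_matches(source_ip, cidrs):
    """True if source_ip falls inside any listed address or CIDR range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp; any
    other operator or key is rejected rather than silently ignored."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress") or set(keys) != {"aws:SourceIp"}:
            raise ValueError(f"unsupported condition: {operator} {list(keys)}")
        matched = _source_ip_matches(source_ip, keys["aws:SourceIp"])
        if matched != (operator == "IpAddress"):
            return False
    return True


def _statement_applies(stmt, request_arn, source_ip, action):
    """A statement applies when action, resource glob and condition all match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(request_arn, _expand_resource(r))
               for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), source_ip)


def evaluate(policy, request_arn, source_ip, action="execute-api:Invoke"):
    """Return 'Allow' or 'Deny' following IAM's rules: an explicit Deny beats
    any Allow, and a request that no statement allows is implicitly denied."""
    decision = "Deny"
    for stmt in policy:
        if not _statement_applies(stmt, request_arn, source_ip, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def describe(policy, request_arn, source_ip):
    """Render the decision as the caller sees it: the anonymous-user error body
    quoted in the post on Deny, or a plain OK on Allow."""
    if evaluate(policy, request_arn, source_ip) == "Allow":
        return {"Message": "OK"}
    return {"Message": "User: anonymous is not authorized to perform: "
                       f"execute-api:Invoke on resource: {request_arn}"}


if __name__ == "__main__":
    for ip in ("217.128.123.174", "198.51.100.7"):
        print("whitelist", ip, "->", evaluate(WHITELIST_POLICY, REQUEST_ARN, ip))
    for ip in ("198.51.100.7", "203.0.113.9"):
        print("blacklist", ip, "->", evaluate(BLACKLIST_POLICY, REQUEST_ARN, ip))
```

Running it shows the whitelisted address getting Allow, any other address (and any other method or path, since the resource glob only covers GET /index.html) falling through to the implicit Deny, and in the blacklist variant the Deny winning over the blanket Allow for the blocked range. This is the same reason the NAT Gateway note matters: the address the condition sees is whatever API Gateway observes as the source, not the instance's private IP.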
I'm based in London, UK and currently the only UK-based AWS Serverless Hero. I have nearly 10 years of experience with running production workloads in AWS at scale. I operate predominantly in the UK but I'm open to travelling for engagements that are longer than a week. To see how we might be able to work together, tell me more about the problems you are trying to solve.

I can also run an in-house workshop to help you get production-ready with your serverless architecture. The two-day workshop takes you from the basics of AWS Lambda all the way through to common operational patterns for log aggregation, distributed tracing and security best practices.

If you prefer to study at your own pace, then you can also find all the same content of the workshop as a video course I have produced for Manning. We will cover topics including:

- authentication & authorization with API Gateway & Cognito
- testing & running functions locally
- CI/CD
- log aggregation
- monitoring best practices
- distributed tracing with X-Ray
- tracking correlation IDs
- performance & cost optimization
- error handling
- config management
- canary deployment
- VPC
- security
- leading practices for Lambda, Kinesis, and API Gateway

You can also get 40% off the face price with the code ytcui. Hurry though, this discount is only available while we're in Manning's Early Access Program (MEAP).