
How to restrict access to Elastic Beanstalk so that it processes requests only from API Gateway?

From API Gateway's point of view it is quite simple:

  1. Generate simple Client Certificate (via API Gateway dashboard),
  2. Backend validates Certificate on every request.

(A) But how should I validate this client-side certificate on my Elastic Beanstalk (EB) in a multidocker configuration with NGINX?

I've read that the Elastic Load Balancer (ELB) (the component of EB) cannot validate it. I have to validate it using NGINX running as a Docker container on EC2 behind the ELB.

(B) What should I set up on the Elastic Load Balancer of EB (port configuration: HTTP(S) / TCP)? Do I have to buy a verified SSL certificate so that my Elastic Beanstalk can use port 443?

(C) What should I set up on my EC2 instance? (Besides NGINX - I believe that I know how to set up nginx.conf)

(D) Are there some downsides of using TCP instead of HTTP in ELB?

I've read some articles and other SO posts about this problem, but currently I feel confused about this topic. Any clarification will be very helpful!


1 Answer


You are correct in that you will need to validate the certificate on your server hosts. The specific configuration will vary depending on your setup, but should be pretty straightforward - I suggest you consult NGINX documentation for that.

In order to validate the certificate on your hosts, you will need to configure your ELB to use TCP load balancing. Please see the ELB docs on the differences between HTTP and TCP load balancing.
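As an added illustration of what the answer describes (not part of the original post or of any AWS-provided configuration), here is an NGINX server block that terminates TLS behind a TCP-mode ELB and accepts only requests presenting the client certificate generated in the API Gateway console. The file paths, the `app:8080` upstream name and the hostname are assumptions for the example.

```nginx
# Assumes the ELB listener is TCP 443 -> TCP 443 (pass-through), so the TLS
# handshake, and therefore client-certificate verification, happens here.
server {
    listen 443 ssl;
    server_name api.example.com;   # placeholder hostname

    # Server certificate presented to API Gateway. API Gateway checks the
    # backend's certificate, so this should be issued by a publicly trusted CA
    # and match server_name (assumed paths).
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # PEM of the client certificate downloaded from the API Gateway console.
    # It is self-signed, so it acts as its own trust anchor; depth 1 is enough.
    ssl_client_certificate /etc/nginx/certs/apigw-client.pem;
    ssl_verify_depth 1;

    # "optional" lets the handshake complete so we can answer with an HTTP 403
    # instead of a bare TLS failure; use "on" to reject at the handshake instead.
    ssl_verify_client optional;

    location / {
        # Reject anything that did not present a certificate chaining to the
        # API Gateway client cert (covers both "NONE" and "FAILED:...").
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward to the application container (assumed name/port).
        proxy_pass http://app:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Expose the verified client DN to the app for logging/auditing.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

Because the ELB is in TCP mode it no longer adds `X-Forwarded-For`, so `$remote_addr` seen by NGINX is the load balancer, not API Gateway; rotate `apigw-client.pem` before the certificate's expiry shown in the API Gateway console, otherwise every request will start returning 403.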