I have Elastic Beanstalk (EB) with Elastic Load Balancers (ELB) in public subnet and EC2 instances in private subnet. API Gateway sends requests to ELB via HTTP.
I've set the Client-Side Cert. on EB that only requests from API Gateway are acceptable, so access to my EB is restricted.
Do I need set also typical HTTPS between API Gateway and EB? Or the configuration with HTTP is save enough when access to EB is restricted only to API Gateway?
While HTTPS is not strictly necessary, it is definitely preferred.
There is currently no way to restrict access to your EB such that only API Gateway can access it. We are working on VPC support which would obviate the need for making your EB publicly accessible (and with HTTPS), but I can't comment as to when this would be available.
In the meantime, our current suggested best practice is HTTPS with your backend configured to accept client certificates.
