AWS API gateway and Load balancer secure communication

1
votes

We are using AWS API gateway and a load balancer in front of our EC2 cluster. Gateway needed load balancer to be public hosted and thats why we put load balancer in public subnet of VPC and all of our EC2 instances in private VPC.

The problem we are facing that as our load balancer is in public VPC, how we can invalidate our requests not coming from our API gateway. We just want to pass through the requests from load balancer to EC2 instances if and only if it is coming through our API gateway.

When I explored the possible resolution someone suggested that use public client certificate from gateway to validate your requests. I was able to get this public certificate from gateway but did not find any way to configure it in load balancer.

3
amazon-web-servicessslaws-api-gatewayelastic-load-balancer

3 Answers

1
votes

The proper solution nowadays is to use a VPC link with a Network Load Balancer from AWS. You setup a Network Load Balancer in front of your VPC resource (e.g. an EC2 instance) and you create an API Gateway VPC Link. In the API Gateway integration you choose VPC Link and you are able to access the Network Load Balancer and in extension your private EC2 instance.

0
votes

You cannot verify the client certificate at Load Balancer level. You need to validate it at container level.

There is another approach you can follow by keeping the Load Balancer private and using a Lambda function(which is placed inside VPC) to proxy to the Load Balancer, where you can validate the client certificate.

0
votes

On further analysis, I came across with following concerns with AWS API gateway approach.

  1. VPC has huge impact on lambda container initialisation time when the lambda container is not reused or it is cold. As per others experience it might take 10 to 15 seconds and it might delay response time. Even if it is a hot lambda, a time delay cost is associated when you access VPC from it.
  2. Lambda need sufficient number of ENI and private IPs range to support parallel execution. It means if at runtime , load increases and if there would not any ENI free, the request will be failed. We are not sure if we can dynamically increase the ENI at runtime based on requests load.
  3. If there will be any error or timeout due to unavailability of ENI, AWS does not create any log for it and you may be clueless about source of error.