9
votes

When you create an API using API Gateway and map a custom domain, AWS API Gateway creates an entry in a CloudFront distribution.

source: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

For every API you create, API Gateway sets up an Amazon CloudFront distribution for the API. Requests with the default API URL are routed through the corresponding CloudFront distribution. Similarly, for every custom domain name, API Gateway sets up a CloudFront distribution. An API request with the custom domain name is routed through the custom domain name's CloudFront distribution.

However, the CloudFront IPs can change when AWS updates the IP ranges.

As a user of the API, how do I bind a static IP to the custom domain mapped to API Gateway, so that I do not need to update firewall egress settings whenever AWS updates the IP ranges?


3 Answers

9
votes

It is not possible to attach a static IP to API Gateway. However, AWS publishes the IP ranges used by CloudFront, which can be used to whitelist them in the firewall egress settings.

Since these IP ranges also can change, it is recommended to automate the checking for changes using this URL and update the rules accordingly.
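The check described in this answer, as an added example that is not part of the original answer: it reads the published ip-ranges.json document (the format AWS serves at https://ip-ranges.amazonaws.com/ip-ranges.json), keeps only the CLOUDFRONT prefixes, diffs them against the allowlist currently in the firewall, and renders the add/remove commands. The embedded document and the current allowlist are constructed sample data, not real AWS ranges, and the iptables rule shape is an assumption to adapt to your own firewall.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json (RFC 5737 / 3849 documentation
# prefixes), used so the example runs offline. Not real AWS data.
SAMPLE_IP_RANGES = {
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
}


def fetch_ip_ranges(url=IP_RANGES_URL, timeout=10):
    """Download and parse the live document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def cloudfront_prefixes(doc):
    """Return the set of v4 and v6 CIDRs tagged with service CLOUDFRONT."""
    v4 = {p["ip_prefix"] for p in doc.get("prefixes", []) if p["service"] == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT"}
    # Validate every entry so a malformed document cannot produce a bad rule.
    for cidr in v4 | v6:
        ipaddress.ip_network(cidr)
    return v4 | v6


def sync_changed(last_seen_token, doc):
    """syncToken changes whenever AWS republishes the document; cheap change test."""
    return doc["syncToken"] != last_seen_token


def diff_allowlist(current, published):
    """(to_add, to_remove) needed to make `current` equal the published set."""
    return sorted(published - current), sorted(current - published)


def render_iptables(to_add, to_remove, port=443):
    """Assumed egress-allowlist rule shape: one ACCEPT per CIDR on tcp/443."""
    cmds = []
    for cidr in to_remove:
        tool = "ip6tables" if ipaddress.ip_network(cidr).version == 6 else "iptables"
        cmds.append(f"{tool} -D OUTPUT -d {cidr} -p tcp --dport {port} -j ACCEPT")
    for cidr in to_add:
        tool = "ip6tables" if ipaddress.ip_network(cidr).version == 6 else "iptables"
        cmds.append(f"{tool} -A OUTPUT -d {cidr} -p tcp --dport {port} -j ACCEPT")
    return cmds


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_ip_ranges() for real use.
    current = {"203.0.113.0/24", "192.0.2.0/24"}  # constructed: one stale EC2 rule
    add, remove = diff_allowlist(current, cloudfront_prefixes(SAMPLE_IP_RANGES))
    for cmd in render_iptables(add, remove):
        print(cmd)
```

Run it from cron or on notification (AWS also publishes changes to the AmazonIpSpaceChanged SNS topic), persist the last syncToken, and only touch the firewall when it differs. Note that this allowlists every CloudFront edge, not just your API, so it is a coarse control; it is still far better than leaving egress open.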

3
votes

Welcome to multi-cloud ;-)

I was researching this topic and found that there are solutions from other cloud providers.

  1. Google GCP: https://cloud.google.com/cdn/

     So Google CDN does provide one anycast IP by default.

  2. Microsoft Azure API Management (https://azure.microsoft.com/en-us/services/api-management/) does provide a static IP.

In my opinion, for AWS they solved the static IP problem with Global Accelerator or NLB, but the problem is that neither of these products is a layer 7 API management solution.

So basically, at this point you can solve layer 4, but for layer 7 you need to use API Gateway or CloudFront, and neither has any direct integration with Global Accelerator or NLB.

In the Google solution, at least their CDN gives only one anycast IP, which is not yet there in AWS CloudFront (although it is a matter of time).

I liked Microsoft API Management for this particular case, where you get a static IP + API management in one solution.

1
votes

The only solution I have found is to have something with a static IP between the client and the API Gateway, such as a virtual machine whose only goal is to reroute all the calls to the API Gateway.

It would literally be about 50 lines of code bouncing requests and responses, but it adds complexity and budget requirements.
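The bouncer this answer describes, as an added example that is not the answerer's code: a minimal reverse proxy from the standard library that forwards every request to the API Gateway host and relays the response. The upstream hostname is a hypothetical placeholder; the security-relevant details are that hop-by-hop headers are stripped and the Host header is rewritten to the API Gateway hostname, because API Gateway routes on Host and will not answer for the proxy's own name.

```python
import http.server
import socketserver
import urllib.error
import urllib.request

# Hypothetical upstream; replace with your own API Gateway (or custom domain) host.
UPSTREAM_HOST = "abc123.execute-api.us-east-1.amazonaws.com"
LISTEN = ("0.0.0.0", 8080)

# Hop-by-hop headers (RFC 7230 s6.1) plus Host and Content-Length, which must be
# regenerated for the new connection rather than copied from the client.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade", "host", "content-length",
}


def build_upstream_request(path, headers, body=None, method="GET",
                           upstream_host=UPSTREAM_HOST):
    """Copy end-to-end headers, drop hop-by-hop ones, and point Host at upstream."""
    fwd = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    fwd["Host"] = upstream_host
    return urllib.request.Request(f"https://{upstream_host}{path}",
                                  data=body, headers=fwd, method=method)


class Bouncer(http.server.BaseHTTPRequestHandler):
    """Forwards the request verbatim and relays status, headers and body back."""

    def _bounce(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        req = build_upstream_request(self.path, self.headers, body, self.command)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                self._relay(resp.status, resp.headers, resp.read())
        except urllib.error.HTTPError as e:          # 4xx/5xx from API Gateway
            self._relay(e.code, e.headers, e.read())
        except (urllib.error.URLError, TimeoutError):
            self.send_error(502, "upstream unreachable")

    def _relay(self, status, headers, body):
        self.send_response(status)
        for k, v in headers.items():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _bounce


def serve(listen=LISTEN):
    with socketserver.ThreadingTCPServer(listen, Bouncer) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Give the VM an Elastic IP and allow only that address in the client's egress rules. The bouncer listens on plain HTTP here for brevity; in practice terminate TLS in front of it (or use nginx with proxy_pass for the same job) and restrict who can reach it, since it now sits in the trust path and forwards any API key or token the client sends.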