3

We have an AWS Lambda function that is mapped to API Gateway.

I want to enable geo restriction on our API, which is a feature in CloudFront. I want it so that my Lambda doesn't get hit from countries where we are not providing my services.

I believe API Gateway uses CloudFront by default, but I am not able to see any related CloudFront distribution.

I was wondering what the way is to enable geo restriction while using API Gateway and AWS Lambda.

Anant Bhandarkar

2 Answers

3

While it seems API Gateway is using CloudFront, it is not possible to configure geo restrictions on API Gateway itself (at least as of now). You can create a distribution with CloudFront, point the origin to API Gateway, and have your geo restriction enabled.

Additionally, you can also enable x-API-key to protect your endpoint from API-Gateway from CloudFront.

One more way of controlling this from code is by analyzing the `CloudFront-Viewer-Country` header.

Kannaiyan
  • 2
    To clarify the last remark, the `CloudFront-Viewer-Country` header is automatically injected into all API Gateway requests, and you can access it in the Method Request and map it in the Integration Request, or it will be visible automatically if you use a proxy integration. – Michael - sqlbot Sep 06 '17 at 03:01
  • 1
    You need to whitelist `CloudFront-Viewer-Country` in CloudFront, and the value is automatically injected by AWS itself for Lambda or other application consumption. – Kannaiyan Sep 06 '17 at 03:55
  • No, I'm referring to *standard* API Gateway behavior with no externally-configured CloudFront distribution (just the implicit one that API Gateway owns and controls). That header is there automatically, in every API Gateway request, no configuration required. – Michael - sqlbot Sep 06 '17 at 04:01
  • Glad to know. I would really like to see that as a separate distribution with CloudFront. AWS is making a mess integrating both and providing the same feature in a different form. – Kannaiyan Sep 06 '17 at 04:08
  • Well, I assume they saw how much of the stack was already available in the CloudFront infrastructure, and decided to leverage some of it when creating API Gateway... but presumably what's present in front of API Gateway is not a CloudFront distribution exactly like those available directly to customers -- but fortunately, they did turn on those custom headers. – Michael - sqlbot Sep 06 '17 at 04:26
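The header check discussed in the answer and comments above, as an added example that is not code from the answer or from AWS: a Lambda handler for a proxy integration that allows only listed countries and fails closed when `CloudFront-Viewer-Country` is absent. The allow-list, the function names and the sample events are assumptions constructed for illustration.

```python
import json

# Assumption: ISO 3166-1 alpha-2 codes of the countries you serve (constructed sample).
ALLOWED_COUNTRIES = frozenset({"US", "CA", "IN"})
COUNTRY_HEADER = "cloudfront-viewer-country"


def viewer_country(event):
    """Return the upper-cased country code from a proxy-integration event, or None."""
    headers = event.get("headers") or {}
    for name, value in headers.items():
        # HTTP header names are case-insensitive, so compare lower-cased.
        if name.lower() == COUNTRY_HEADER and value:
            return value.strip().upper()
    return None


def _response(status, body):
    """Build a response in the shape a Lambda proxy integration expects."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def handler(event, context):
    country = viewer_country(event)
    # Fail closed: a missing header is treated the same as a blocked country.
    if country not in ALLOWED_COUNTRIES:
        # Structured log line so blocked requests can be counted per country.
        print(json.dumps({"geo_block": True, "country": country}))
        return _response(403, {"message": "Service not available in your region"})
    return _response(200, {"message": "ok", "country": country})


# Constructed sample events (only the fields this handler reads).
SAMPLE_ALLOWED = {"headers": {"CloudFront-Viewer-Country": "in"}}
SAMPLE_BLOCKED = {"headers": {"cloudfront-viewer-country": "FR"}}
SAMPLE_MISSING = {"headers": {"Host": "api.example.com"}}
SAMPLE_NO_HEADERS = {"headers": None}
```

Because this check runs inside the function, blocked requests still invoke the Lambda; it limits what those callers receive rather than keeping the traffic away from the function.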
0

You can also use an AWS WAF geographic match rule:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
