Can we use the Two Way SSL feature with AWS API Gateway? We want to use API Gateway as a proxy for Kinesis in our real-time streaming application.

Below is my requirement:

The client makes a request to API Gateway and API Gateway needs to put the data in Kinesis streams.

The only way to authenticate the clients is using two-way SSL. Our clients don't support other options.

Currently an on-premise F5 load balancer does this work for us and we have Tomcats running behind F5 placing data into Kinesis.

Will I be able to achieve the same using API Gateway? It looks like even AWS ELB does not support this option.

I have taken a look at the link below, but this is about authenticating API Gateway at the server, not API Gateway authenticating the client.

https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

Regards, Kalyan

  • It seems that AWS does now support it per this September 2020 update on the Amazon blog https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/ – mud Sep 16 '21 at 16:08
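The mutual TLS feature referenced in the comment above is configured on a custom domain name, with the accepted client CAs stored as one PEM bundle in S3. The following is an added example, not code from the question, the answer, or AWS: it builds that bundle from a directory of CA certificates and then shows the AWS CLI v2 calls to create a regional domain that requires client certificates and to switch off the default execute-api endpoint so callers cannot route around the client-certificate check. The domain name, certificate ARN, bucket path and API id are placeholders.

```shell
#!/bin/sh
# Added example: API Gateway native mutual TLS setup.
# Assumes AWS CLI v2 with credentials configured; all names are placeholders.
set -eu

# Concatenate every CA certificate (PEM) in $1 into the single truststore
# file $2 that API Gateway reads from S3. Only CA certificates belong here,
# never private keys. Prints the number of certificates bundled.
build_truststore() {
  ca_dir="$1"; out="$2"
  : > "$out"
  for pem in "$ca_dir"/*.pem; do
    [ "$pem" = "$out" ] && continue          # never bundle the output into itself
    cat "$pem" >> "$out"
    # Make sure each certificate ends with a newline so the next
    # "-----BEGIN CERTIFICATE-----" line is not fused onto the previous END.
    [ -n "$(tail -c1 "$pem")" ] && echo >> "$out"
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Create a REGIONAL custom domain whose listener demands a client certificate
# chaining to a CA in the S3 truststore (e.g. s3://my-bucket/truststore.pem).
create_mtls_domain() {
  domain="$1"; acm_cert_arn="$2"; truststore_s3_uri="$3"
  aws apigateway create-domain-name \
    --domain-name "$domain" \
    --regional-certificate-arn "$acm_cert_arn" \
    --endpoint-configuration types=REGIONAL \
    --security-policy TLS_1_2 \
    --mutual-tls-authentication "truststoreUri=$truststore_s3_uri"
}

# The API also answers on https://<api-id>.execute-api.<region>.amazonaws.com,
# which has no client-certificate requirement. Disable it so the custom
# domain with mTLS is the only way in.
disable_default_endpoint() {
  api_id="$1"
  aws apigateway update-rest-api \
    --rest-api-id "$api_id" \
    --patch-operations op=replace,path=/disableExecuteApiEndpoint,value=true
}

# Typical order (placeholders):
#   build_truststore ./client-cas truststore.pem
#   aws s3 cp truststore.pem s3://my-bucket/truststore.pem
#   create_mtls_domain api.example.com arn:aws:acm:REGION:ACCOUNT:certificate/ID s3://my-bucket/truststore.pem
#   disable_default_endpoint abc123
```

Leaving the default execute-api endpoint enabled is the usual mistake here: the custom domain enforces the client certificate, but the generated hostname still accepts plain TLS connections, so the API remains reachable without one.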

1 Answer

API Gateway can authenticate itself to your back-end with TLS, as you have found, but it does not work in the opposite direction -- it does not support authenticating clients with TLS.

Michael - sqlbot
  • Michael, thanks for the answer. Can ELB do that? I'm OK with having a Tomcat or ECS container application running as a proxy to Kinesis. Can ELB offload this SSL client authentication work for me? – kalyan chakravarthy Jun 02 '18 at 06:43
  • ELB/ALB can't do TLS mutual auth. You will have to supply a component, like HAProxy or Nginx, which you can deploy behind a Network Load Balancer (recommended) or ELB Classic in TCP mode (the old way). – Michael - sqlbot Jun 02 '18 at 14:34
  • This is a shame. We'd like to use two-way SSL authentication to ensure calls from our Salesforce instance are indeed coming from our Salesforce instance: https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_callouts_client_certs.htm – Force Hero Feb 22 '19 at 16:02
  • @Michael-sqlbot: Hi, wondering if this is currently still the case? Since AWS now has Certificate Manager, wondering if the situation has changed? – Isaac Sep 04 '19 at 14:33
  • Wondering the same in Q4 2019 – Hugo Allexis Cardona Nov 19 '19 at 15:50
  • @HugoAllexisCardona there are no new developments here, so far. There are underpinnings of API Gateway that you can sniff out -- such as the fact that when you attach an ACM certificate to a custom domain in API Gateway, you can't accidentally delete the certificate because it shows as "in use" by either multiple application load balancers in a different AWS account or by a hidden CloudFront distribution -- which illustrates that API Gateway uses ALBs (regional) or CloudFront (edge-optimized) as part of its infrastructure behind the scenes... and ALB and CloudFront don't support this, either. – Michael - sqlbot Nov 19 '19 at 18:18
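The self-hosted route from Michael - sqlbot's comment (an Nginx or HAProxy terminator behind a Network Load Balancer) is the one that works regardless of what the managed services support, because the NLB just forwards TCP and the handshake, client certificate included, is verified by the terminator. The following is an added example and not code from the answer: a shell function that renders an Nginx server block requiring a client certificate from a given CA bundle and forwarding verified requests to the Tomcat or ECS proxy that writes to Kinesis, plus a check that a client certificate actually chains to that bundle before it is deployed. Paths, the hostname and the upstream address are placeholders.

```shell
#!/bin/sh
# Added example: Nginx as a mutual-TLS terminator behind an NLB in TCP mode.
# File paths, hostnames and the upstream are placeholders.
set -eu

# Print an Nginx server block that rejects any connection whose client
# certificate does not chain to a CA in $1, and proxies the rest to $4.
render_nginx_mtls_conf() {
  ca_bundle="$1"; server_crt="$2"; server_key="$3"; upstream="$4"
  cat <<EOF
server {
    listen 443 ssl;
    server_name api.example.com;   # placeholder hostname

    ssl_certificate        $server_crt;
    ssl_certificate_key    $server_key;
    ssl_protocols          TLSv1.2 TLSv1.3;

    # Two-way TLS: the client must present a certificate chaining to a CA
    # in this bundle; anything else fails the handshake before reaching the app.
    ssl_client_certificate $ca_bundle;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # proxy_set_header overwrites any client-supplied header of the same
        # name, so the upstream can treat these as Nginx's own verdict.
        proxy_set_header X-Client-Verify \$ssl_client_verify;
        proxy_set_header X-Client-DN     \$ssl_client_s_dn;
        proxy_set_header Host            \$host;
        proxy_pass http://$upstream;
    }
}
EOF
}

# Sanity check before deployment: does this client certificate actually
# chain to the CA bundle Nginx will trust? (Needs openssl on the host.)
verify_client_chain() {
  ca_bundle="$1"; client_crt="$2"
  openssl verify -CAfile "$ca_bundle" "$client_crt"
}

# Typical use (placeholders):
#   render_nginx_mtls_conf /etc/nginx/tls/client-ca.pem /etc/nginx/tls/server.crt \
#       /etc/nginx/tls/server.key 127.0.0.1:8080 > /etc/nginx/conf.d/mtls.conf
#   verify_client_chain /etc/nginx/tls/client-ca.pem sample-client.crt
```

The load balancer in front must be an NLB with a TCP listener on 443 forwarding to a TCP target group, not a TLS listener: a TLS listener would terminate the handshake at the NLB, which cannot request a client certificate, and Nginx would never see one. The `X-Client-Verify` / `X-Client-DN` headers are only trustworthy if the upstream is reachable solely through this Nginx (private subnet, security group limited to the terminator), since the Tomcat application itself does no certificate checking.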