I have an Application Load Balancer and an API Gateway. I'm trying to enforce the flow in such a way that only requests from API Gateway are allowed to access my load balancer. Is there some way I could use AWS WAF to get it done?

Neeraj
- I don't think so. From what I see, a recommended way is to use an [NLB + ALB combo](https://stackoverflow.com/questions/53715115/what-is-the-best-way-to-restrict-access-to-an-application-load-balancer). – Marcin Mar 05 '20 at 08:25
- Alternatively, you could enforce requests coming from API Gateway on the targets of your ALB by using client-side certificates. https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html – Suraj Bhatia Mar 05 '20 at 18:55
1 Answer
API Gateway supports so-called Private Integrations, which use a VpcLink resource and an NLB. With them you can:

> expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.

The docs also provide a tutorial on how to use them: Build an API with API Gateway Private Integration

Marcin
- I can't use NLB; NLB can't handle paths at the moment. Using an NLB + ALB combo is expensive. – Neeraj Mar 08 '20 at 17:06