1

I'm trying to expose an HTTP server to the internet. The server runs on a Fargate container inside a dedicated VPC. I could just expose it through a public Application Load Balancer (ALB) if it wasn't for the fact that requests to this server must be authenticated using IAM.

My approach was to put an AWS Gateway v1 in front of the service's load balancer. This Gateway verifies authentication through IAM, then relays the request to a Network Load Balancer (NLB) using a VPC Link. The NLB in turn routes it to the server itself.

Here's the problem: Api Gateway v1 does not support VPC Links to ALBs, only NLBs, but NLBs use TCP, while I'm exposing an HTTP server. This way I can't relay paths and other HTTP features through the Network Load Balancer. Api Gateway v2 does support VPC Links to ALBs, but it does not have a way to authenticate using IAM.

Is there any way to work around this problem?

barmanthewise
  • 359
  • 4
  • 10

1 Answers1

0

I am not sure why you think api gtw 2 does not allow IAM authentication or where you got that from? Can you put your cloudformation here or point to a git so I can test it with a policy? Can you put the link where it says that API GTW 2 does not suport IAM Authorization?

The documentation clearly mentions that you can use IAM Authorisers? https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/doc-history.html

Here is a blog that might help? https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/

You could go the long way and use Cognito Pool, link that to you API GTW, if what you say is true.

https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/

hope this helps, I'd be curious of your Cloud Formation if you are willing to share.

Scilla
  • 355
  • 2
  • 13