
I'd like to expand my serverless application to the second aws region, so that it works in active-active model.

Currently I have a public api-gateway secured with WAF.

I'd like to add a cloudfront distribution in front of that api-gateway and then add the second api-gateway deployed to another region as an origin.

I've created a POC and can see that the requests coming from cloudfront are blocked by WAF.

I know I can use api-key, custom header for authenticating cloudfront distribution to waf/api-gateway but maybe there's another more elegant solution for this?

Appreciate any help. Thanks!

yatamanpl

1 Answer


CloudFront origin groups use the second origin only if the first one does not answer, so more an active/standby setup.

If your goal is to load balance traffic transparently to region A and region B, an active/active setup, I'd rather use DNS load balancing:

  • CNAME api.myservices.com -> apiA.myservices.com
  • CNAME api.myservices.com -> apiB.myservices.com

You can also use a geoproximity or latency policy to route users to the most appropriate region.

The API Gateway can benefit from Edge acceleration without the need to deploy CloudFront in front.

PS: if you put a CloudFront distribution in front of your API you can activate the WAF service at CloudFront level rather than at the API Gateway level.

MarcC
  • Thank you! I haven't created a POC yet so maybe you can help me with that question: If I associated WAF directly to cloudfront would the api-gateway be publicly available then? – yatamanpl Aug 17 '23 at 13:15
  • AFAIK yes the API GW URL will be public. You can restrict access to CloudFront if you configure your behaviour to send a custom header and you check this header is present in an API authorizer. Check the [approach recommended for an ALB](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html). – MarcC Aug 17 '23 at 13:30
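The custom-header check from the last comment, written out as a REQUEST-type Lambda authorizer for API Gateway. This is an added example, not code from the answerer or from AWS; the header name `x-origin-verify` and the `ORIGIN_VERIFY_SECRET` environment variable are assumed names you would pick when configuring the CloudFront origin and the Lambda function.

```python
import hmac
import os

# Name of the custom header CloudFront adds to every origin request
# (assumed: you choose it in the distribution's origin custom headers).
ORIGIN_HEADER = "x-origin-verify"


def build_policy(principal_id, effect, method_arn):
    """Return the IAM policy document API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def is_from_cloudfront(headers, expected_secret):
    """True only if the custom origin header carries the shared secret.

    Header names are case-insensitive, so normalise before lookup, and compare
    in constant time so the check does not leak the secret through timing."""
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    presented = lowered.get(ORIGIN_HEADER)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def authorize(event, expected_secret):
    """Decide Allow/Deny for one REQUEST-authorizer event (headers + methodArn)."""
    effect = "Allow" if is_from_cloudfront(event.get("headers"), expected_secret) else "Deny"
    return build_policy("cloudfront-origin", effect, event["methodArn"])


def lambda_handler(event, context=None):
    # Assumed: the secret is injected as an environment variable (e.g. from SSM/Secrets Manager).
    return authorize(event, os.environ["ORIGIN_VERIFY_SECRET"])


if __name__ == "__main__":
    # Constructed sample event, shaped like what API Gateway sends a REQUEST authorizer.
    sample = {"methodArn": "arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/GET/orders",
              "headers": {"X-Origin-Verify": "constructed-secret"}}
    print(authorize(sample, "constructed-secret")["policyDocument"]["Statement"][0]["Effect"])
```

Set the authorizer's identity source to that header so API Gateway rejects requests lacking it before invoking the function and caches results per header value.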