I'm trying to access an AWS API Gateway inside of a VPC, but keep getting timeout errors - aws-api-gateway

I have an AWS API gateway that I created with zappa and an ECR docker image. I assigned the lambda function to a VPC but can no longer access the API.
I created an internet gateway and have the route table routing 0.0.0.0/0 and ::/0 to it.
I have all traffic allowed on all ports on the security group as well.
However, whenever I try to access any endpoints I get a timeout error. If I take the lambda function out of the VPC I am able to access all the endpoints.

You cannot access API Gateway from Lambda directly if your Lambda is inside a VPC. In this case you have to use a VPC endpoint.
You can use Lambda functions to proxy HTTP requests from API Gateway to an HTTP endpoint within a VPC without Internet access. This allows you to keep your EC2 instances and applications completely isolated from the internet while still exposing them via API Gateway. By using API Gateway to front your existing endpoints, you can configure authentication and authorization rules as well as throttling rules to limit the traffic that your backend receives.
Reference: https://aws.amazon.com/blogs/compute/using-api-gateway-with-vpc-endpoints-via-aws-lambda/#:~:text=Conclusion,exposing%20them%20via%20API%20Gateway

Related

Allow API requests from a specific URL in azure kubernetes

I am using Azure Kubernetes for backend deployment. I have 2 URLs: one is the API URL (api.project.com) and the other one is the BFF URL (bff.project.com).
From the web application, instead of calling the API URL (api.project.com) they use the BFF URL (bff.project.com), which internally calls the API URL (api.project.com) and sends the response.
I now want to restrict direct usage of the API URL (api.project.com), even from any REST API clients (like Postman, Insomnia, ...); it should only work when triggered from the BFF URL (bff.project.com).
We have used nginx-ingress for subdomain creation and both the URLs (BFF and API) are in the same cluster.
Is there any firewall or inbuilt Azure service to resolve the above mentioned problem?
Thanks in Advance :)
You want to keep your api private, only accessible from another K8S service, so don't expose it using your ingress controller and it simply won't be accessible outside K8S to any client.
This means that you lose the api.project.com address (although you can get that back if you really want to, it seems unnecessary). The BFF would then access the API via the URL: http://<service-name>.<namespace>.svc.cluster.local:<service-port>, which in your case might be:
http://api.api_ns.svc.cluster.local
Assuming you haven't used TLS (http rather than https), the service is called api, it's running on port 80 (which it should be) and the namespace is called api_ns.
Should you need to provide temporary access to the API for developers to use, say, postman, then they can use port-forwarding to provide that in a dev environment without allowing external access all the time.
However, this won't restrict access to BFF alone. Any service running in K8S could access the API. If you need/want to restrict things further, then you have a lot of options.
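One of the "further options" the answer alludes to is a Kubernetes NetworkPolicy that admits traffic to the api pods only from the bff pods. The block below is an added example, not from the answer or the asker's cluster: the policy as a dict identical to the YAML you would apply, plus a small evaluator of its semantics so the rule can be sanity-checked offline. Labels app=api / app=bff and namespace api-ns are assumptions (the answer's api_ns is not a valid DNS label), and the evaluator handles pod sources only, not ipBlock peers.

```python
# Added example, not from the answer above. Assumed labels app=api / app=bff
# and namespace api-ns. Single-policy evaluator for pod-to-pod ingress only.
API_ALLOW_BFF_ONLY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "api-allow-bff-only", "namespace": "api-ns"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "bff"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}

def selects(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    """Does a `from` entry match the source pod? A bare podSelector only
    matches pods in the policy's own namespace (a common surprise)."""
    if "ipBlock" in peer:
        return False  # pod sources only in this evaluator
    if "namespaceSelector" in peer:
        ns_ok = selects(peer["namespaceSelector"], src.get("namespace_labels", {}))
    else:
        ns_ok = src["namespace"] == policy_ns
    pod_ok = selects(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok

def ingress_allowed(policy, src, dst, port, protocol="TCP"):
    """Would src -> dst:port pass this single policy? Pods the policy does
    not select are untouched; selected pods become deny-by-default."""
    spec, ns = policy["spec"], policy["metadata"]["namespace"]
    if dst["namespace"] != ns or not selects(spec["podSelector"], dst["labels"]):
        return True
    for rule in spec.get("ingress", []):  # no rules at all => all ingress denied
        from_ok = not rule.get("from") or any(peer_matches(p, src, ns) for p in rule["from"])
        ports = rule.get("ports")
        port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p["port"] == port
                                   for p in ports)
        if from_ok and port_ok:
            return True
    return False
```

Pods are passed as dicts with `namespace` and `labels` keys; a pod running Postman-style requests from elsewhere in the cluster is denied even though the ClusterIP service is still reachable by name.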

Access Api Gateway API operation from VPC?

I am trying to figure out how to access the API Gateway service API (aka "Manage Amazon API Gateway") from a Lambda running in a VPC. Note I'm not trying to invoke a resource method in a private API (I'm aware of how to create an execute-api VPC interface endpoint), just calling an AWS service method (get-api-key, FWIW, using a Python boto3 client). Hope that makes sense; it's hard to articulate this clearly with so many overloads of "API" here. Current attempts fail with a timeout, so I presume it's VPC-related, but I'm not sure how to provide access. I don't see any obvious endpoint types that would do so. I've seen references to using a NAT gateway for extra-VPC resources, but I'm not clear how (or if) this would apply. The VPC has a NAT Gateway configured, and the Lambda's security group allows all outbound traffic; see configurations below. Appreciate any suggestions.
(Screenshots: NAT Gateway configuration; Lambda network configuration.)
Accessing the Amazon API Gateway Control Plane API endpoints requires Internet access.
Lambda functions in a VPC can't access the Internet without a NAT Gateway or another type of NAT device. See How do I give internet access to my Lambda function in a VPC? ... or provision your Lambda function outside the VPC if it doesn't really need to be inside a VPC. Provisioned outside a VPC, Lambda functions have Internet access automatically.
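The first question on this page (internet gateway route, all-open security group, still timeouts) and this one (NAT gateway present, control-plane call still needed) share one diagnosis: which path, if any, a Lambda ENI in each configured subnet has to the service it calls. The block below is an added example, not code from any of the posts: it classifies each subnet from its route table and the VPC's interface endpoints. The dicts are constructed to mirror the shape of `ec2 describe-route-tables` / `describe-vpc-endpoints` output; nothing here calls AWS, and the subnet, VPC and gateway ids are placeholders.

```python
# Added example (not from the posts above). Inputs are constructed dicts
# shaped like EC2 describe-route-tables / describe-vpc-endpoints output.
def default_route_target(route_table):
    """Target id of the IPv4 default route (igw-…, nat-…) or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def classify_subnet(vpc_id, route_table, endpoints, service):
    """One of 'vpc-endpoint', 'nat', 'igw-unreachable', 'isolated', 'unknown'."""
    # An interface endpoint for the service in the same VPC keeps the traffic
    # inside the VPC, so the subnet's default route does not matter.
    for ep in endpoints:
        if (ep["VpcId"] == vpc_id and ep["VpcEndpointType"] == "Interface"
                and ep["ServiceName"].endswith("." + service)):
            return "vpc-endpoint"
    target = default_route_target(route_table)
    if target is None:
        return "isolated"
    if target.startswith("nat-"):
        return "nat"  # private subnet; the NAT gateway has a fixed public IP
    if target.startswith("igw-"):
        # The trap in the first question: Lambda ENIs never get a public IP, so
        # an internet-gateway route that works for EC2 hosts in the same subnet
        # is a dead end for the function (timeouts, not connection refused).
        return "igw-unreachable"
    return "unknown"

def lambda_can_reach(vpc_id, subnet_route_tables, endpoints, service):
    """(ok, per-subnet verdicts). Every subnet must pass: Lambda places ENIs in
    any configured subnet, so one bad subnet shows up as intermittent timeouts."""
    verdicts = {sid: classify_subnet(vpc_id, rt, endpoints, service)
                for sid, rt in subnet_route_tables.items()}
    return all(v in ("vpc-endpoint", "nat") for v in verdicts.values()), verdicts

# Constructed sample: an IGW-routed subnet (first asker's setup), a NAT-routed one.
SAMPLE_VPC = "vpc-0example"
SAMPLE_SUBNETS = {
    "subnet-public": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    "subnet-private": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
}
SAMPLE_ENDPOINTS = [{"VpcId": SAMPLE_VPC, "VpcEndpointType": "Interface",
                     "ServiceName": "com.amazonaws.us-east-1.execute-api"}]
```

With the sample data the public subnet is flagged even though its security group is wide open, and adding an execute-api endpoint rescues it only for execute-api calls, not for the control-plane service this question asks about.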

Kubernetes - route static IP to multiple services (Google Cloud Platform)

I have a small application comprising three services:
A single page application (SPA) served from nginx
A simple nodejs HTTP API used by the SPA
An MQTT broker exposing ports 1883 and 9001
Ideally I'd like them all to be served from the same subdomain and static IP address and have been trying to configure this in Kubernetes on the Google Cloud Platform.
I've created deployments for each of the services, with the SPA exposing port 80, the API 3000 and the MQTT broker 1883/9001. I've then followed the instructions here to set up a static IP and a Service to route to the SPA, then created similar services for the API and the MQTT app. (I've initially adapted these from deployments and services generated from a docker-compose file and Kompose).
The SPA and API seem to work fine but the MQTT service does not. When I run kubectl get events I see:
Error creating load balancer (will retry): failed to ensure load balancer for service default/mqtt-broker: failed to create forwarding rule for load balancer (a5529f2a9bdaf11e8b35d42010a84005(default/mqtt-broker)): googleapi: Error 400: Invalid value for field 'resource.IPAddress': '35.190.221.113'. Specified IP address is in-use and would result in a conflict., invalid
So I'm wondering if I should be creating a single service to route to the three deployments but can't find any documentation or examples that explain how to do this for a non http service.
I guess I could put the mqtt service on a separate IP address but this seems to be hacking around the problem rather than solving it.
Thanks in advance for any advice.
I eventually found an almost identical use case to my own on this github repository.
In essence, they are creating the MQTT broker on a separate static IP and using Kubernetes API calls to expose the details to the front end, which they explain in the following comment at the top of the web.yaml file:
This needs a bit of trickery
as it needs to expose the LB ip address for the MQTT server. That
requires kubernetes API calls to look it up, and the ability to
store it somewhere (we put it in a secret). To be secure this is
done with a dedicated service account and an init container.
https://github.com/IBM/ny-power

How do I know IP address of AWS API Gateway hosted on stage?

Actually I have a database which has an IP-based restriction, and now if I'm calling the API using the API Gateway Invoke URL, I get an error because it can't connect to the database.
Question:
How do we know the IP address of the hosting server of API Gateway?
You don't. It's a large pool of dynamic IP addresses.
You didn't mention a Lambda function in the mix, but that would be the only way that comes to mind that you could use to originate requests behind API Gateway with a static source address. The Lambda function would need to be associated with subnets whose default route points to a NAT Gateway in a VPC. The NAT Gateway always has a static IP address.

Can AWS API Gateway route requests to different endpoints on the basis of a path variable value

Let's consider this simple scenario for the AWS API Gateway.
I have a resource with a request path variable /numbers/{id} and two http endpoints: http://odd.number.io and http://even.number.io.
How can I set up AWS API Gateway to route requests to one or the other endpoint when the id is an odd or an even number?
Is this possible?
That is not possible with API Gateway alone. You could proxy through a Lambda function where you can execute a logical decision, but API Gateway itself doesn't support this kind of logical rule.