{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 可以哭但决不认输i 的问题《Can I specify HTTP endpoint in a VPC as resource i》','https://www.manongdao.com/q-1230362.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a situation when my product(some Web API) is living inside of VPC, i.e. with no any any external access. I'd like to expose the part of this APIs(just a couple of HTTP methods) to be accessible from the internet. I'm trying to achieve this using AWS API Gateway but it looks like I cannot make internal ELB endpoint the API Gateway resource. Any ideas how can I do this?
Thanks, --Vovan
It's somewhat of a circuitous path, but you can proxy your Web service endpoints that are in a VPC through a Lambda function. That Lambda function can be called directly from the API Gateway. This blog post gives details on how to do that.
This was originally not possible, and then was solved with support for client certificates that API Gateway could use to authenticate itself to your services. This was a good solution, and is still available, but still required your services to be exposed -- at least in some sense -- to the Internet.
In November, 2017, AWS released a new capability that allows you to actually provision a network path between API Gateway and your internal services.
Historical context follows.
As of now, there is no simple and foolproof way to do this, because your services that are accessible to API Gateway need to be accessible via/exposed to the public Internet and there is no built in trust mechanism by which you can be assured that such a request actually originated from any API Gateway deployment, much less your API Gateway deployment.Amazon seems to have solved the issue of authenticating requests to your back-end services as having assuredly come, not only from API Gateway, but from your API Gateway instance. As before, endpoints still need to be exposed to the Internet, since the source IP address is not predictable -- but API gateway now supports client SSL certificates, which the back-side of API Gateway uses to authenticate itself to the front-side of your back-end service, that API gateway is calling.
When you generate a client certificate in the API Gateway console, you're provided with the public key for that certificate. For security, the private key is retained by API Gateway and is not accessible to you. API Gateway will present the public key to your back-end when negotiating SSL. Any peer not presenting that same public key is not API gateway, and your back-end should deny SSL negotiation.
If a malicious actor should ever come into possession of the public key, they would not still be able to communicate with your back-end over SSL, because they would lack the mated private key, which is only known to API Gateway. (Your side of the interaction would be encrypted using your SSL certificate and it's mated private key, which is of course, known only to you.)
This capability addresses what previously appeared to be a significant limitation of the utility of API Gateway's HTTP proxy functionality... a limitation of such significance, in fact, that when I discovered the revised information, above, I began to doubt myself: Had this been there all along, and I had somehow managed to overlook it? The Wayback Machine says no, it's new. This information was added in September, 2015.