I want to restrict the access to my application server by specifying the whitelisted IPs. This is possible by adding them in the security group inbound rules. But my application also uses the API gateway to proxy some of the apis and redirects to the server. Considering the usecase, is it possible for me to whitelist the API gateway?
- I'm using application load balancer (no provision to use the NLB or other)
Is there any work around?
CodePudding user response:
If you want to block API Call your API Gateway you can use a Ressource Policy on API gateway to block / allow IP.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/*/*/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/*/*/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["sourceIpOrCIDRBlock", "sourceIpOrCIDRBlock"]
}
}
}
]
}
Yan can also use a AWS WAF in front of your ALB and API Gateway to block or allow IPs