AWS Private APIs using Serverless Framework.

Simran Kaur Kahlon
Gray Matrix
Published in Gray Matrix · 3 min read · Aug 9, 2020


Image Source — Udemy.com

AWS lets us secure APIs in many ways, one of them is by deploying APIs in a VPC and letting only the resources inside a VPC access them.

Using API Gateway, we can create private REST APIs that can only be accessed from our virtual private cloud in Amazon VPC by using an interface VPC endpoint.

So what is an interface VPC endpoint, and how do you create one?

An interface VPC endpoint (interface endpoint) lets you connect to services powered by AWS PrivateLink.

In our case, we will create an endpoint for API Gateway. This endpoint and VPC details will then be used to deploy our APIs using Serverless Framework.

I assume you have your VPC, subnets, and security group in place before we start with endpoint creation.

The steps to create an endpoint are as follows:

  1. Select VPC from the services dropdown in the AWS Console.
  2. Select Endpoints from the left panel as in the below image:
  3. It will open a panel that lets you create endpoints; click on the Create Endpoint button, which is also visible in the above image.
  4. The Service category will be autoselected for you as “AWS services”; choose Service Name as com.amazonaws.us-east-1.execute-api. My VPC is in the N. Virginia region, so us-east-1.
  5. Next, select your VPC, subnets, and security group and click on Create Endpoint.
  6. You will get a VPC endpoint ID something like — vpce-0axxxxxxxxxx
  7. We need to use this VPC endpoint and other VPC details in our serverless.yml file as:

Here, the additional details we have specified are as follows:

  • endpointType as Private
  • vpcEndpointIds — The VPC Endpoint that we created above.
  • vpc details that include securityGroupIds and subnetIds
  • Lastly, the resource policy. It allows only those callers that satisfy the VPC condition, i.e. requests coming from the VPC given by the sourceVpc condition (the aws:SourceVpc key) are allowed to invoke the resource named in the Resource tag; everything else is denied.
  • In short, my API deployed in a VPC will be accessed only by the services in that VPC. A service could be my application running on an EC2 that resides in the same VPC.
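The serverless.yml the steps above refer to was a screenshot in the original post and is not reproduced here. The following is an added example written for this page, not the author's file: a minimal serverless.yml with the four settings just listed. Every ID (vpce-, vpc-, subnet-, sg-), the service name, the runtime and the handler are assumed placeholders that you replace with your own values.

```yaml
# Added example serverless.yml (not the post's own file).
# All IDs below are placeholders: substitute the endpoint, VPC, subnet and
# security group IDs from your account.
service: private-api-demo

provider:
  name: aws
  runtime: nodejs12.x          # assumed; any supported runtime works
  region: us-east-1            # must match the region of the vpce endpoint
  stage: dev

  # 1. Deploy a PRIVATE REST API: it gets no public edge/regional endpoint
  endpointType: private

  # 2. The interface VPC endpoint for execute-api created in step 6
  vpcEndpointIds:
    - vpce-0aEXAMPLE000000000

  # 3. Attach the Lambda functions to the VPC (securityGroupIds and subnetIds)
  vpc:
    securityGroupIds:
      - sg-0EXAMPLE0000000000
    subnetIds:
      - subnet-0EXAMPLE00000000a
      - subnet-0EXAMPLE00000000b

  # 4. API Gateway resource policy. A private API must carry one; this one
  #    allows execute-api:Invoke only when the request originates from the
  #    VPC named in aws:SourceVpc. Anything not matched is denied by default.
  resourcePolicy:
    - Effect: Allow
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        StringEquals:
          aws:SourceVpc:
            - vpc-0EXAMPLE0000000000

functions:
  test:
    handler: handler.test      # assumed handler; exports a function named test
    events:
      - http:
          path: test
          method: get
```

Deploy with serverless deploy as usual; the invoke URL then has the {rest-api-id}-{vpce-id} form shown in step 8. Two things worth checking once it is up: the security group on the interface endpoint has to allow inbound TCP 443 from the callers (for example the EC2 instance's subnet or security group), or the call times out even though the policy would permit it; and because the policy uses Principal '*' with only a network condition, any process with network reach inside that VPC can invoke the API, so an IAM or Lambda authorizer can still be layered on top where per-caller control is needed.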

8. Now you can deploy your APIs and they can be invoked as:

https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}

https://qXX-vpce-0axxxxxxxxxx.execute-api.us-east-1.amazonaws.com/dev/test

That’s it: no need to maintain the additional headache of securing your APIs with auth tokens, headers, etc., when AWS has taken the load off our shoulders with its amazing services.

Please get in touch in case of any queries.

Thanks.


JS/ Laravel / AWS / Chatbot Developer #AWS Solution Architect Associate #AWS Developer Associate