Srce Cde

Published in Srce Cde

Allow access to API Gateway from specific IP addresses | Whitelist IPs


How do we allow a specific IP address, or a range of IP addresses, to access our REST API endpoints?

In this article, I will share how to whitelist an IP address so that it can access a REST API endpoint, while denying/blocking all requests that originate from other source IPs. This article applies only to REST APIs within API Gateway. The approach we are going to use to control IP whitelisting is a Resource Policy.

Here, I am going to allow/whitelist my own IP address to invoke the API endpoint and block every request that originates from any other source.

Getting started

To get started, create a Lambda function (requestService) that will be the back-end integration for the REST API Gateway we create in a moment. The Lambda function simply returns a hard-coded response whenever the endpoint (GET method) is invoked, with no business logic.

After creating the Lambda function, go to the API Gateway console and create a REST API from scratch, or open any existing REST API. Next, create the resource (/processrequest) along with a GET method. Finally, integrate the Lambda function (requestService) with the GET method. Please refer to the screenshot below for the integration.

For a similar detailed step-by-step setup of the resources, you can refer to my tutorial on Resources, method integration with lambda.

Whitelisting IP address via Resource Policy

With the help of a resource policy, we can restrict API endpoint invocation to requests originating from defined IP addresses and block/deny all other requests.

After setting up the API Gateway and Lambda function, open the API Gateway created in the step above, click on Resource Policy in the left panel, copy and paste the policy below into the editor, and click on Save.

Within the policy we have two statements: an Allow block and a Deny block. The first (Allow) statement states that we allow API endpoint invocations originating from any source to all resources within our REST API.

In the second statement, we define an explicit denial. The Deny statement blocks all requests from all sources to all resources, but with a condition. The NotIpAddress condition means the denial applies to every request except those coming from the IP address listed in the NotIpAddress block. Because an explicit Deny overrides an Allow during policy evaluation, only requests from the listed address get through.

As a next step, replace the YOUR IP ADDRESS placeholder with the IP address for which you want to allow API endpoint invocation (you can simply google "what is my IP" to find your IP address). Additionally, you can define an IP range with a CIDR block. After modifying the policy, click on Save.

Finally, re-deploy the API for the changes to take effect and note the invoke URL.
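As an added example (not the original post's policy text), the Python below builds the Allow plus explicit-Deny resource policy described above for a list of CIDR ranges, and includes a simplified local check of what that policy decides for a given source address. The API ARN and the sample CIDRs are constructed placeholders, and the checker only models the NotIpAddress condition, not the full IAM evaluation engine.

```python
import ipaddress
import json

# Placeholder ARN (constructed); substitute the execute-api ARN of your own API.
API_ARN = "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*"


def build_resource_policy(allowed_cidrs):
    """Return the Allow + explicit-Deny resource policy as a dict.

    Statement 1 allows anyone to invoke every resource of the API.
    Statement 2 denies every invocation whose aws:SourceIp is NOT inside
    allowed_cidrs; since an explicit Deny wins over an Allow, only the
    listed ranges can reach the endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": API_ARN},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": API_ARN,
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}},
        ],
    }


def policy_json(allowed_cidrs):
    """The policy as the JSON text you would paste into the Resource Policy editor."""
    return json.dumps(build_resource_policy(allowed_cidrs), indent=2)


def is_invoke_allowed(policy, source_ip):
    """Simplified local evaluation: explicit Deny beats Allow, and a
    NotIpAddress condition matches when the address is in none of its ranges.
    aws:SourceIp is the address of the client connecting to API Gateway, so a
    proxy or CDN in front of the API is evaluated by its own address."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        ranges = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
        # An unconditioned statement always matches; a NotIpAddress statement
        # matches only when the IP is outside every listed range.
        if nets and any(ip in net for net in nets):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample ranges: one single host and one /24 block.
    print(policy_json(["203.0.113.7/32", "198.51.100.0/24"]))
```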

Testing

After deployment, copy the invoke URL, paste it into a new browser tab, append /processrequest and press Enter. You should see the response returned by the Lambda function.

To make sure the resource policy approach is working, go ahead and replace your IP address with the localhost IP, click on Save, and re-deploy the API.

Now, if you hit the API endpoint again, it returns an error message, as shown in the reference image below.

With that, we have made our endpoint more secure.

For a detailed step-by-step setup, you can refer to the video below.

If you have any questions, comments or feedback, please leave them below.


AWS Community Builder | YouTuber: https://youtube.com/srcecde
