Srce Cde
Published in

Srce Cde

How to whitelist IP addresses in Amazon HTTP API

Photo by Michael Dziedzic on Unsplash

How to enable Amazon HTTP API to serve requests originating from specific IP addresses?

In this article, I will share how to whitelist IP addresses within HTTP API to entertain requests originating from whitelisted IP addresses and reject the rest of the requests.

Unlike REST API, HTTP API does not have an option of resource policy where one can add the functionality to control the traffic based on IP addresses. Hence, to add the functionality within HTTP API one of the options is to control the traffic via Lambda Authorizers with Simple or IAM policy response mode.

As a next step, we will create a setup of how to enable Amazon HTTP API to entertain requests based on origin.


We will set up everything from scratch. To get started, create two lambda functions (one for the back-end integration of the specific API route and another for Authorization).

Lambda function 1 (Back-end integration)

After creating the second lambda function, update the source code of the same from here:

The above code will check & validate the static authorization token as a part of the IAM policy response mode (can be extended to add/validate other methodologies)along with the validation of request origin.

Lambda function 2 (Lambda Authorizer)

Post deploying the code, add the environment variable IP_RANGE with the list of IP addresses that need to be whitelisted.

Environment variable (Lambda)

As a next step, create the HTTP API from API Management Console. Post creation, create the route (/test) along with the GET method.

Next, create and attach the lambda integration (Lambda function 1) to the GET method.

Finally, create and attach the lambda authorization (Lambda function 2) to the GET method.

While the HTTP API is created, it comes with a default stage and the auto-deployment is enabled. Hence, we can use it.

Here, the setup is successful. Now, we can test it.


For testing, we will use Postman and the setup will look as below.

The API endpoint will return 403 Forbidden if the IP address is not whitelisted as a part of an IP_RANGE environment variable.

Result, before whitelisting the IP

After whitelisting the IP address as a part of an IP_RANGE environment variable, the endpoint will return status code 200 with an appropriate response.

Result, after whitelisting the IP

Finally, we made our endpoint secure in a way.

For a detailed end-to-end, step-by-step setup, you can refer to the video below.

If you have any questions, comment feedback then please leave them below.




All about you need to know. The purpose of sharing the knowledge. Know more learn more. The blog that will help you learn, know and implement.

Recommended from Medium

S03E11: I am not a clever man

What You Need to Know About Python Virtual Environments

Python vs C

Reset local git repository to same like remote


What is Filebase and How do you use it?

Protect your .NET desktop app from being hacked

Commands useful for Application Administrators in linux server systems for troubleshooting issues…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Srce Cde

Srce Cde

AWS Community Builder | YouTuber:

More from Medium

What is Serverless Architecture and AWS?

How to hit AWS Step Functions limitations…

AWS Lambda: Hidden treasures

Introduction to AWS Lambda and Serverless