Limit access to lambda or api gateway to a specific vpc


Question

is it possible to make an api gateway or lambda function accessible only by a specific vpc.

I searched in amazon doc, but I didn't find anything about this subject.

Thanks in advance

Answer

Unfortunately, you will not be able to do that (see the update below).

S3 is the service that provides that kind of access control, through bucket policies.

What you can do is grant permissions to your callers (Lambda invoker and API caller).

Take a look at these resources:

  • Control Access to an API with IAM Permissions
  • Control Access for Invoking an API
  • Overview of Managing Access Permissions to Your AWS Lambda Resources

Update: Michael-sqlbot

You might point out that the underlying reason why this isn't possible is that both the Lambda service API and API Gateway are accessed from the Internet, which means the VPC identity of the caller is lost -- however, the VPC can be identified indirectly by the EIPs of its NAT Gateways, which should be usable against the aws:sourceIp IAM policy condition key, indirectly restricting access to any machine behind those EIPs, thus only in the VPC. Maybe it's a hack, maybe it's a workaround.

Update 11/08/2018

Introducing Amazon API Gateway Private Endpoints

One of the biggest trends in application development today is the use of APIs to power the backend technologies supporting a product. Increasingly, the way mobile, IoT, web applications, or internal services talk to each other and to application frontends is using some API interface.

Alongside this trend of building API-powered applications is the move to a microservices application design pattern. A larger application is represented by many smaller application components, also typically communicating via API. The growth of APIs and microservices being used together is driven across all sorts of companies, from startups up through enterprises. The number of tools required to manage APIs at scale, securely, and with minimal operational overhead is growing as well.

Today, we’re excited to announce the launch of Amazon API Gateway private endpoints. This has been one of the most heavily requested features for this service. We believe this is going to make creating and managing private APIs even easier.

Private endpoints

Today’s launch solves one of the missing pieces of the puzzle, which is the ability to have private API endpoints inside your own VPC. With this new feature, you can still use API Gateway features, while securely exposing REST APIs only to the other services and resources inside your VPC, or those connected via Direct Connect to your own data centers.

Here's how it works.

API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. When using private DNS, all traffic to that service is directed to the interface endpoint instead of through a default route, such as through a NAT gateway or public IP address.

API Gateway as a fully managed service runs its infrastructure in its own VPCs. When you interface with API Gateway publicly accessible endpoints, it is done through public networks. When they’re configured as private, the public networks are not made available to route your API. Instead, your API can only be accessed using the interface endpoints that you have configured.
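As an added example (not from the original answer or from AWS), the aws:SourceIp workaround described above written out as an IAM policy for the calling principal, together with a small evaluator that shows which source addresses the policy admits; the NAT gateway EIPs and the execute-api ARN are constructed placeholders.

```python
import fnmatch
import ipaddress

# Constructed sample values (not from the original thread): the Elastic IPs of the
# VPC's NAT gateways, and a placeholder API Gateway execute-api ARN.
NAT_GATEWAY_EIPS = ["198.51.100.10/32", "198.51.100.11/32"]
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*/*/*"


def build_source_ip_policy(eips, api_arn):
    """Identity policy for the calling principal: execute-api:Invoke is allowed only
    when the request's public source address is one of the NAT gateway EIPs.
    Any other source falls through to IAM's implicit deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"IpAddress": {"aws:SourceIp": list(eips)}},
            }
        ],
    }


def is_allowed(policy, action, resource, source_ip):
    """Minimal evaluator for the subset of IAM used above (Allow statements with an
    IpAddress/aws:SourceIp condition). It mirrors IAM's rule that a request with no
    matching Allow is denied; it is a teaching aid, not AWS's evaluation engine."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    policy = build_source_ip_policy(NAT_GATEWAY_EIPS, API_ARN)
    res = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/orders"
    # A caller whose traffic leaves the VPC through its NAT gateway: allowed.
    print(is_allowed(policy, "execute-api:Invoke", res, "198.51.100.10"))
    # The same credentials used from anywhere else on the Internet: denied.
    print(is_allowed(policy, "execute-api:Invoke", res, "203.0.113.7"))
```

As the answer notes, this admits any host whose traffic egresses through those EIPs, so the restriction is only as tight as the set of machines routed through the NAT gateways.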
