Can I specify HTTP endpoint in a VPC as resource in AWS API Gateway?


Question

I have a situation where my product (some Web API) is living inside of a VPC, i.e. with no external access. I'd like to expose part of this API (just a couple of HTTP methods) to be accessible from the Internet. I'm trying to achieve this using AWS API Gateway, but it looks like I cannot make an internal ELB endpoint the API Gateway resource. Any ideas how I can do this?

Thanks, -- 沃文

Accepted answer

This was originally not possible, and then was solved with support for client certificates that API Gateway could use to authenticate itself to your services. This was a good solution, and is still available, but still required your services to be exposed -- at least in some sense -- to the Internet.

In November, 2017, AWS released a new capability that allows you to actually provision a network path between API Gateway and your internal services.

You can now provide access to HTTP(S) resources within your Amazon Virtual Private Cloud (VPC) without exposing them directly to the public Internet. You can use API Gateway to create an API endpoint that is integrated with your VPC. You create an endpoint to your VPC by setting up a VPC link between your VPC and a Network Load Balancer (NLB), which is provided by Elastic Load Balancing.

https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/

The historical context follows.

As of now, there is no simple and foolproof way to do this, because your services that are accessible to API Gateway need to be accessible via/exposed to the public Internet and there is no built in trust mechanism by which you can be assured that such a request actually originated from any API Gateway deployment, much less your API Gateway deployment.

Amazon seems to have solved the issue of authenticating requests to your back-end services as having assuredly come, not only from API Gateway, but from your API Gateway instance. As before, endpoints still need to be exposed to the Internet, since the source IP address is not predictable -- but API gateway now supports client SSL certificates, which the back-side of API Gateway uses to authenticate itself to the front-side of your back-end service, that API gateway is calling.

Q: Can Amazon API Gateway work within an Amazon VPC?

No. Amazon API Gateway endpoints are always public to the Internet. Proxy requests to backend operations also need to be publicly accessible on the Internet. However, you can generate a client-side SSL certificate in Amazon API Gateway to verify that requests to your backend systems were sent by API Gateway using the public key of the certificate.

Q: Can I verify that it is API Gateway calling my back end?

Yes. Amazon API Gateway can generate a client-side SSL certificate and make the public key of that certificate available to you. Calls to your backend can be made with the generated certificate, and you can verify calls originating from Amazon API Gateway using the public key of the certificate.

https://aws.amazon.com/api-gateway/faqs/#security

When you generate a client certificate in the API Gateway console, you're provided with the public key for that certificate. For security, the private key is retained by API Gateway and is not accessible to you. API Gateway will present the public key to your back-end when negotiating SSL. Any peer not presenting that same public key is not API gateway, and your back-end should deny SSL negotiation.

If a malicious actor should ever come into possession of the public key, they would still not be able to communicate with your back-end over SSL, because they would lack the mated private key, which is only known to API Gateway. (Your side of the interaction would be encrypted using your SSL certificate and its mated private key, which is, of course, known only to you.)

This capability addresses what previously appeared to be a significant limitation of the utility of API Gateway's HTTP proxy functionality... a limitation of such significance, in fact, that when I discovered the revised information, above, I began to doubt myself: Had this been there all along, and I had somehow managed to overlook it? The Wayback Machine says no, it's new. This information was added in September, 2015.
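The back-end side of the client-certificate check the answer describes, as an added example that is not part of the original answer and is not AWS code: a Python TLS server context that completes a handshake only with a client presenting the certificate API Gateway generated, plus a SHA-256 fingerprint pin applied after the handshake as a second check. The file paths, constant names and SAMPLE_* values are assumptions; the sample "certificate" bytes are a constructed placeholder, not a real certificate.

```python
"""Back-end enforcement of the API Gateway client certificate.

Added illustration, not code from the answer's author or from AWS.
Assumptions (all hypothetical): the client certificate generated in the
API Gateway console was downloaded to APIGW_CLIENT_CERT_PEM, and the
back end's own server certificate and key live at SERVER_CERT / SERVER_KEY.
"""
import base64
import hashlib
import hmac
import re
import ssl

APIGW_CLIENT_CERT_PEM = "/etc/backend/apigw-client-cert.pem"  # hypothetical path
SERVER_CERT = "/etc/backend/server.crt"                       # hypothetical path
SERVER_KEY = "/etc/backend/server.key"                        # hypothetical path

# Constructed placeholder standing in for the PEM API Gateway hands you.
# It is NOT a real certificate; it only exercises the PEM/fingerprint helpers.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BODY.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def peer_is_api_gateway(peer_der: bytes, pinned_fingerprint: str) -> bool:
    """True only if the peer presented exactly the pinned API Gateway certificate.

    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(cert_fingerprint(peer_der), pinned_fingerprint)


def build_server_context(apigw_cert_path: str = APIGW_CLIENT_CERT_PEM,
                         server_cert: str = SERVER_CERT,
                         server_key: str = SERVER_KEY) -> ssl.SSLContext:
    """TLS server context that aborts the handshake unless the client presents
    a certificate verifiable against the API Gateway client certificate.

    The certificate API Gateway generates is self-signed, so it is loaded as
    the only trust anchor. A client with no certificate, or with any other
    certificate, fails verification before a single HTTP byte is read, which
    is the "deny SSL negotiation" behaviour the answer calls for."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=apigw_cert_path)
    return ctx


def connection_is_from_api_gateway(conn: ssl.SSLSocket,
                                   pinned_fingerprint: str) -> bool:
    """Post-handshake pin on the exact certificate.

    Redundant while the trust store holds only the API Gateway certificate,
    but it keeps the check intact if other anchors are ever added to it."""
    peer_der = conn.getpeercert(binary_form=True)
    return peer_der is not None and peer_is_api_gateway(peer_der, pinned_fingerprint)


def pinned_fingerprint_from_pem(pem_text: str) -> str:
    """Compute the fingerprint to pin from the downloaded PEM text."""
    return cert_fingerprint(pem_to_der(pem_text))


if __name__ == "__main__":
    # Stand-alone demo on the constructed placeholder only.
    pin = pinned_fingerprint_from_pem(SAMPLE_PEM)
    print("pinned fingerprint:", pin)
    print("placeholder accepted:", peer_is_api_gateway(SAMPLE_DER, pin))
    print("other peer accepted:", peer_is_api_gateway(b"someone-else", pin))
```

In deployment the back end still listens on an Internet-reachable address, as the answer notes, because API Gateway's source addresses are not predictable; what changes is that every TLS handshake not carrying the API Gateway certificate is refused before any request reaches the application. Rotate the pin whenever a new client certificate is generated in the console.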
