Can I specify an HTTP endpoint in a VPC as a resource in AWS API Gateway?


Question

I have a situation where my product (some Web API) is living inside a VPC, i.e. with no external access at all. I'd like to expose part of this API (just a couple of HTTP methods) to be accessible from the internet. I'm trying to achieve this using AWS API Gateway, but it looks like I cannot make an internal ELB endpoint an API Gateway resource. Any ideas how I can do this?

Thanks, --Vovan

Answer

[Struck through in the original answer:] As of now, there is no simple and foolproof way to do this, because your services that are accessible to API Gateway need to be accessible via/exposed to the public Internet, and there is no built-in trust mechanism by which you can be assured that such a request actually originated from any API Gateway deployment, much less your API Gateway deployment.

Amazon seems to have solved the issue of authenticating requests to your back-end services as having assuredly come, not only from API Gateway, but from your API Gateway instance. As before, endpoints still need to be exposed to the Internet, since the source IP address is not predictable -- but API Gateway now supports client SSL certificates, which the back-side of API Gateway uses to authenticate itself to the front-side of your back-end service that API Gateway is calling.

Q: Can Amazon API Gateway work within an Amazon VPC?

No. Amazon API Gateway endpoints are always public to the Internet. Proxy requests to backend operations also need to be publicly accessible on the Internet. However, you can generate a client-side SSL certificate in Amazon API Gateway to verify that requests to your backend systems were sent by API Gateway using the public key of the certificate.

Q: Can I verify that it is API Gateway calling my backend?

Yes. Amazon API Gateway can generate a client-side SSL certificate and make the public key of that certificate available to you. Calls to your backend can be made with the generated certificate, and you can verify calls originating from Amazon API Gateway using the public key of the certificate.

Source: https://aws.amazon.com/api-gateway/faqs/#security

When you generate a client certificate in the API Gateway console, you're provided with the public key for that certificate. For security, the private key is retained by API Gateway and is not accessible to you. API Gateway will present the public key to your back-end when negotiating SSL. Any peer not presenting that same public key is not API Gateway, and your back-end should deny SSL negotiation.

If a malicious actor should ever come into possession of the public key, they would still not be able to communicate with your back-end over SSL, because they would lack the mated private key, which is only known to API Gateway. (Your side of the interaction would be encrypted using your SSL certificate and its mated private key, which is, of course, known only to you.)

This capability addresses what previously appeared to be a significant limitation of the utility of API Gateway's HTTP proxy functionality... a limitation of such significance, in fact, that when I discovered the revised information, above, I began to doubt myself: Had this been there all along, and I had somehow managed to overlook it? The Wayback Machine says no, it's new. This information was added in September, 2015.
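The back-end side of the check the answer describes, as an added example that is not part of the answer above and not AWS tooling: a Python TLS server context that trusts only the certificate API Gateway generated for the stage and refuses the handshake to any other peer, plus an application-level fingerprint pin on the certificate actually presented (covering the failure mode where no client certificate arrives at all). `APIGW_CLIENT_CERT_PEM` is a constructed placeholder standing in for the PEM the console hands you, not a real certificate, and `server_cert`/`server_key` are hypothetical paths to the back-end's own key pair.

```python
"""Verifying that the TLS peer calling the back-end is our API Gateway stage.

Added example, not the original answer's code. APIGW_CLIENT_CERT_PEM below is
a constructed stand-in for the certificate PEM that API Gateway returns when
you generate a client certificate; it is NOT a valid X.509 certificate and
only exercises the pinning logic.
"""
import hashlib
import hmac
import ssl
from typing import Optional

# Constructed placeholder bytes wrapped in PEM armour (assumption: in
# production this is the PEM downloaded from the API Gateway console / CLI).
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate"
APIGW_CLIENT_CERT_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def expected_fingerprint(pem: str = APIGW_CLIENT_CERT_PEM) -> str:
    """The pin: fingerprint of the certificate API Gateway generated."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def peer_is_api_gateway(peer_der: Optional[bytes],
                        pem: str = APIGW_CLIENT_CERT_PEM) -> bool:
    """Application-level pin check on the certificate the peer presented.

    False when no client certificate was presented (the handshake should
    already have failed under CERT_REQUIRED, but a mistake in the context
    setup must not silently become "accept everyone") and when the presented
    certificate is not byte-for-byte the pinned one.
    """
    if not peer_der:
        return False
    return hmac.compare_digest(fingerprint(peer_der), expected_fingerprint(pem))


def build_backend_context(server_cert: str, server_key: str,
                          apigw_pem: str = APIGW_CLIENT_CERT_PEM) -> ssl.SSLContext:
    """TLS server context that denies negotiation to any peer lacking the
    private key mated to the API Gateway certificate.

    server_cert / server_key: hypothetical paths to the back-end's own
    certificate and private key ("your side of the interaction").
    load_verify_locations needs a real PEM certificate, so this function
    cannot run against the constructed placeholder above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    # The only trust anchor is the single self-signed certificate API Gateway
    # generated; no public CA bundle is loaded, so a certificate issued by any
    # public CA is rejected at the handshake.
    ctx.load_verify_locations(cadata=apigw_pem)
    # CERT_REQUIRED: the handshake fails if the peer presents no certificate
    # or one that does not validate against the anchor above.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def accept_connection(tls_sock: ssl.SSLSocket,
                      pem: str = APIGW_CLIENT_CERT_PEM) -> bool:
    """Second layer, run on an accepted socket after the handshake succeeded."""
    return peer_is_api_gateway(tls_sock.getpeercert(binary_form=True), pem)
```

The TLS-level check is what actually stops an impostor: a peer that does not hold the private key retained by API Gateway cannot complete the handshake even if it has the public certificate. The fingerprint pin on top of it guards against the context being misconfigured (for example, a default CA bundle accidentally loaded alongside the gateway certificate). Whenever a new client certificate is generated and attached to the stage, both the trust anchor and the pin must be replaced.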
