Optimal Method for Establishing Connectivity from On-Premises Web Server to AWS Public API Gateway via Direct Connect

0

Hello Everyone,

I am currently working on a solution to establish connectivity from our on-premises setup to the AWS Public API Gateway. In our scenario, we lack a firewall for secure access to the public network from on-prem, but we do have a Direct Connect in place. I'm exploring possibilities to leverage AWS for secure access to a public resource.

The proposed plan involves the following steps, utilizing the API Gateway as a reverse proxy:

On-Prem Infra -->> Direct Connect (DX) --> VPC Endpoint --> VPC --> Private API GATEWAY --> Public endpoint

This setup aims to facilitate a secure pathway for accessing the public API Gateway. I would greatly appreciate any feedback or suggestions you may have regarding this approach.

Best regards, Anil

2 Answers
1

By default, a DX connection is not encrypted at rest, so you can use a Site-to-Site VPN connection to combine with your solution to create a secure layer. Here are some refs for you: https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html

answered 4 months ago
  • Interesting approach, but I'm not really concerned about in-transit security at this moment; rather, my focus is to avoid direct interaction with the public network. Using VPN and transit GW means higher bills as well.

0

This approach, i.e., connecting from on prem to API Gateway to connect to the internet will work. You need to define a Private API and access it via the VPC Endpoint.

Even though the API is Private, you can use it to access public resources. A Private API means that you can access it only from a VPC.

AWS
EXPERT
Uri
answered 4 months ago
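
For the Private API behind a VPC Endpoint that the answer above describes, here is an added example (not part of the original thread) that builds a resource policy pinning invokes to one endpoint, checks a policy for that pin, and forms the request an on-prem client would send through the endpoint's DNS name. The endpoint ID, API ID, region, stage and function names are constructed placeholders, and the check looks only at `aws:SourceVpce` conditions, not at action or resource scope.

```python
# Added example; all identifiers below are constructed placeholders.
VPCE_ID = "vpce-0123456789abcdef0"


def private_api_policy(vpce_id):
    """Resource policy that denies any invoke not arriving through vpce_id."""
    common = {"Principal": "*", "Action": "execute-api:Invoke",
              "Resource": "execute-api:/*"}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", **common,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        {"Effect": "Allow", **common},
    ]}


def _vpces(stmt, operator):
    """aws:SourceVpce values under a condition operator, always as a list."""
    value = stmt.get("Condition", {}).get(operator, {}).get("aws:SourceVpce", [])
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy, vpce_id):
    """Return problems found; an empty list means invokes are pinned to vpce_id."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    denies = [s for s in stmts if s.get("Effect") == "Deny"]
    # A Deny on "not this endpoint" overrides any broader Allow.
    pinned = any(_vpces(s, "StringNotEquals") == [vpce_id] for s in denies)
    findings = []
    if not allows:
        findings.append("no Allow statement: every invoke is rejected")
    for s in allows:
        if not pinned and _vpces(s, "StringEquals") != [vpce_id]:
            findings.append("Allow is not restricted to the expected VPC endpoint")
    return findings


def onprem_request(vpce_dns, api_id, region, stage, path):
    """URL and headers for a client that reaches the endpoint over DX but
    cannot resolve the API's private execute-api name."""
    url = f"https://{vpce_dns}/{stage}/{path.lstrip('/')}"
    return url, {"Host": f"{api_id}.execute-api.{region}.amazonaws.com"}
```

The `Host` header carries the API's own execute-api name so that API Gateway can route a request that was addressed to the endpoint's DNS name.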
