I encounter connectivity issues in Amazon API Gateway and receive error messages such as "Connection refused" or "Access denied". I want to know how to manage dynamic IP address changes in API Gateway for my application.
Short description
You might get the "Connection refused" or "Access denied" error message for the following reasons:
- You allowed a specific API Gateway endpoint IP address in your application firewall, and that address has since changed.
- You used the endpoint's IP address as the destination in a DNS record, instead of pointing the record at the endpoint's DNS name, and that address has since changed.
To resolve these issues, take the following actions.
Resolution
Identify relevant IP address ranges
Review the current JSON-formatted IP address ranges in ip-ranges.json. The API_GATEWAY ranges published there are the source addresses of API Gateway's outbound traffic, not the addresses that clients connect to, and all of the published ranges change frequently. Which ranges you allow depends on the endpoint type.
Based on your endpoint or API type, use the following service identifiers to identify relevant IP addresses:
- For AWS Regional API endpoints: API_GATEWAY, AMAZON, EC2
- For HTTP APIs: API_GATEWAY, AMAZON, EC2
- For edge-optimized endpoints: CLOUDFRONT
Note: For Regional endpoints and HTTP APIs, API_GATEWAY lists only outbound addresses. For inbound addresses, use AMAZON or EC2; EC2 is a subset of the AMAZON ranges. For edge-optimized endpoints, CLOUDFRONT includes both the CLOUDFRONT_GLOBAL_IP_LIST and CLOUDFRONT_REGIONAL_EDGE_IP_LIST ranges, and you must allow both.
To list all the IPv4 address ranges for a service identifier, such as API_GATEWAY, download ip-ranges.json from https://ip-ranges.amazonaws.com/ip-ranges.json and run the following command:
- jq -r '.prefixes[] | select(.service=="API_GATEWAY") | .ip_prefix' < ip-ranges.json
Note: Replace API_GATEWAY with the service identifier that you want the ranges for. The command lists only IPv4 ranges; IPv6 ranges are in the separate ipv6_prefixes array under the ipv6_prefix key.
To maintain the list of IP address ranges in one place and reference it from multiple security groups and route tables, create an Amazon Virtual Private Cloud (Amazon VPC) customer-managed prefix list. For more information, see Customer-managed prefix lists.
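The selection rules above, as an added Python example that is not part of the AWS article: it parses a constructed ip-ranges.json sample (documentation prefixes with invented service assignments), filters by service and Region the way the jq command does, collapses the result into the shortest list a firewall needs, checks the claim that EC2 is a subset of AMAZON, and classifies a single address against the lists. The function names, the sample file and the endpoint-type labels are assumptions made for the example.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json (documentation prefixes, invented
# service assignments). The real file also has a network_border_group key, ignored here.
SAMPLE_IP_RANGES_JSON = """{
  "syncToken": "1700000000",
  "createDate": "2023-11-14-22-13-20",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/25",  "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "API_GATEWAY"},
    {"ip_prefix": "192.0.2.0/24",    "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/25",    "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.128/25",  "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "198.18.0.0/16",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.19.0.0/16",   "region": "us-east-1", "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"}
  ]
}"""


def load_ranges(text):
    """Parse ip-ranges.json and check for the keys the functions below rely on."""
    ranges = json.loads(text)
    missing = [k for k in ("syncToken", "createDate", "prefixes", "ipv6_prefixes") if k not in ranges]
    if missing:
        raise ValueError(f"ip-ranges.json is missing {missing}")
    return ranges


def fetch_ranges(url=IP_RANGES_URL):
    """Download and parse the live file (needs network; not used by the sample run)."""
    with urllib.request.urlopen(url) as resp:
        return load_ranges(resp.read().decode())


def _entries(ranges, ipv6):
    """(key, list) for the IPv4 or IPv6 half of the file."""
    return ("ipv6_prefix", ranges["ipv6_prefixes"]) if ipv6 else ("ip_prefix", ranges["prefixes"])


def select_prefixes(ranges, services, region=None, ipv6=False):
    """CIDRs published for any of `services`, optionally limited to one Region.
    Same selection as: jq '.prefixes[] | select(.service=="X") | .ip_prefix'."""
    key, entries = _entries(ranges, ipv6)
    return {e[key] for e in entries
            if e["service"] in services and (region is None or e["region"] == region)}


def collapse(cidrs):
    """Merge adjacent CIDRs and drop covered ones, so the firewall gets the shortest list."""
    return [str(n) for n in ipaddress.collapse_addresses([ipaddress.ip_network(c) for c in cidrs])]


def covered_by(inner, outer):
    """True if every CIDR in `inner` lies inside some CIDR in `outer` (e.g. EC2 within AMAZON)."""
    outer_nets = [ipaddress.ip_network(c) for c in outer]
    return all(any(ipaddress.ip_network(c).subnet_of(o) for o in outer_nets) for c in inner)


def services_for(ranges, ip):
    """(service, region) pairs whose ranges contain `ip`: handy for classifying the address
    a firewall just rejected with 'connection refused'."""
    addr = ipaddress.ip_address(ip)
    key, entries = _entries(ranges, addr.version == 6)
    return sorted({(e["service"], e["region"]) for e in entries if addr in ipaddress.ip_network(e[key])})


def inbound_allowlist(ranges, endpoint_type, region=None):
    """Source ranges to allow toward an API Gateway endpoint, per the rules in the text:
    Regional/HTTP -> AMAZON for that Region (EC2 is a subset of it; API_GATEWAY is the
    outbound range and the wrong list for inbound), edge-optimized -> all CLOUDFRONT
    entries, which covers both the GLOBAL and the Regional edge ranges."""
    if endpoint_type in ("regional", "http"):
        if region is None:
            raise ValueError("a Region is required for Regional and HTTP API endpoints")
        return collapse(select_prefixes(ranges, {"AMAZON"}, region))
    if endpoint_type == "edge":
        return collapse(select_prefixes(ranges, {"CLOUDFRONT"}))
    raise ValueError(f"unknown endpoint type {endpoint_type!r}")


RANGES = load_ranges(SAMPLE_IP_RANGES_JSON)

if __name__ == "__main__":
    print("Regional us-east-1 inbound:", inbound_allowlist(RANGES, "regional", "us-east-1"))
    print("Edge-optimized inbound:    ", inbound_allowlist(RANGES, "edge"))
    print("203.0.113.10 belongs to:   ", services_for(RANGES, "203.0.113.10"))
```

Replace `RANGES` with `fetch_ranges()` to run against the live file. Collapsing matters when you write the result into a prefix list or firewall with an entry quota: in the sample, the two adjacent CLOUDFRONT /16 blocks become one /15 and the two EC2 halves of 192.0.2.0/24 become the /24 that AMAZON already lists.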
Subscribe to IP address range change notifications
IP address range changes don't follow a defined schedule. To get notified, subscribe to the AmazonIpSpaceChanged Amazon Simple Notification Service (Amazon SNS) topic (arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged), which publishes a message each time ip-ranges.json is updated. For more information, see AWS IP address range notifications.
IP address range change notification example:
{
"create-time":"yyyy-mm-ddThh:mm:ss+00:00",
"synctoken":"0123456789",
"md5":"6a45316e8bc9463c9e926d5d37836d33",
"url":"https://ip-ranges.amazonaws.com/ip-ranges.json"
}
Implement an automated process to update firewall rules for AWS hosted resources
To automate firewall rule updates, use the AWS Lambda console to add the AmazonIpSpaceChanged Amazon SNS topic as a trigger for a Lambda function. The function downloads the file named in the notification, verifies that the file's MD5 hash matches the md5 value in the notification, and compares the new ranges with a previously stored copy of ip-ranges.json in Amazon Simple Storage Service (Amazon S3). Then, the function uses an AWS SDK to add the new ranges to, and remove the retired ranges from, your security groups or AWS WAF IP sets, and stores the new file as the baseline for the next run. For more information, see Building a difference checker with Amazon S3 and AWS Lambda.
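The difference checker described above, as an added Python example rather than code from the AWS article or the linked blog post: it checks the downloaded file against the md5 in the notification, refuses files whose syncToken is not newer than the stored copy, diffs the selected ranges, and builds the IpPermissions payloads for the EC2 authorize/revoke security group ingress calls. The sample files and notification are constructed inline (invented prefixes; the md5 is computed from the sample so the check passes), and the environment variable names, the rule description, port 443 and the use of the AMAZON list are assumptions.

```python
import hashlib
import json
import os

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
RULE_DESCRIPTION = "aws-ip-ranges auto-managed"  # assumed marker for rules this function owns


def cidrs_for(ranges, services, region):
    """IPv4 CIDRs published for the given services in one Region."""
    return {p["ip_prefix"] for p in ranges["prefixes"]
            if p["service"] in services and p["region"] == region}


def verify_download(body, notification):
    """Parse ip-ranges.json only if it matches the md5 announced in the SNS message."""
    digest = hashlib.md5(body).hexdigest()
    if digest != notification["md5"]:
        raise ValueError(f"downloaded file md5 {digest} != announced {notification['md5']}")
    return json.loads(body)


def sg_permissions(cidrs, port=443):
    """IpPermissions payload for authorize_/revoke_security_group_ingress; [] if nothing changed."""
    if not cidrs:
        return []
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": RULE_DESCRIPTION} for c in cidrs]}]


def plan_update(old_body, new_body, notification, services, region):
    """Diff the stored and freshly downloaded files and return the security group calls to make."""
    new = verify_download(new_body, notification)
    old = json.loads(old_body)
    # syncToken is a publication timestamp: reject replays and out-of-order deliveries.
    if int(new["syncToken"]) <= int(old["syncToken"]):
        raise ValueError("new file is not newer than the stored copy")
    old_set, new_set = cidrs_for(old, services, region), cidrs_for(new, services, region)
    added, removed = sorted(new_set - old_set), sorted(old_set - new_set)
    return {"added": added, "removed": removed,
            "authorize": sg_permissions(added), "revoke": sg_permissions(removed)}


def lambda_handler(event, context):
    """SNS-triggered entry point (not run by the offline sample). Assumed env vars:
    STATE_BUCKET/STATE_KEY for the stored copy and SECURITY_GROUP_ID; AWS_REGION is set by Lambda."""
    import boto3  # present in the Lambda Python runtime
    import urllib.request
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    if message["url"] != IP_RANGES_URL:  # never fetch an arbitrary URL taken from a message
        raise ValueError(f"unexpected URL in notification: {message['url']}")
    with urllib.request.urlopen(message["url"]) as resp:
        new_body = resp.read()
    bucket, key = os.environ["STATE_BUCKET"], os.environ["STATE_KEY"]
    s3 = boto3.client("s3")
    old_body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    plan = plan_update(old_body, new_body, message, {"AMAZON"}, os.environ["AWS_REGION"])
    ec2, sg = boto3.client("ec2"), os.environ["SECURITY_GROUP_ID"]
    if plan["authorize"]:  # add first so there is no window with no allowed source
        ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=plan["authorize"])
    if plan["revoke"]:
        ec2.revoke_security_group_ingress(GroupId=sg, IpPermissions=plan["revoke"])
    s3.put_object(Bucket=bucket, Key=key, Body=new_body)  # persist the baseline only after applying
    return {"added": plan["added"], "removed": plan["removed"]}


# --- Constructed sample data (invented prefixes) so the logic runs offline ---
OLD_BODY = json.dumps({"syncToken": "1700000000", "createDate": "2023-11-14-22-13-20", "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"}],
    "ipv6_prefixes": []}).encode()
NEW_BODY = json.dumps({"syncToken": "1700003600", "createDate": "2023-11-14-23-13-20", "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},  # range shrank
    {"ip_prefix": "203.0.114.0/24", "region": "us-east-1", "service": "AMAZON"},   # new range
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"}],
    "ipv6_prefixes": []}).encode()
NOTIFICATION = {"create-time": "2023-11-14T23:13:20+00:00", "synctoken": "1700003600",
                "md5": hashlib.md5(NEW_BODY).hexdigest(), "url": IP_RANGES_URL}

if __name__ == "__main__":
    print(json.dumps(plan_update(OLD_BODY, NEW_BODY, NOTIFICATION, {"AMAZON"}, "us-east-1"), indent=2))
```

The AMAZON list for a single Region has far more entries than a security group's default inbound rule quota, so in practice the same added/removed lists are better written to the customer-managed prefix list described earlier (ec2 modify_managed_prefix_list with AddEntries and RemoveEntries) and the security group references the list. The md5 check only confirms that what was downloaded is the file the notification announced; trust in the notification itself comes from subscribing to the AWS-owned topic.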
Use a static IP address workaround
Note: The following workarounds might incur additional costs and latency to your setup.
Use a Network Load Balancer
A Network Load Balancer gets one static IP address for each enabled Availability Zone, and you can assign an Elastic IP address for each Availability Zone instead. Your clients and their firewalls use these addresses as the fixed front end of your application.
Use the Network Load Balancer to route client requests to an Amazon Elastic Compute Cloud (Amazon EC2) instance, and then proxy the requests from that instance to API Gateway. To proxy the requests, install NGINX on the instance as a reverse proxy. Configure the proxy to resolve the API Gateway hostname at request time rather than once at startup, and to send the API's hostname in the Host header and TLS server name, so that the proxy itself isn't broken by the same IP address changes. For instructions, see Installing nginx on the NGINX website.
Use Global Accelerator
AWS Global Accelerator provides static IP addresses that serve as a fixed entry point to your internet-facing APIs for end users.
Use Global Accelerator to get static IP addresses that act as a fixed entry point to your application endpoints in one or more Regions. Then, use Application Load Balancers, Network Load Balancers, or Amazon EC2 instances behind the accelerator to proxy the API requests to API Gateway. For more information, see Accessing an AWS API Gateway via static IP addresses provided by AWS Global Accelerator.
Note: If your network must accept only the internet-facing traffic for this application and reject all other traffic, then add the Global Accelerator static IP addresses to your security policies.
Use a Lambda integration
Complete the following steps:
- Create a Lambda integration on the API.
- Attach the Lambda function to a virtual private cloud (VPC), using private subnets that route outbound traffic through a NAT gateway that has an Elastic IP address.
- Outbound calls from the function then leave through the NAT gateway's Elastic IP address in the public subnets, so external services see a single, static source IP address that you can allow.
- To restrict inbound traffic, add that static IP address to the security policies or firewalls of your backend applications.
Related information
AWS IP address ranges