AWS API Gateway private integration with mutual TLS


Is mutual TLS supported with private resource integration in HTTP API Gateway? I created an HTTP integration that routes traffic into a private ALB's HTTP listener. After that I implemented mutual TLS by using this guide: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/ While testing certificate authentication I created a second set of certificates and used the second set's client key and pem to authenticate successfully against the first set's keystore. This behavior should not be possible. With this configuration API Gateway demands that the client sends a certificate and key, but never verifies them against the specified truststore. I tested this setup by switching the private integration to a Lambda integration and TLS operated like it should, by verifying the certificate against the truststore.

How to reproduce:
- create an HTTP API Gateway API with Lambda integration (used ANY /)
- create a custom domain for the API, with mutual TLS enabled and the default endpoint disabled
- create 2 sets of certificates and client keys
- TLS should check the validity of the client certificate and prevent mixing certificates between sets
- switch the Lambda integration to a private ALB integration with an HTTP listener
- test TLS again by mixing certificates
- API Gateway accepts mixed certificates
- As a side effect, in this configuration the gateway ignores the default endpoint disable setting and enables bypassing TLS completely.
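The mixed-certificate check from the reproduction steps, as an added example that is not part of the original post: a local TLS server is given set A's CA as its truststore and must accept set A's client certificate but reject set B's. It assumes the `openssl` CLI is on PATH; the two certificate sets are constructed in a temporary directory at runtime.

```python
import socket, ssl, subprocess, tempfile, threading

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_set(d, name):
    """Constructed test PKI: CA `name` plus one leaf certificate it signed."""
    ca, cakey = f"{d}/{name}-ca.pem", f"{d}/{name}-ca.key"
    crt, key, csr = f"{d}/{name}.pem", f"{d}/{name}.key", f"{d}/{name}.csr"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", cakey,
             "-out", ca, "-subj", f"/CN={name}-ca", "-days", "1")
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
             "-out", csr, "-subj", f"/CN={name}-leaf")
    _openssl("x509", "-req", "-in", csr, "-CA", ca, "-CAkey", cakey,
             "-CAcreateserial", "-out", crt, "-days", "1")
    return ca, crt, key

def client_accepted(truststore, srv_cert, srv_key, cli_cert, cli_key):
    # True if a server verifying clients against `truststore` accepts cli_cert.
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(srv_cert, srv_key)
    srv.load_verify_locations(truststore)   # plays the API Gateway truststore
    srv.verify_mode = ssl.CERT_REQUIRED     # demand a client cert AND verify it
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    outcome = []
    def serve():
        conn, _ = lsock.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1); tls.sendall(b"ok")  # only reached after chain verified
                outcome.append(True)
        except (ssl.SSLError, OSError): outcome.append(False)  # verify failed
    t = threading.Thread(target=serve); t.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False; cli.verify_mode = ssl.CERT_NONE  # test only
    cli.load_cert_chain(cli_cert, cli_key)
    try:
        with cli.wrap_socket(socket.create_connection(lsock.getsockname())) as s:
            s.sendall(b"x"); s.recv(2)       # rejection surfaces here as alert/reset
    except (ssl.SSLError, OSError): pass
    t.join(); lsock.close()
    return outcome[0]

def run_check():
    with tempfile.TemporaryDirectory() as d:
        ca_a, cert_a, key_a = make_set(d, "a")
        _, cert_b, key_b = make_set(d, "b")      # second set, different CA
        _, srv_cert, srv_key = make_set(d, "server")
        same = client_accepted(ca_a, srv_cert, srv_key, cert_a, key_a)
        mixed = client_accepted(ca_a, srv_cert, srv_key, cert_b, key_b)
    return same, mixed   # expected (True, False): mixed certificates rejected
```

A gateway that truly verifies against its truststore behaves like the `mixed` case here; an endpoint that merely demands a certificate would return True for both.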

1 answer

As per the doc (https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html), private APIs don't support mutual TLS.

In order to do that, you would need something like: Client -> NLB -> Proxy (to handle mTLS) -> interface VPC endpoint for API Gateway -> private API

You can have a look at this blog post: https://aws.amazon.com/pt/blogs/aws-brasil/suportando-mutual-tls-mtls-utilizando-certificados-do-icp-brasil-para-o-open-banking-no-brasil-utilizando-o-amazon-api-gateway/, it's in Portuguese but you will see the architecture, and can probably translate.

AWS
answered 2 years ago
Expert
reviewed 2 years ago
  • I'm aware that mutual TLS for private API gateways is not supported, but in my case I'm using a public API gateway with a VPC link. Shouldn't this configuration be supported, as the only difference between the functional and nonfunctional configurations is to swap the Lambda integration with a VPC link integration?
