DDOS APIGateway protection

Question

I want to secure API Gateway (HTTP) with Cloudfront + WAF. After reading docs I think that API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront.

Is this approach considered as secure? Cloudflare is using Tunnel to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?

Is this approach considered as secure? Cloudflare is using [Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/) to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?

Answer

Thanks for answer @Rajarshi_D

I'm using HTTP API Gateway and I don't have problem with integrations that are exposed to the Internet.
My concern is that my API Gateway is exposed to the Internet even when I'm using Cloudfront distribution in front of it. If someone will find where is my API Gateway, he will be able to attack it without going through Cloudfront.

Is there any way to hide API Gateway from the Internet and expose it through Cloudfront?

Answer

You can consider API Gateway Private [Integrations](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html).  This will enable you to use API Gateway Private [Endpoints](https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/)

DDOS APIGateway protection

관련 콘텐츠