By using AWS re:Post, you agree to the Terms of Use
/DDOS APIGateway protection/

DDOS APIGateway protection


I want to secure API Gateway (HTTP) with Cloudfront + WAF. After reading docs I think that API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront.

Is this approach considered as secure? Cloudflare is using Tunnel to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?

2 Answers

You can consider API Gateway Private Integrations. This will enable you to use API Gateway Private Endpoints

answered 2 months ago

Thanks for answer @Rajarshi_D

I'm using HTTP API Gateway and I don't have problem with integrations that are exposed to the Internet. My concern is that my API Gateway is exposed to the Internet even when I'm using Cloudfront distribution in front of it. If someone will find where is my API Gateway, he will be able to attack it without going through Cloudfront.

Is there any way to hide API Gateway from the Internet and expose it through Cloudfront?

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions