DDOS APIGateway protection
I want to secure API Gateway (HTTP) with Cloudfront + WAF. After reading docs I think that API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront.
Is this approach considered as secure? Cloudflare is using Tunnel to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?
You can consider API Gateway Private Integrations. This will enable you to use API Gateway Private Endpoints
Thanks for answer @Rajarshi_D
I'm using HTTP API Gateway and I don't have problem with integrations that are exposed to the Internet. My concern is that my API Gateway is exposed to the Internet even when I'm using Cloudfront distribution in front of it. If someone will find where is my API Gateway, he will be able to attack it without going through Cloudfront.
Is there any way to hide API Gateway from the Internet and expose it through Cloudfront?
Relevant questions
DDOS APIGateway protection
asked 2 months agoHow are DDoS related charges handled?
Accepted Answerasked 3 months agosecure API GW with WAF
asked 2 months agoWhat are the benefits of using Amazon CloudFront together with Amazon API Gateway?
Accepted Answerasked 2 years agoAPI Gateway Attack Protection
Accepted Answerasked 3 years agoProtect HTTP Api Gateway with WAF
asked 2 months agoProtect and secure http API GW
Accepted Answerasked 2 months agoprotect http API GW when CF has S3 as origin
asked 2 months agoAPI Key injection for http API
asked 2 months agoHttp Api and response compression
asked 2 years ago