API Gateway and a FW Appliance: will one do it all?


We are migrating most of our on-prem to AWS, but will have a VPN connection between them. Traditionally we have used FortiGate FWs on-premise, which act as the GW for all traffic from the internet. A lot of our customers connect to APIs and websites we host.

On-prem, the APIs use the Kong GW behind the FortiGates, and for the websites we use an NLB behind the FortiGates.

I'm stuck between the decision of using an API gateway with CloudFront alone or using a FW appliance in front of the API GW.

The API GW only deals with HTTP & HTTPS traffic; hence, for other services we may be putting in AWS, I would have thought we would need a FW appliance.

As the AWS account will be dealing with Ingress Internet traffic, we will need traffic inspection which both solutions provide.

We will also be creating multiple VPCs for DEV, ITG and Prod. So I was looking at the GWLB so we could also create a Security VPC with FW Appliances that could serve the different VPCs for Ingress and Egress traffic.

Is it normal to want to use a FW appliance and API GW at the same time? I see no examples on the internet.

I'm aware you can put a WAF device between CloudFront and the API GW, and I'm also aware you can put your API GW behind a FW appliance in a private subnet.

I just want to follow best practice. Surely an API GW will not do everything for me; what about all the other services/protocols which may be in use?

The API GW will be needed, but I'm also thinking I will need a FW Appliance.


1 Answer

There's a lot to unpack here and this answer won't do it justice - I strongly recommend that you reach out to your local AWS Solutions Architect who can have a conversation with you in depth about this. If they can't, they can find a networking expert who can. That said:

I would always use an API Gateway instead of a firewall for API Gateway "type tasks" for many reasons. First, API Gateway is scalable and you only pay for what you use. You also get very fine-grained controls, down to the method level. You can modify requests and check for specific attributes, all without scaling your back end.

But: If you're dealing with other types of traffic (non HTTP) then a firewall might be the best choice.

You're right, API Gateway won't do everything for you. But neither will a firewall.

answered a month ago
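The controls the answer refers to (method-level validation, request attribute checks, and an inspection layer in front of the API) can be expressed as an API Gateway stage with a request validator, an IP allowlist resource policy, and an AWS WAF web ACL attached to the stage. The CloudFormation template below is an added illustration for this thread, not code from the asker or the answerer; the API name, the `/orders` path, the `BackendUrl` parameter and the `203.0.113.0/24` allowlist range are placeholders chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: a regional REST API with method-level request validation,
  a source-IP resource policy, and an AWS WAF web ACL on the prod stage.
  Names, path and CIDR are placeholders chosen for this illustration.

Parameters:
  BackendUrl:
    Type: String
    Description: HTTPS origin the API proxies to (placeholder, e.g. https://kong.internal.example)
  AllowedCidr:
    Type: String
    Default: 203.0.113.0/24   # documentation range used as a placeholder allowlist
    Description: Customer source range allowed to invoke the API

Resources:
  OrdersApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: orders-api
      EndpointConfiguration:
        Types: [REGIONAL]      # regional endpoint so CloudFront can sit in front of it
      # Resource policy: a firewall-style source-IP allowlist evaluated by API Gateway itself
      Policy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              IpAddress:
                aws:SourceIp: !Ref AllowedCidr

  # Rejects requests with missing/invalid parameters before the backend sees them
  StrictValidator:
    Type: AWS::ApiGateway::RequestValidator
    Properties:
      RestApiId: !Ref OrdersApi
      Name: validate-all
      ValidateRequestBody: true
      ValidateRequestParameters: true

  OrdersResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref OrdersApi
      ParentId: !GetAtt OrdersApi.RootResourceId
      PathPart: orders

  # Method-level control: only GET is exposed, and customerId is mandatory
  GetOrders:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref OrdersApi
      ResourceId: !Ref OrdersResource
      HttpMethod: GET
      AuthorizationType: NONE
      RequestValidatorId: !Ref StrictValidator
      RequestParameters:
        method.request.querystring.customerId: true
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: GET
        Uri: !Sub "${BackendUrl}/orders"

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: GetOrders
    Properties:
      RestApiId: !Ref OrdersApi

  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref OrdersApi
      DeploymentId: !Ref Deployment
      StageName: prod

  # Layer-7 inspection in front of the stage; REGIONAL scope is required for API Gateway
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: orders-api-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ordersApiAcl
      Rules:
        - Name: AWSManagedCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}              # keep the managed group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: commonRuleSet

  AclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${OrdersApi}/stages/${ProdStage}"
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

Everything in this template acts on HTTP(S) only, which is the point the answer makes: it covers the Kong-style API tasks (method allowlisting, parameter validation, source-IP policy, WAF inspection) but does nothing for the non-HTTP protocols the question mentions, which is where a firewall appliance behind a Gateway Load Balancer in a security VPC would still be needed. If CloudFront is placed in front of this API, a second web ACL with `Scope: CLOUDFRONT` (deployed in us-east-1) is what attaches to the distribution; the REGIONAL ACL here only protects direct calls to the regional endpoint.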
