
Firewall Appliance in front of API Gateway


Hi Gurus, I have an organisation which desires that traffic is private and runs through a traditional security perimeter which includes an AWS Firewall! Some consumers are external and call the API Gateway from the internet using a RESTful call. The intention is that the API Gateway uses a private endpoint inside a DMZ VPC behind a WAF and Firewall, but is presented externally (potentially using the AWS Firewall to achieve this, which routes the traffic to the private API Gateway). The organisation would like the DMZ API Gateway to call another Service API Gateway, which then calls the APIs in the same VPC via their private endpoint. The initial call to the DMZ API Gateway uses OpenID Connect for authentication. The internal APIs call each other using Mutual TLS Auth. I have provided a basic diagram of the desired setup, but based on my research I am not sure this is feasible. Can anyone provide information as to whether this is possible, and suggest a configuration that could be used? We are happy to use other devices such as an NLB etc. to achieve this objective. Many thanks in advance.

High Level Architecture

1 Answer

First, this architecture won't work because you can't present a Network Firewall endpoint publicly. You must have something that has an Elastic IP attached to it (so in this case, probably Application Load Balancer) and then direct the traffic to Network Firewall.

Second, I wouldn't recommend this architecture. Given the features available in API Gateway (in terms of pulling inbound requests apart, checking them for validity, and acting as an ingress point for all requests) and that you can attach WAF to API Gateway, I would question the value of adding a firewall to the mix. In short, I think there are better ways of doing this, although I totally understand that customers are often comfortable with the approach of "but this is the way we've always done it".

If it were me, I'd use API Gateway and (maybe) WAF to go with it - because it provides a high level of security for a low level of complexity.

Given the complexity of this design and the customer requirements I'd strongly recommend that you get in touch with your local AWS Solutions Architect to discuss the best way forward. Not trying to avoid a conversation here - more that this is something much easier accomplished interactively rather than in this particular format.

answered 23 days ago
  • Thanks very much for your response. I appreciate your comments that this may not be the best architecture, but it may be the only architecture I can get through a traditional security team. The organisation also has a hard requirement for IPS, which may involve using a 3rd-party IPS device, i.e. a Firewall with IPS as the front door, and removing the AWS Firewall from the architecture. With this in mind, if I place a 3rd-party Firewall/IPS device inline and remove the AWS Firewall, would the architecture be viable? I will also use the company channels to initiate a conversation with an AWS architect interactively.

  • Yes, you can place a third-party IPS/Firewall device as the primary, Internet-facing device - but then that leads to scaling issues and single-point-of-failure problems. You could put a load balancer (again: ALB) in front of the IPS/Firewall appliance, and while that is better, it's still not a great solution. There are other ways to do this, but (as you've pointed out) they are difficult to propose to customers who are still thinking traditionally.
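The shape the answer recommends, API Gateway with a WAF web ACL attached to the stage plus mutual TLS on the custom domain (which is how API Gateway itself enforces client certificates), written out as Terraform. This is an added example and not configuration from the original post or from AWS; the API name, the mock /health route, the domain name, the ACM certificate variable and the S3 truststore URI are assumptions.

```hcl
variable "acm_certificate_arn" { type = string }   # assumed: regional ACM cert

# Regional REST API defined inline (OpenAPI) with a mock /health route.
# disable_execute_api_endpoint matters: with mTLS on the custom domain,
# the default execute-api hostname would otherwise let callers skip mTLS.
resource "aws_api_gateway_rest_api" "dmz" {
  name                         = "dmz-api"   # assumed name
  disable_execute_api_endpoint = true
  endpoint_configuration {
    types = ["REGIONAL"]
  }
  body = jsonencode({
    openapi = "3.0.1"
    info    = { title = "dmz-api", version = "1" }
    paths = {
      "/health" = {
        get = {
          responses = { "200" = { description = "ok" } }
          "x-amazon-apigateway-integration" = {
            type             = "mock"
            requestTemplates = { "application/json" = "{\"statusCode\": 200}" }
            responses        = { default = { statusCode = "200" } }
          }
        }
      }
    }
  })
}

resource "aws_api_gateway_deployment" "dmz" {
  rest_api_id = aws_api_gateway_rest_api.dmz.id
  triggers    = { redeployment = sha1(aws_api_gateway_rest_api.dmz.body) }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.dmz.id
  deployment_id = aws_api_gateway_deployment.dmz.id
  stage_name    = "prod"
}

# WAF web ACL with the AWS managed common rule set (SQLi/XSS/bad inputs).
resource "aws_wafv2_web_acl" "dmz" {
  name  = "dmz-api-acl"
  scope = "REGIONAL"   # REGIONAL is required for API Gateway stages
  default_action {
    allow {}
  }
  rule {
    name     = "common"
    priority = 1
    override_action {
      none {}   # keep the rule group's own block actions
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "dmz-api-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the stage; WAF runs before any authorizer is invoked.
resource "aws_wafv2_web_acl_association" "dmz" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.dmz.arn
}

# Custom domain with mutual TLS: client certs must chain to the CA bundle in S3.
resource "aws_api_gateway_domain_name" "dmz" {
  domain_name              = "api.example.com"          # assumed
  regional_certificate_arn = var.acm_certificate_arn
  security_policy          = "TLS_1_2"
  endpoint_configuration {
    types = ["REGIONAL"]
  }
  mutual_tls_authentication {
    truststore_uri = "s3://example-truststore/ca-bundle.pem"   # assumed bucket
  }
}

resource "aws_api_gateway_base_path_mapping" "dmz" {
  api_id      = aws_api_gateway_rest_api.dmz.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  domain_name = aws_api_gateway_domain_name.dmz.domain_name
}
```

The check to make after applying this is that a request to the default `https://<api-id>.execute-api.<region>.amazonaws.com/prod/health` hostname is refused, and that a request to the custom domain without a client certificate from the truststore fails the TLS handshake; if either succeeds, the mTLS requirement is being bypassed. The OpenID Connect step at the first hop is not shown here: on a REST API that is a Lambda or Cognito authorizer, which WAF is evaluated ahead of.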


