WAF rule to only allow http(s) requests from AWS API Gateway in ap-southeast-1 and us-west-2


What is the best approach to define a WAF rule to allow http(s) traffic from AWS API gateway in ap-southeast-1 and us-west-2? Can I create and use an IP set with the API_GATEWAY ip addresses in ip-ranges.json? Any other better way? How do I keep track of the changes of the API gateway ip addresses in ip-ranges.json so that it won't create false positive in the long run?

1 Answer

Hello.

I think you need to allow the backend IP address of API Gateway in AWS WAF.
In other words, for Lambda, you will need the Lambda IP address, and for EC2, you will need the EC2 IP address.
Since it is the backend resource that makes the http request, I don't think I can access it even if I allow the API Gateway IP address in the AWS WAF.

How do I keep track of the changes of the API gateway ip addresses in ip-ranges.json so that it won't create false positive in the long run?

I think you can use the SNS topic described in the document below to detect updates to ip-ranges.json.
I think it is possible to use the following SNS topic to notify when a change occurs and change the IP address range with Lambda etc.
https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html#subscribe-notifications

arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged

EXPERT, answered 6 months ago
AWS EXPERT, reviewed 6 months ago
  • Hi, our Web ACL is to protect the backend services on ECS fargate. Our API is before WAF. So we want to use the originates from ip address rule in WAF to only allow requests through AWS API gateway.

  • Are you saying that you only want to access ECS from API Gateway? In that case, I think you should use API Gateway's VPC Link as shown in the document below. By using VPC Link, it is possible to configure API Gateway using ECS in a private subnet. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vpc-links.html

  • We would like to allow, say, 90% of the traffic to pass through to the backend ECS service if the request is from AWS API Gateway. We will allow the remaining 10% to access the ECS service directly if they meet certain criteria. So we're thinking of using the AWS API Gateway IP address set as one of the criteria. Is this a viable solution? Thanks.
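An added example, not code from the answer or from AWS, of the Lambda the answer suggests: when the AmazonIpSpaceChanged topic fires, it selects the API_GATEWAY prefixes for ap-southeast-1 and us-west-2 from ip-ranges.json and replaces the contents of a WAFv2 IP set. The sample document, the environment variable names and the helper names are assumptions; the SNS message layout (a JSON body carrying the ip-ranges.json `url`) follows the AWS doc linked in the answer.

```python
import json
import urllib.request

REGIONS = {"ap-southeast-1", "us-west-2"}   # regions from the question
SERVICE = "API_GATEWAY"

# Constructed sample in the shape of ip-ranges.json (RFC 5737 / 3849 addresses, not real AWS ranges).
# Note the AMAZON entry: AMAZON is a superset of the other services, so filter on the service name.
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000", "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-1", "service": "API_GATEWAY", "network_border_group": "ap-southeast-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-west-2", "service": "API_GATEWAY", "network_border_group": "us-west-2"},
    ],
}

def select_prefixes(ip_ranges, service=SERVICE, regions=REGIONS, ipv6=False):
    """Sorted CIDRs for `service` in `regions`. ip-ranges.json keeps IPv4 under
    prefixes/ip_prefix and IPv6 under ipv6_prefixes/ipv6_prefix; a WAF IP set holds
    one address family only, so the caller picks which list it wants."""
    key, field = ("ipv6_prefixes", "ipv6_prefix") if ipv6 else ("prefixes", "ip_prefix")
    return sorted({p[field] for p in ip_ranges.get(key, [])
                   if p["service"] == service and p["region"] in regions})

def plan_update(current, desired):
    """Diff the IP set's current addresses against the desired list (for logging and a no-op check)."""
    cur, want = set(current), set(desired)
    return {"add": sorted(want - cur), "remove": sorted(cur - want), "changed": cur != want}

def lambda_handler(event, context):
    """SNS-triggered entry point. Assumed env vars: IP_SET_NAME, IP_SET_ID, SCOPE (REGIONAL or CLOUDFRONT)."""
    import os
    import boto3  # present in the Lambda runtime; imported here so the helpers above run offline
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    with urllib.request.urlopen(message["url"]) as resp:   # url points at the new ip-ranges.json
        desired = select_prefixes(json.load(resp))
    # CLOUDFRONT-scoped IP sets live in us-east-1; REGIONAL ones in the Web ACL's own region.
    waf = boto3.client("wafv2", region_name=os.environ.get("AWS_REGION", "us-east-1"))
    ref = {"Name": os.environ["IP_SET_NAME"], "Scope": os.environ["SCOPE"], "Id": os.environ["IP_SET_ID"]}
    current = waf.get_ip_set(**ref)
    plan = plan_update(current["IPSet"]["Addresses"], desired)
    if plan["changed"]:
        # update_ip_set replaces the whole address list and needs the LockToken from get_ip_set.
        waf.update_ip_set(Addresses=desired, LockToken=current["LockToken"], **ref)
    return plan
```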
