Allow access to EC2 instance only from server component of Amplify app.


I have a web app that consists of two major parts. The front end is an Amplify app. The back end API is running on an EC2 instance. The Amplify app is communicating with the EC2 instance through a server component, so the request is coming from the Amplify server (not from the browser that the user is accessing the Amplify app with).

I have managed to set up the connection between the front end and the back end.

How can I, on a network/firewall level, allow access to the EC2 instance only from the specific Amplify servers that are hosting my app? I don't want just anyone to access my back end API.

I saw a similar question here https://repost.aws/questions/QUJFmBNzxlSTaO19EUnH-W3g/restricting-access-to-an-ec2-web-app-to-only-amplify-app-access but that is regarding connection from the browser.

I know I can use a password or a token to restrict the API, but I don't want it to be reachable at all, except for the Amplify App.

TS
asked 3 months ago · 322 views
1 Answer

Hello.

Amplify hosts its applications on CloudFront and S3, so I think it's difficult to narrow it down to a specific IP address.
So, although I have not tried it, it may be possible to allow only Amplify by restricting the connection source host on the Apache side using something like "Require host".

[edit]
Since there is a managed prefix list for S3, it may be possible to use this to restrict it with security groups.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html

Please check the following document for settings to allow prefix lists in security groups.
https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists-referencing.html#prefix-list-vpc-security-group

EXPERT · answered 3 months ago
  • Thank you Riku for your answer.

    I tried using only the managed prefix lists for CloudFront (com.amazonaws.global.cloudfront.origin-facing) and S3 (com.amazonaws.eu-north-1.s3) as the inbound rules for the Security Group for the Load Balancer for the EC2 Instance, but it doesn't work. It won't let traffic through from the Amplify app.

    I did set up a Load Balancer and Web ACL when I found the previous answer I linked in my original question. Through the Web ACL logging, I can see the IP addresses that are used by the Amplify App. If I put a CIDR group containing those IPs in the inbound rules for the Security Group, the requests are allowed through. I suspect those IP ranges might change though. Is there a way to use something like the ARN of my Amplify App to identify where the requests are coming from?

    If I temporarily allow all incoming traffic to the Load Balancer, I can compare the logs in the Web ACL for different requests. If I compare the requests that are coming from Amplify and a request I manually make from my browser, the only differences I can see are httpRequest.clientIp, httpRequest.headers and httpRequest.requestId. No trace of the ARN in those logs. Is there another way to limit the traffic?

  • Is there a way to use something like the ARN of my Amplify App to identify where the requests are coming from?

    As far as I know, there is no function to identify the sender's IP address etc. from ARN.
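As an added illustration of the security-group approach discussed in the answer and the comments (this is example code, not from the thread or from AWS): the first function builds the IpPermissions payload that `authorize-security-group-ingress` accepts when the source is a managed prefix list instead of a CIDR, and the second audits a `describe-security-groups` result for the kind of "temporarily allow everything" rule the commenter mentions, so it is not left behind after testing. The port, prefix-list IDs and group description are constructed placeholders.

```python
"""Added example (not from the re:Post thread): build the security-group
ingress rule the answer describes, restricting the API port to AWS-managed
prefix lists, and audit an existing group's rules so that no rule leaves the
port open to the world. Prefix-list IDs and the group are constructed."""
import json

API_PORT = 443  # assumed: the port the back-end API (or its load balancer) listens on

def ingress_for_prefix_lists(prefix_list_ids, port=API_PORT):
    """IpPermissions payload for `aws ec2 authorize-security-group-ingress
    --ip-permissions` (or boto3 authorize_security_group_ingress): one TCP rule
    whose sources are prefix lists rather than CIDR ranges."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [{"PrefixListId": pl, "Description": "AWS-managed prefix list"}
                          for pl in prefix_list_ids],
    }]

def world_open_rules(security_group, port=API_PORT):
    """Return the ingress permissions that expose `port` to any source
    (0.0.0.0/0 or ::/0), as they appear in a describe-security-groups response."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" (all traffic) rules carry no port range, so treat them as 0-65535
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto not in ("tcp", "-1") or not (lo <= port <= hi):
            continue
        open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if open_v4 or open_v6:
            findings.append(perm)
    return findings

# Constructed sample: a group that has the prefix-list rule AND a leftover
# "allow all" rule from testing, which the audit should flag.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder, not a real group
    "IpPermissions": ingress_for_prefix_lists(["pl-aaaa1111", "pl-bbbb2222"]) + [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary test"}],
        "Ipv6Ranges": [], "PrefixListIds": [],
    }],
}

if __name__ == "__main__":
    print(json.dumps(ingress_for_prefix_lists(["pl-aaaa1111"]), indent=2))
    for perm in world_open_rules(SAMPLE_GROUP):
        print("open to the world:", perm["IpRanges"], perm["Ipv6Ranges"])
```

Feed `world_open_rules` the `SecurityGroups[]` entries from a real `aws ec2 describe-security-groups` call to check the load balancer's group after a test window has closed.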
