Description:

API Gateway private endpoints enable use cases for building private API–based services inside your VPCs. You can now keep both the frontend to your API (API Gateway) and the backend service (Lambda, EC2, ECS, etc.) private inside your VPC.


Rationale: 

With private endpoints, a backend running on EC2 can stay private inside your VPC without a publicly accessible IP address or load balancer. API Gateway can also front APIs hosted by backends that exist privately in your own data centers, reached over AWS Direct Connect links to your VPC. Private integrations are implemented via VPC Link and Network Load Balancers, which support backends such as EC2 instances, Auto Scaling groups, and Amazon ECS using the Fargate launch type.

Impact:

With this feature, you can still use API Gateway features, while securely exposing REST APIs only to the other services and resources inside your VPC, or those connected via Direct Connect to your data centers.


Default Value:

By default, an API Gateway REST API is created with a public endpoint type (Edge-optimized or Regional) and no resource policy, so it is not restricted to your VPC.


Pre-requisites:

  • A virtual private cloud (VPC) configured with at least one subnet and DNS resolution enabled.

  • A VPC endpoint with the following configuration:

    • Service name = “com.amazonaws.{region}.execute-api”

    • Enable Private DNS Name = enabled

  • An API Gateway managed API with the following configuration:

    • Endpoint Type = “Private”

    • An API Gateway resource policy that allows access to your API from the VPC endpoint.

Remediation:

Test Plan:

  1. Log in to the AWS Management Console.

  2. Go to API Gateway at https://console.aws.amazon.com/apigateway

  3. Click on APIs in the left navigation pane 

  4. Select the API you want to examine.
  5. In the left panel, click Resource Policy.
  6. Check whether the policy contains a condition on aws:VpcSourceIp (or on aws:SourceVpce / aws:SourceVpc) that names your VPC source IPs or VPC endpoint. If no such condition is present, the API is not restricted to the private VPC.
  7. Also confirm under Settings that the Endpoint Type is Private; a resource policy on its own does not make a public endpoint private.
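The test plan above can be automated. The script below is an added example (not part of this guide or of AWS's tooling) that evaluates the fields `get-rest-api` / boto3 `get_rest_api` return for each API: the endpoint types and the resource policy string. An API passes only if its endpoint type is PRIVATE and its resource policy carries one of the VPC-scoping condition keys (aws:SourceVpce, aws:SourceVpc or aws:VpcSourceIp). The two API descriptions at the bottom are constructed test data; `fetch_apis` is the only part that talks to AWS and is not needed to run the sample.

```python
"""Check whether API Gateway REST APIs are restricted to a VPC.

Added example, not part of the original guide. Evaluates the endpoint type
and resource policy of each REST API description. SAMPLE_APIS is
constructed test data with placeholder IDs.
"""
import json

# Condition keys that tie access to a VPC or VPC endpoint. IAM treats
# condition key names case-insensitively, so compare lower-cased.
VPC_CONDITION_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:vpcsourceip"}


def parse_policy(policy):
    """Return the resource policy as a dict, or None if the API has none.

    The service returns the policy as a string. Some clients deliver it with
    the inner quotes escaped (backslash-quote inside the string), so fall
    back to unescaping when a direct parse fails.
    """
    if not policy:
        return None
    if isinstance(policy, dict):
        return policy
    try:
        return json.loads(policy)
    except json.JSONDecodeError:
        return json.loads(policy.replace('\\"', '"'))


def as_list(value):
    """Policy documents allow a single object where a list is expected."""
    return value if isinstance(value, list) else [value]


def vpc_condition_keys(statement):
    """Lower-cased VPC-scoping condition keys used by one policy statement."""
    found = set()
    for keys in statement.get("Condition", {}).values():
        for key in keys:
            if key.lower() in VPC_CONDITION_KEYS:
                found.add(key.lower())
    return found


def assess(api):
    """Evaluate one API description; an empty findings list means compliant."""
    types = api.get("endpointConfiguration", {}).get("types", [])
    findings = []
    if "PRIVATE" not in types:
        findings.append(f"endpoint type is {types or 'unset'}, not PRIVATE")
    policy = parse_policy(api.get("policy"))
    if policy is None:
        findings.append("no resource policy attached")
    elif not any(vpc_condition_keys(s) for s in as_list(policy.get("Statement", []))):
        findings.append("resource policy has no aws:SourceVpce/aws:SourceVpc/aws:VpcSourceIp condition")
    return {"id": api.get("id"), "name": api.get("name"),
            "restricted": not findings, "findings": findings}


def report(apis):
    """Assess a list of API descriptions (e.g. the items from get_rest_apis)."""
    return [assess(api) for api in apis]


def fetch_apis(client):
    """Pull every REST API in the region via a boto3 apigateway client (needs credentials)."""
    return [api for page in client.get_paginator("get_rest_apis").paginate()
            for api in page.get("items", [])]


# Constructed sample data: one public API and one correctly restricted private API.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"NotIpAddress": {"aws:VpcSourceIp": ["10.0.0.0/16"]}}},
    ],
}
SAMPLE_APIS = [
    {"id": "a1b2c3d4e5", "name": "orders-public",
     "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "f6g7h8i9j0", "name": "orders-private",
     "endpointConfiguration": {"types": ["PRIVATE"]},
     # stored in the escaped-quote form the service can hand back
     "policy": json.dumps(RESTRICTED_POLICY).replace('"', '\\"')},
]

if __name__ == "__main__":
    for result in report(SAMPLE_APIS):
        status = "OK  " if result["restricted"] else "FAIL"
        detail = "; ".join(result["findings"]) or "restricted to VPC"
        print(f"{status} {result['name']} ({result['id']}): {detail}")
```

Against a real account, replace `SAMPLE_APIS` with `fetch_apis(boto3.client("apigateway"))`. The check is deliberately conservative: it flags the absence of any VPC-scoping condition, which is what the manual step looks for; it does not evaluate the full Allow/Deny logic of the policy.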



Implementation:


  1. Log in to the AWS Management Console.

  2. Navigate to the VPC console at https://console.aws.amazon.com/vpc (interface VPC endpoints are created from the VPC console, not from API Gateway).

  3. Make sure that you are in the same Region as the VPC and the API you are securing.

  4. In the left navigation pane, choose Endpoints, Create Endpoint.

  5. For the Service category, keep it set to “AWS Services”.

  6. For Service Name, set it to “com.amazonaws.{region}.execute-api”.

  7. For VPC, select the one created earlier.

  8. For Subnets, select the private subnets of this VPC, one in each Availability Zone. In the example VPC they are labeled “privateSubnet01” and “privateSubnet02”.

  9. For Enable Private DNS Name, keep it checked as Enabled for this endpoint. 

  10.  For Security Group, select the group named “EndpointSG”. It allows inbound HTTPS (TCP 443) to the endpoint from the entire VPC IP address range; keep it scoped to the VPC CIDR rather than 0.0.0.0/0.

  11.  Choose Create Endpoint.


Whitelisting VPC IPs in the API Resource policy:

  1. Log in to the AWS Management Console.

  2. Go to API Gateway at https://console.aws.amazon.com/apigateway.

  3. Click on APIs in the left navigation pane

  4. Select the REST API you want to examine.
  5. Click on the Resource Policy under the API you opened.

  6. In the Resource Policy, add a Deny statement for execute-api:Invoke that carries the following condition (the condition key is aws:VpcSourceIp):

"Condition": { "NotIpAddress": { "aws:VpcSourceIp": ["VPCsourceIpOrCIDRBlock", "VPCsourceIpOrCIDRBlock"] }}

  7. For the aws:VpcSourceIp value, enter the private IP address (or CIDR block) of the HTTP client in the VPC that invokes your private API endpoint through the interface VPC endpoint. NotIpAddress only makes sense in a Deny statement: it matches every caller whose VPC-side source address is not in the list, so pair it with an Allow statement for execute-api:Invoke from your VPC endpoint.

  8. Deploy the API to its stage after saving the policy; a resource policy change does not take effect on a deployed stage until you redeploy.
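The endpoint-creation steps and the whitelisting steps above, carried out with boto3, as an added example that is not part of this guide or of AWS's own code. `build_private_api_policy` emits the two-statement pattern described above: an Allow for invocations arriving through the interface VPC endpoint (aws:SourceVpce) and a Deny for any caller whose VPC-side address is outside the listed IPs/CIDRs (NotIpAddress on aws:VpcSourceIp), validating every address first so a typo cannot silently widen or close access. The `create_execute_api_endpoint` and `apply_private_endpoint` functions need credentials and are not exercised by the sample run; account, Region, API, VPC, subnet, security-group and endpoint identifiers are placeholders.

```python
"""Create the execute-api interface endpoint and restrict a REST API to the VPC.

Added example, not part of the original guide. All identifiers are
placeholders; the pure policy builder runs offline, the apply functions
need a boto3 client with credentials.
"""
import ipaddress
import json


def execute_api_service_name(region):
    """Service name of the API Gateway interface endpoint for a Region."""
    return f"com.amazonaws.{region}.execute-api"


def build_private_api_policy(region, account_id, api_id, vpce_id, allowed_sources, stage="*"):
    """Resource policy allowing invocations only via vpce_id and only from allowed_sources."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/*/*"
    # Validate up front: ip_network raises ValueError on anything that is not an
    # IP or CIDR, and a bare address is normalised to a /32 (or /128).
    sources = [str(ipaddress.ip_network(s, strict=False)) for s in allowed_sources]
    if not sources:
        raise ValueError("allowed_sources must list at least one IP or CIDR")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow", "Principal": "*",
                "Action": "execute-api:Invoke", "Resource": api_arn,
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                # NotIpAddress only makes sense in a Deny: it matches every
                # request whose VPC source address is outside the list.
                "Effect": "Deny", "Principal": "*",
                "Action": "execute-api:Invoke", "Resource": api_arn,
                "Condition": {"NotIpAddress": {"aws:VpcSourceIp": sources}},
            },
        ],
    }


def create_execute_api_endpoint(ec2, region, vpc_id, subnet_ids, security_group_ids):
    """Steps 4-11 above via a boto3 ec2 client; returns the new endpoint ID."""
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=vpc_id,
        ServiceName=execute_api_service_name(region),
        SubnetIds=list(subnet_ids),
        SecurityGroupIds=list(security_group_ids),
        PrivateDnsEnabled=True,  # "Enable Private DNS Name"
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


def apply_private_endpoint(apigw, api_id, current_type, policy, stage_name):
    """Switch the API to PRIVATE, attach the policy, then redeploy the stage.

    apigw is a boto3 apigateway client; current_type is the existing endpoint
    type (REGIONAL or EDGE). The deployment is required because neither the
    endpoint type nor the resource policy is live on a stage until redeployed.
    """
    apigw.update_rest_api(restApiId=api_id, patchOperations=[
        {"op": "replace", "path": f"/endpointConfiguration/types/{current_type}",
         "value": "PRIVATE"},
    ])
    apigw.update_rest_api(restApiId=api_id, patchOperations=[
        {"op": "replace", "path": "/policy", "value": json.dumps(policy)},
    ])
    apigw.create_deployment(restApiId=api_id, stageName=stage_name,
                            description="restrict API to VPC endpoint")


if __name__ == "__main__":
    # Offline demonstration: build and print the policy for placeholder IDs.
    policy = build_private_api_policy("us-east-1", "123456789012", "a1b2c3d4e5",
                                      "vpce-0123456789abcdef0",
                                      ["10.0.1.25", "10.0.2.0/24"])
    print(json.dumps(policy, indent=2))
```

To apply it for real: `vpce_id = create_execute_api_endpoint(boto3.client("ec2"), region, vpc_id, subnet_ids, [sg_id])`, build the policy with that `vpce_id`, then `apply_private_endpoint(boto3.client("apigateway"), api_id, "REGIONAL", policy, "prod")`. Build and review the policy before applying it; once the API is private, a wrong endpoint ID or address list locks out every caller.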



Backout Plan:

  1. Log in to the AWS Management Console.

  2. Go to API Gateway at https://console.aws.amazon.com/apigateway.

  3. Click on APIs in the left navigation pane.

  4. Select the REST API you want to examine.

  5. Click on the Resource Policy under the API you opened.

  6. In the Resource Policy, remove the aws:VpcSourceIp clause (or the whole Deny statement that carries it) and redeploy the API so the change takes effect.

References:

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-access/

https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/
