Secure your private API access with NetFoundry: AWS API Gateway example

A private REST API can only be invoked from inside a VPC, through an interface VPC endpoint for the execute-api service, and is never reachable from the public internet. This is different from API Gateway private integration, which lets an API forward requests to private backend resources (a Network Load Balancer, an Application Load Balancer, or AWS Cloud Map targets for HTTP APIs) without exposing those backends. This article uses a private API, not a private integration.

This article explains how to use the NetFoundry Platform to build a zero trust overlay that lets a remote user reach a private test API in AWS without exposing the API, the VPC endpoint or the VPC to the internet.

Assumptions:

1. An AWS account.

2. The AWS CLI installed on your system and configured with credentials for that account.

3. A NetFoundry account.

Prerequisites:

1. The edge routers and endpoints must be able to reach the NetFoundry controller and the NetFoundry hosted edge routers for registration and operation. If you have firewall ACL policies, make sure the required ports, IPs and URLs are reachable.

2. NetFoundry traffic must be exempted from any deep packet inspection or TLS interception on the path, because the solution relies on mTLS and end-to-end encryption; a middlebox that re-signs TLS breaks the mTLS handshake and the overlay will not come up.

The firewall requirements guide has the details:

https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements

________________________________________________________________________________________________________________

Step 1. Create your NetFoundry account

If you already have a NetFoundry Cloud account, proceed to Step 2. Otherwise, create an account first.

Step 2. Create an endpoint identity in NetFoundry (the remote user identity).

To create your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus sign in the upper right-hand corner to create a new Endpoint.

Download the resulting "endpoint_name.jwt". This is a one-time enrollment token: it is consumed when the endpoint software registers, so treat it as a credential until then and do not share or reuse it. Follow the directions for your OS below:

Windows

Mac

Linux

Step 3. Create the edge routers: a NetFoundry hosted edge router and a customer hosted edge router in AWS.

This step assumes an existing VPC with DNS resolution and DNS hostnames enabled; if you don't have one, create a new VPC. You can deploy the NetFoundry edge router (ER) and the API in the same VPC or in different VPCs connected by VPC peering or a transit gateway. The key requirement is that the ER, the VPC endpoint and the API Gateway can reach each other inside AWS. This article deploys the ER, the API and the VPC endpoint in the same VPC.

Follow the steps outlined here for creating your customer hosted edge router in AWS (with video):

https://support.netfoundry.io/hc/en-us/articles/360016342971-Deployment-Guide-for-AWS-Edge-Routers

Follow the steps outlined in the NetFoundry Hosted Edge Router section to create the NetFoundry hosted router.

Make sure to create an edge router policy that associates the endpoint identity from Step 2 with the NetFoundry hosted (public) routers; without it the endpoint has no router to connect through.

Step 4. Deploy a private endpoint into the VPC.

From the VPC console, select Endpoints and then Create Endpoint. Give it a name, choose AWS services, and pick the execute-api service for the region you are deploying in, for example com.amazonaws.ap-southeast-1.execute-api. The endpoint type is Interface.

Then select the VPC from Step 3, the subnets, and a security group that allows inbound TCP 443 from the customer edge router, and finally the Full Access endpoint policy for this example (for production, restrict the endpoint policy to the specific API). If you enable Private DNS names on this endpoint, the standard execute-api hostnames resolve to it from inside the VPC, which also stops that VPC from reaching public API Gateway endpoints; the VPCE-specific hostname used in Step 6 works with or without it.

Record your VPC Endpoint ID, for example vpce-0a10aa20b2d3dd637 (sample value).

 

Step 5. Create the API and a URI for testing.

From the API Gateway console, select Create API.

Select REST API Private and click Build.

Choose Example API.

Select the Private API endpoint type, select the VPC endpoint created in Step 4, choose an appropriate option for the warnings and create your API.

Once the API is built you must attach a Resource Policy; a private REST API cannot be invoked until it has one. Here is a sample open policy for testing. Select Resource Policy on the left, create a policy, paste the following into the code box and save.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "*"
    }
  ]
}

This sample lets any principal invoke any method of the API and relies entirely on the private endpoint type and the VPC endpoint for access control. For anything beyond a test, add a Condition on aws:SourceVpce with the endpoint ID from Step 4 so that only calls arriving through that endpoint are allowed.

Now deploy your API from the API menu (Deploy API), to a stage named prod for the examples below.
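The same two steps done with the AWS CLI instead of the console, as an added example that is not part of the original article or the AWS console flow it describes. It creates the execute-api interface endpoint, a private REST API with one GET /pets method answered by a MOCK integration (standing in for the console's Example API), attaches a resource policy scoped to that endpoint with aws:SourceVpce instead of the open sample above, and deploys it to the prod stage. The environment variables VPC_ID, SUBNET_IDS, SG_ID, REGION and API_NAME are assumed inputs; the script runs nothing against AWS until the first three are set.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry article or the AWS console flow it describes:
# performs Steps 4 and 5 with the AWS CLI (assumption 2 above) instead of the console, and
# replaces the wide-open sample resource policy with one scoped to the interface endpoint.
# Hypothetical inputs (set them in the environment; nothing below runs until they are set):
#   VPC_ID, SUBNET_IDS (space separated), SG_ID  - the VPC that hosts the customer edge router
#   REGION (default ap-southeast-1, the article's sample region), API_NAME (default private-pets-demo)
# The caller needs IAM permissions for ec2 vpc-endpoint calls and the apigateway calls used here.

REGION="${REGION:-ap-southeast-1}"
API_NAME="${API_NAME:-private-pets-demo}"

# Resource policy that admits calls only when they arrive through the endpoint given as $1.
# The explicit Deny with aws:SourceVpce is what the article's "Principal: *" sample lacks:
# a request that reaches execute-api through any other VPC endpoint is refused with 403.
vpce_resource_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": { "StringNotEquals": { "aws:SourceVpce": "$1" } }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    }
  ]
}
EOF
}

# One-line, quote-escaped form of the policy, as the apigateway "policy" property expects it.
vpce_resource_policy_escaped() {
  vpce_resource_policy "$1" | tr -d '\n' | sed 's/"/\\"/g'
}

# Step 4: interface endpoint for execute-api in the edge router's VPC. Private DNS is left off on
# purpose: the VPCE-specific hostname used in Step 6 resolves without it, and enabling it would
# stop this VPC from reaching public API Gateway endpoints.
create_execute_api_endpoint() {
  vpce_id=$(aws ec2 create-vpc-endpoint --region "$REGION" \
      --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
      --service-name "com.amazonaws.${REGION}.execute-api" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$SG_ID" \
      --query 'VpcEndpoint.VpcEndpointId' --output text) || return 1
  # The endpoint is created in state "pending"; wait until it is usable.
  while [ "$(aws ec2 describe-vpc-endpoints --region "$REGION" --vpc-endpoint-ids "$vpce_id" \
              --query 'VpcEndpoints[0].State' --output text)" != "available" ]; do
    sleep 10
  done
  echo "$vpce_id"
}

# Step 5: private REST API with GET /pets answered by a MOCK integration (standing in for the
# console's "Example API"), bound to the endpoint, given the scoped policy, deployed to "prod".
create_private_api() {
  vpce_id="$1"
  api_id=$(aws apigateway create-rest-api --region "$REGION" --name "$API_NAME" \
      --endpoint-configuration "{\"types\":[\"PRIVATE\"],\"vpcEndpointIds\":[\"${vpce_id}\"]}" \
      --query 'id' --output text) || return 1
  root_id=$(aws apigateway get-resources --region "$REGION" --rest-api-id "$api_id" \
      --query 'items[?path==`/`].id' --output text)
  pets_id=$(aws apigateway create-resource --region "$REGION" --rest-api-id "$api_id" \
      --parent-id "$root_id" --path-part pets --query 'id' --output text)
  aws apigateway put-method --region "$REGION" --rest-api-id "$api_id" --resource-id "$pets_id" \
      --http-method GET --authorization-type NONE >/dev/null
  aws apigateway put-integration --region "$REGION" --rest-api-id "$api_id" --resource-id "$pets_id" \
      --http-method GET --type MOCK --request-templates '{"application/json":"{\"statusCode\": 200}"}' >/dev/null
  aws apigateway put-method-response --region "$REGION" --rest-api-id "$api_id" --resource-id "$pets_id" \
      --http-method GET --status-code 200 >/dev/null
  aws apigateway put-integration-response --region "$REGION" --rest-api-id "$api_id" --resource-id "$pets_id" \
      --http-method GET --status-code 200 \
      --response-templates '{"application/json":"[{\"id\":1,\"type\":\"dog\",\"price\":249.99}]"}' >/dev/null
  patch_file=$(mktemp)
  printf '[{"op":"replace","path":"/policy","value":"%s"}]\n' "$(vpce_resource_policy_escaped "$vpce_id")" > "$patch_file"
  aws apigateway update-rest-api --region "$REGION" --rest-api-id "$api_id" \
      --patch-operations "file://$patch_file" >/dev/null
  rm -f "$patch_file"
  aws apigateway create-deployment --region "$REGION" --rest-api-id "$api_id" --stage-name prod >/dev/null
  echo "$api_id"
}

# Entry point: only runs when the hypothetical VPC inputs are provided.
if [ -n "$VPC_ID" ] && [ -n "$SUBNET_IDS" ] && [ -n "$SG_ID" ]; then
  VPCE_ID=$(create_execute_api_endpoint) && API_ID=$(create_private_api "$VPCE_ID") &&
    echo "Step 6 hostname: ${API_ID}-${VPCE_ID}.execute-api.${REGION}.amazonaws.com"
fi
```

Run it as `VPC_ID=vpc-... SUBNET_IDS="subnet-... subnet-..." SG_ID=sg-... sh private-api.sh`; the last line it prints is the hostname you enter into the CloudZiti service in Step 6. The Deny statement is evaluated before the Allow, so a caller that somehow reaches execute-api through a different endpoint in another VPC gets a 403 even though the Allow is still wide open on principals.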

 

Step 6. Create the CloudZiti service and service policy.

Form the hostname of your private API by inserting the VPC endpoint ID between the API ID and the rest of the execute-api hostname:

your_api_id-vpce-your_VPCE_ID.execute-api.your-region.amazonaws.com

Example URL: https://niu8wv75oi-vpce-0a10aa20b2d3dd637.execute-api.ap-southeast-1.amazonaws.com/prod/pets

From the CloudZiti console select Services and click Add.

Enter the hostname above (without https:// or the path) in the Intercept Host Name field, with port 443.

Select Endpoint Hosted, choose the customer edge router you installed in your VPC in Step 3, enter the same hostname and port 443 in the Host Configuration box, and click Create. The router resolves this hostname inside the VPC, where it points at the private addresses of the VPC endpoint; TLS runs end to end between the client and API Gateway through the overlay, so no certificate needs to be installed on the router.

Select Service Policy from the Network Dashboard and click the blue + in the upper right corner.

From the Services Attribute box, click and select the service from the step above.

From the Endpoint Attribute box, click and select the endpoint created in Step 2 above.

Click Create.

Step 7. Connect to the API through NetFoundry's CloudZiti platform.

From a browser on the device running the CloudZiti endpoint, open the URL from Step 6; the Example API returns the pets list.

From the CLI (substitute your own URL specifics):

curl -X GET "https://niu8wv75oi-vpce-0a10aa20b2d3dd637.execute-api.ap-southeast-1.amazonaws.com/prod/pets" -H "accept: application/json"

The same request from a device that is not enrolled in the overlay fails to connect: the hostname resolves only to private VPC addresses, and the API itself rejects anything that does not arrive through the VPC endpoint.
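A helper for Steps 6 and 7, as an added example that is not part of the original article: it composes the private API URL from the API ID, VPC endpoint ID, region, stage and path (validating the two IDs first, since a typo there produces a hostname that exists nowhere and looks exactly like a broken overlay), runs the curl check, and turns the HTTP status into a diagnosis that separates "the overlay did not intercept the hostname" (status 000) from "the request reached API Gateway but was refused" (403). The IDs in the usage comment are the article's sample values and are assumed; the functions and their names are this example's, not CloudZiti's or AWS's.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry article: builds the private API URL from Step 6 and
# turns the result of the Step 7 curl check into a diagnosis. The IDs in the usage line are the
# article's sample values and are assumed, not real; curl is needed only by check_private_api.

# Compose https://<api-id>-<vpce-id>.execute-api.<region>.amazonaws.com/<stage>/<path>.
# Both IDs are validated first: a typo produces a hostname that exists nowhere, which from
# the client looks exactly like a broken overlay (curl status 000).
private_api_url() {
  api_id="$1" vpce_id="$2" region="$3" stage="$4" path="$5"
  case "$api_id" in
    ""|*[!a-z0-9]*) echo "bad API id: '$api_id'" >&2; return 1 ;;
  esac
  case "$vpce_id" in
    vpce-[0-9a-f]*) ;;
    *) echo "bad VPC endpoint id: '$vpce_id'" >&2; return 1 ;;
  esac
  printf 'https://%s-%s.execute-api.%s.amazonaws.com/%s/%s\n' \
    "$api_id" "$vpce_id" "$region" "$stage" "${path#/}"
}

# What each HTTP status from curl means for this particular setup.
explain_status() {
  case "$1" in
    000) echo "unreachable: the hostname was not intercepted or resolved; off the overlay this is expected, on it check the service (Step 6), the edge router policy (Step 3) and the service policy (Step 6)" ;;
    403) echo "forbidden: execute-api was reached but refused the call; check the VPCE id in the hostname, the API's endpoint type and its resource policy" ;;
    404) echo "not found: the API answered; check the stage name and resource path" ;;
    200) echo "ok: private API answered through the overlay" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Run the Step 7 check and print the diagnosis; succeeds only on HTTP 200.
check_private_api() {
  url=$(private_api_url "$@") || return 1
  # curl prints 000 and exits non-zero when it cannot connect; keep the 000 and ignore the exit code.
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
             -H 'accept: application/json' "$url" 2>/dev/null || true)
  [ -n "$status" ] || status=000
  echo "$url -> $status ($(explain_status "$status"))"
  [ "$status" = 200 ]
}

# Usage with the article's sample IDs, from the device running the CloudZiti endpoint:
#   check_private_api niu8wv75oi vpce-0a10aa20b2d3dd637 ap-southeast-1 prod pets
```

Run `check_private_api` once from the enrolled device and once from a device outside the overlay: the first should report 200, the second 000. A 403 on the enrolled device means the overlay is working and the problem is on the AWS side (wrong VPCE ID in the hostname, the API not created as Private, or a resource policy that does not admit the endpoint).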

