Secure your private API access with NetFoundry-- AWS API Gateway example

Private APIs provide a secure method to invoke APIs via an VPC endpoint. API Gateway private integration makes it easier to expose your HTTP/HTTPS resources. Applications can integrate with private APIs, so the APIs can send requests to a Network Load Balancer (NLB), or through Application Load Balancer (ALB) or AWS Cloud Map for HTTP APIs. Private Integration forwards external traffic sent to APIs to private resources, without exposing the APIs to the internet.

 

 

This tutorial will use  the NetFoundry Platform to create network fabric to access a private example API in AWS.

Assumptions:

1. AWS Account

2. AWS CLI installed on your system and connected to your AWS Account.

2. NetFoundry Teams Account

Pre-requisites :

1. The edge routers and endpoints need to reach the NetFoundry controller and NF-hosted edge routers for registration and operations. Please make sure to have the required ports, IPs, and URLs reachable if you have firewall ACL policies.

2. NetFoundry traffic should be bypassed from proxy or any deep packet inspection in between since it involves mTLS and E2E encryption. 

The guide has the details. 

https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements

________________________________________________________________________________________________________________

 

Step 1. Build the Network using our Getting started Guide.

https://support.netfoundry.io/hc/en-us/articles/4418243181453-Sign-up-for-NetFoundry-console-access-and-create-your-Zero-Trust-Network

 

Step 2. Create endpoint identity in NetFoundry. (remote user identity)

To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus-sign in the upper right-hand corner to create a new Endpoint.

Download the resulting "endpoint_name.jwt". Follow directions for desired OS below:

Windows

Mac

Linux

 

Step 3. Create NetFoundry Edge Router and deploy NetFoundry Edge Router resource in AWS.

Follow the steps outlined here (with video)

https://support.netfoundry.io/hc/en-us/articles/360016342971-Deployment-Guide-for-AWS-Edge-Routers

 

Step 4. Deploy Private endpoint into VPC.

From the VPC menu, select Endpoints from the menu and select Create Endpoint. Select Name, AWS Service and choose the api service:  com.amazonaws.us-west-1.execute-api

 

private_link.jpg

 

Then select desired VPC, subnets, security group (if any) and finally Full Access for this example.

Depending on your VPC DNS settings, you may have disable DNS name from the VPC Additional Setting dialogue box.

pl4.jpg

 

 

private_link2.jpg

pl3.jpg

 

Record your VPC Endpoint ID:  vpce-0c09e538f94bbab3c (sample)

 

 

Step 5. Create API and associated URI for testing.

From the API Gateway Menu, select  create.jpg

Then Select Rest API Private and hit build

 

Choose Example API 

Select private API endpoint type, select the VPC endpoint created in step 4, select an appropriate option for warnings and create your API.

Once your API is built, you will need to apply a Resource Policy, here is a sample open policy for your testing. Select Resource Policy on the left, create a policy and paste the following into the code box then hit save.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "*"
}
]
}

Now lets deploy your API from the API menu

 

Step 6. Create CloudZiti service and service policy

 

You must form your Private Endpoint API URI by inserting the VPCE ID between the API ID and the rest of your URL.

 

form_uri.jpg

 

Example: https://niu8wv75oi-vpce-0a10aa20b2d3dd637.execute-api.ap-southeast-1.amazonaws.com/prod/pets

 

From the CloudZiti console select the services dialogue box and hit Add.

 

 

Insert your base URL into the Intercept Host Name field with port 443

Select Endpoint Hosted and select the router you installed in your VPC in Step 3 above.  Enter the URL and port into the Host Configuration box and hit create. 

 

your_api_id-vpce-your_VPCE_ID.execute-api.your-region.amazonaws.com

 

 

Select Service Policy from the Network Dashboard and hit the Blue + in the upper right corner.

From the Services Attribute box , click and select the service from the step above.

From the Endpoint Attribute box, click and select the endpoint created in Step 2 above.

Hit Create.

 

Step 5. Connect to API with NetFoundry's CloudZiti platform.

 

From your Browser on your device running CloudZiti endpoint 

 

test.jpg

 

From CLI (example, set your URL specifics)

 

curl -X GET "https://fwbr4gyzb1-vpce-07ffdf4bd13f06bd8.execute-api.us-west-2.amazonaws.com/demo" -H "accept: application/json"

 

 

 

 

 

Was this article helpful?
1 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.