Secure your private API access with NetFoundry-- AWS API Gateway example

Private APIs provide a secure method to invoke APIs via an VPC endpoint. API Gateway private integration makes it easier to expose your HTTP/HTTPS resources. Applications can integrate with private APIs, so the APIs can send requests to a Network Load Balancer (NLB), or through Application Load Balancer (ALB) or AWS Cloud Map for HTTP APIs. Private Integration forwards external traffic sent to APIs to private resources, without exposing the APIs to the internet.

 

 

This tutorial will use  the NetFoundry Platform to create network fabric to access a private example API in AWS.

Assumptions:

1. AWS Account

2. AWS CLI installed on your system and connected to your AWS Account.

2. NetFoundry Teams Account

Pre-requisites :

1. The edge routers and endpoints need to reach the NetFoundry controller and NF-hosted edge routers for registration and operations. Please make sure to have the required ports, IPs, and URLs reachable if you have firewall ACL policies.

2. NetFoundry traffic should be bypassed from proxy or any deep packet inspection in between since it involves mTLS and E2E encryption. 

The guide has the details. 

https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements

________________________________________________________________________________________________________________

 

Step 1. Build the Network using our Getting started Guide.

https://support.netfoundry.io/hc/en-us/articles/4418243181453-Sign-up-for-NetFoundry-console-access-and-create-your-Zero-Trust-Network

 

Step 2. Create endpoint identity in NetFoundry. (remote user identity)

To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus-sign in the upper right-hand corner to create a new Endpoint.

Download the resulting "endpoint_name.jwt". Follow directions for desired OS below:

Windows

Mac

Linux

 

Step 3. Create NetFoundry Edge Router and deploy NetFoundry Edge Router resource in AWS.

Follow the steps outlined here (with video)

https://support.netfoundry.io/hc/en-us/articles/360016342971-Deployment-Guide-for-AWS-Edge-Routers

 

Step 4. Deploy Private endpoint into VPC.

From the VPC menu, select Endpoints from the menu and select Create Endpoint. Select Name, AWS Service and choose the api service:  com.amazonaws.us-west-1.execute-api

 

private_link.jpg

 

Then select desired VPC, subnets, security group (if any) and finally Full Access for this example.

Depending on your VPC DNS settings, you may have disable DNS name from the VPC Additional Setting dialogue box.

pl4.jpg

 

 

private_link2.jpg

pl3.jpg

 

Record your VPC Endpoint ID:  vpce-0c09e538f94bbab3c (sample)

 

 

Step 5. Create API and associated URI for testing.

From the API Gateway Menu, select  create.jpg

Then Select Rest API and hit build

build.jpg

 

Choose Rest and Example API and Private and Import

 

example2.jpg

Once your API is built, you will need to apply a Resource Policy, here is a sample open policy for your testing. Select Resource Policy on the left and paste the following into the code box then hit save.

 

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "*"
}
]
}

 

Now lets deploy your API from the API menu

 

deploy.jpg

 

Record this URL, it will be joined with you Private Link to be accessed privately over the NetFoundry network.

 

api-url.jpg

 

You must connect the API Gateway to the VPCE resource with the following command:

 

aws apigateway update-rest-api \
--rest-api-id 'your api id' \
--patch-operations "op='add',path='/endpointConfiguration/vpcEndpointIds',value='vpce-your vpce id'" \
--region your-region

 

NOTE: Deploy API once again.

 

 

Step 6. Create NetFoundry service and AppWAN

 

You must form your Private Endpoint API URI by inserting the VPCE ID between the API ID and the rest of your URL.

 

form_uri.jpg

 

 

From the NetFoundry console select the services dialogue box and hit Add.

 

addservice.jpg

 

Insert your base URL into the Intercept Host Name field with port 443

Select Endpoint Hosted and select the router you installed in your VPC in Step 3 above.  Enter the URL and port into the Host Configuration box and hit create. 

 

your_api_id-vpce-your_VPCE_ID.execute-api.your-region.amazonaws.com

 

 

 

api_service.jpg

 

Select AppWAN from the Network Dashboard and hit the Blue + in the upper right corner.

From the Services Attribute box , click and select the service from the step above.

From the Endpoint Attribute box, click and select the endpoint created in Step 2 above.

Hit Create.

 

 

Step 5. Connect to API with NetFoundry platform.

 

From your Browser

 

test.jpg

 

From CLI (example, set your URL specifics)

 

curl -X GET "https://fwbr4gyzb1-vpce-07ffdf4bd13f06bd8.execute-api.us-west-2.amazonaws.com/demo" -H "accept: application/json"

 

 

 

 

 

Was this article helpful?
1 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.