  • saeideid

AWS PrivateLink with API Gateway and Lambda Functions

Updated: Sep 28, 2020

Security is an essential element of any application, especially at the RESTful API layer. Thousands of calls are made daily to share information via REST APIs, which makes security a top concern for organizations at every stage: designing, testing and deploying the APIs. We live in an era where private information is more exposed than ever, so it is very important to protect your APIs from threats and vulnerabilities that keep increasing daily.


In addition to the general guidelines for building a secure API, an important step is to make your API private. Attackers cannot target an API they cannot reach. Exposing your APIs to the public adds a range of security and management challenges that you can avoid.


Amazon has introduced AWS PrivateLink so you can restrict all your API traffic to stay within your Amazon Virtual Private Cloud (VPC), which can be isolated from the public internet. You can now create a private API in Amazon API Gateway that can only be accessed from within your VPC. This eliminates the exposure of data to the public internet by providing private connectivity between VPCs, AWS services, and on-premises applications over the Amazon network.


How can I make my API private?


In this blog, we’ll assume that you already have an API created in API Gateway with an endpoint of type Edge Optimized or Regional (publicly available) and a VPC in place. It can be your default VPC.


First Step – Create an Interface VPC Endpoint for API Gateway

To create an endpoint from the console, follow these steps:

  1. In the VPC console page, choose Endpoints then Create Endpoint.

  2. For Service Category, select AWS services.

  3. For Service Name, choose the API Gateway service endpoint for your region, with Type set to Interface. In this case, it will be com.amazonaws.{{region}}.execute-api.

  4. Fill in the rest of the information (choose the VPC, Subnets and Security Groups, and enable Private DNS), then choose Create Endpoint.

Second Step – Make your API private

Open the API Gateway console page to see the list of your deployed APIs. In this example, my API is called customer. Its endpoint is of type Edge Optimized so it’s publicly available:

To change the type of the Endpoint Configuration, press on the small gear on the upper-right corner and select Private in the endpoint type list:

Final Step – Define a Resource Policy for your private API

  1. Choose your API

  2. Select Resource Policy from the left navigation panel

  3. Select “Source VPC Whitelist”

  4. Substitute {{vpceID}} with the ID of the VPC endpoint created in the first step

  5. Press Save
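For reference, this is the shape of the resource policy the "Source VPC Whitelist" template produces (added here as an illustration, not copied from the post). The Allow statement opens the API to callers, and the Deny statement with the aws:SourceVpce condition is what actually rejects every request that does not arrive through the listed interface endpoint; {{vpceID}} is the placeholder the post uses for your endpoint ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": ["execute-api:/*"]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": ["execute-api:/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "{{vpceID}}"
        }
      }
    }
  ]
}
```

A request that reaches the API from a VPC endpoint not listed in the condition is refused with a 403, which is the behaviour to expect when a second VPC tries to call it without being added to the policy.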

You have now made your API private and accessible only from your VPC. Note that a resource policy change takes effect only after you deploy the API again.


Testing your API


The easiest way to test the availability of your API is by calling it from a serverless Lambda function. Follow the steps below to create a Lambda function that calls your API first from inside and then from outside your VPC:

  1. Navigate to the Lambda console and choose Create Function.

  2. Replace the template code in the code section with the following.

Replace {{url corresponding to a get request from your api}} with the GET URL of a deployed stage of your API in API Gateway.


  3. In the Network section below, select your VPC, the subnets and the security groups required.

  4. Save the function, then press Test. You should receive a 200 response with the data returned from your API.

  5. Now, to call your API from outside your VPC, return to the Network section and select “No VPC” from the VPC list.

  6. Save the function, then press Test. This time you should get the error “getaddrinfo ENOTFOUND”, which means the Lambda function could not resolve your API's hostname: the private DNS name only resolves through the interface endpoint inside the VPC.


Integrating PrivateLink with API CZAR


API CZAR (apiczar.io) is one of the tools you can use to create an enterprise-grade API that runs on AWS API Gateway and Lambda.

You can deploy any API created in API CZAR on AWS API Gateway by choosing “AWS Lambda/API Gateway App” as the packaging option when you package and deploy your application, then following the instructions in the generated README file.

Now, with the PrivateLink feature, you can make the API Gateway deployment private by providing API CZAR with the Endpoint ID. API CZAR deploys the API on AWS, sets the endpoint type to PRIVATE, and configures the Resource Policy so the API can be accessed only from the required VPC, all in one command.

The steps to deploy a private API on AWS API Gateway from API CZAR are as follows:

  1. Choose “Package and Deploy” from the options on the API you need, as in the following figure.

  2. Choose “AWS Lambda/API Gateway App” from the Packaging Options list, then fill out the required fields.

  3. Press Next, generate the API and download the application as a zip file.

  4. Follow the instructions in the README file generated with the app to deploy the application on AWS API Gateway.


After deploying your application to API Gateway, you can test your API with Lambda functions as described in the previous section.
