topic Re: PA firewall traffic to AWS API gateway in VM-Series in the Public Cloud

PA firewall traffic to AWS API gateway

charles07 — Mon, 07 Sep 2020 13:19:29 GMT

Planning to secure AWS infra using a VM firewall Palo Alto. Main AWS components are API Gateway & Lambda.
Traffic from external network (public) comes to API gateway and to lambda. Is it possible to route incoming traffic via PA firewall to API gateway.

Re: PA firewall traffic to AWS API gateway

jmeurer — Mon, 07 Sep 2020 16:26:02 GMT

The way I have solved this in the past is to configured the API Gateway with a private endpoint in the firewall VPC. Configure the the firewall pool behind a Public ALB to serve as you front end with your desired app cert. Use a source and destination NAT rule to forward that traffic through the firewalls to the API GW endpoint FQDN.

One nuance, if you intend to decrypt the traffic on the way through use a SSL Forward Proxy decryption profile rather than the more intuitive Inbound Decrypt profile. The API gateway does not allow you to load a custom cert when using a private endpoint. By flipping the profile, you can get around the SSL handshake errors. The ALB will ignore the self signed cert warning.

Re: PA firewall traffic to AWS API gateway

charles07 — Tue, 08 Sep 2020 09:50:29 GMT

Thank you @jmeurer

I was exploring around the method you said, could not get it done. Could you please help with the steps you followed?

Create Private APi

Private endpoint

......

Finally how was it linked with Palo Alto/Firewall DNAT.

Re: PA firewall traffic to AWS API gateway

jmeurer — Tue, 08 Sep 2020 13:15:30 GMT

I used this guide.

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

When the private endpoint is created, it will have a zone redundant FQDN assigned to it. You use that FDQN as our destination in the NAT rule.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/configure-nat/configure-destination-nat-using-dynamic-ip-addresses.html

You do also need a source nat on the same rule to ensure the proper return path from the api GW to the firewall. That would typically be your trust side interface address.

Re: PA firewall traffic to AWS API gateway

charles07 — Thu, 10 Sep 2020 15:59:57 GMT

@jmeurer your reply is helping. I tried the following;

1. Create a sample lambda function of pet store - http://petstore-demo-endpoint.execute-api.com/petstore/pets

2. Created VPC endpoint

3. Created private REST API and attached endpoint

4. Created DNAT in PA with destination as VPC endpoint

**PA LAN and VPC endpoint are in same subnet

Now I called the URL http://PAWANIP/petstore/pets

Tried diff URLs, patterns, https nothing worked. Is there anything wrong in the method done.

Re: PA firewall traffic to AWS API gateway

jmeurer — Thu, 10 Sep 2020 16:29:22 GMT

Did you add a source translation to the NAT rule with the firewall's interface address? Otherwise the endpoint will try to respond directly to the original client IP.

If you spin up a bastion host in the VPC, can you access the end point? It could an SG on the endpoint not allowing the traffic in.

Re: PA firewall traffic to AWS API gateway

charles07 — Thu, 10 Sep 2020 17:38:56 GMT

Thank you @jmeurer

I did create an SNAT from internal to external with external interface IP.

DNAT from PA to an EC2 in AWS is working

I checked SG of API gateway, endpoint, lamda. It's all full allow.

Are the steps I followed correct?

Is the URL I used to call lambda correct?

Re: PA firewall traffic to AWS API gateway

jmeurer — Thu, 10 Sep 2020 18:07:34 GMT

That SNAT flow does not sound correct. The NAT rule that Destination Nats the traffic to Endpoint, should also have source translation set to the internal interface.

Would you mind posting screen shots of the nat rule.

Re: PA firewall traffic to AWS API gateway

charles07 — Fri, 11 Sep 2020 13:51:20 GMT

Re: PA firewall traffic to AWS API gateway

jmeurer — Fri, 11 Sep 2020 14:02:36 GMT

Assuming your IP specified it the Untrust IP and Eth1/2 is your Trust side interface, your NAT rule translated tab should look like this. This indicates that we are sending the traffic on to the API Endpoint and setting the source IP to be the internal interface of the firewall so that they endpoint knows where to respond to.

Re: PA firewall traffic to AWS API gateway

charles07 — Wed, 16 Sep 2020 13:57:20 GMT

Thanks,

It seems the luck has not turned yet. This is my NAT statement.

i used this doc to create private API and endpoint

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-private-cross-account-vpce/

If i try https://PAWANPublicIP/test/ nothing loads

I tried creating new APi with this doc (change i created a private API)

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html

If i try https://PAWANPublicIP/test/helloworld?name=John&city=Seattle nothing loads

No idea why is this happening, still trying the luck

Re: PA firewall traffic to AWS API gateway

jmeurer — Wed, 16 Sep 2020 14:22:57 GMT

Watch your security groups on the endpoint. Also, check the firewall to ensure the Virtual Router has routes to the endpoint subnets. Have you tried deploying a bastion into the Trust side subnet to test the endpoint directly? We need to determine if the issue is the firewall routing or the endpoint itself.

Re: PA firewall traffic to AWS API gateway

charles07 — Sat, 19 Sep 2020 12:42:01 GMT

Thank you @jmeurer

hard word paid off, now am able to load the lamda function result, although it's showing {"message":"Forbidden"}

so happy at-least traffic reaching APiGW.

If you have any idea why forbidden error, please share.

Re: PA firewall traffic to AWS API gateway

jmeurer — Sat, 19 Sep 2020 13:13:22 GMT

Good news. Message forbidden could be a result of a iam policy on the gateway. You may need to assign a role to firewall so that it has permission to access the gateway. It could also just be a formatting error in the api call.

if you deployed a bastion host into the firewall subnet, does it have the same response?

Re: PA firewall traffic to AWS API gateway

charles07 — Sun, 20 Sep 2020 17:35:07 GMT

screenshot attached

Re: PA firewall traffic to AWS API gateway

jmeurer — Mon, 21 Sep 2020 12:27:41 GMT

is that screen shot through the firewall, or direct from a test client?

Re: PA firewall traffic to AWS API gateway

charles07 — Mon, 21 Sep 2020 12:38:40 GMT

It's through the firewall.

Re: PA firewall traffic to AWS API gateway

jmeurer — Mon, 21 Sep 2020 12:41:52 GMT

Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.

Re: PA firewall traffic to AWS API gateway

charles07 — Tue, 22 Sep 2020 04:57:30 GMT

Hi @jmeurer

Bastion host is not able to resolve the APIgw private URL. I gave 172.31.0.2 as DNS server for bastion host, still not resolving.

FW trust side IP is 172.16.99.x, VPC endpoint too 172.16.99.x and bastion host 172.16.99.

I read in various other forums "each endpoint also requires a valid API key supplied on a x-api-key HTTP header. If not present or valid, the APIs will return a 403 (Forbidden)"

https://codeburst.io/aws-api-gateway-by-example-3733d7792635

Re: PA firewall traffic to AWS API gateway

jmeurer — Tue, 22 Sep 2020 11:38:38 GMT

DNS server is the generally second IP of the VPC cidr. Ie, if your vpc is 172.16.0.0/16, dns is 172.16.0.2. Looks like your vpc is 172.16 but you set your dns server to 172.31.