PA firewall traffic to AWS API gateway

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA firewall traffic to AWS API gateway

L2 Linker

Planning to secure AWS infra using a VM firewall Palo Alto. Main AWS components are API Gateway & Lambda.
Traffic from external network (public) comes to API gateway and to lambda. Is it possible to route incoming traffic via PA firewall to API gateway.

22 REPLIES 22

is that screen shot through the firewall, or direct from a test client?

 

It's through the firewall.

 

Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.  

Hi @jmeurer 

Bastion host is not able to resolve the APIgw private URL. I gave 172.31.0.2 as DNS server for bastion host, still not resolving.

FW trust side IP is 172.16.99.x, VPC endpoint too 172.16.99.x and bastion host 172.16.99.

 

I read in various other forums "each endpoint also requires a valid API key supplied on a x-api-key HTTP header. If not present or valid, the APIs will return a 403 (Forbidden)"

https://codeburst.io/aws-api-gateway-by-example-3733d7792635

DNS server is the generally second IP of the VPC cidr. Ie, if your vpc is 172.16.0.0/16, dns is 172.16.0.2.  Looks like your vpc is 172.16 but you set your dns server to 172.31.  

Thank you @jmeurer 

sorry for the late replies. am bugging around AWS networks & firewall.

I tried from Windows system in the same subnet as of VPC endpoint. 

Tried with API URL and endpoint IP, 

Both showing forbidden error.

Screenshots below.

With IP

IP_EP.JPG

With URL

APi_URL.JPG

Let me try on API GW settings.

Sounds like your endpoint is missing the resource policy to allow the instances to connect.

 

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway...

 

Thank you,

I have given full access in the VPC endpoint policy.

{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}

  • 14962 Views
  • 22 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!