09-07-2020 06:19 AM
Planning to secure AWS infra using a Palo Alto VM firewall. The main AWS components are API Gateway & Lambda.
Traffic from the external (public) network comes to the API Gateway and then to Lambda. Is it possible to route incoming traffic via the PA firewall to the API Gateway?
09-21-2020 05:27 AM
Is that screenshot through the firewall, or direct from a test client?
09-21-2020 05:38 AM
It's through the firewall.
09-21-2020 05:41 AM
Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.
09-21-2020 09:57 PM
Hi @jmeurer
The bastion host is not able to resolve the API GW private URL. I gave 172.31.0.2 as the DNS server for the bastion host, still not resolving.
The FW trust-side IP is 172.16.99.x, the VPC endpoint is also 172.16.99.x, and the bastion host is 172.16.99.
I read in various other forums: "each endpoint also requires a valid API key supplied on a x-api-key HTTP header. If not present or valid, the APIs will return a 403 (Forbidden)"
https://codeburst.io/aws-api-gateway-by-example-3733d7792635
09-22-2020 04:38 AM
The DNS server is generally the second IP of the VPC CIDR, i.e. if your VPC is 172.16.0.0/16, DNS is 172.16.0.2. Looks like your VPC is 172.16 but you set your DNS server to 172.31.
09-24-2020 05:11 AM
Thank you @jmeurer
Sorry for the late replies. I am bugging around AWS networks & the firewall.
I tried from a Windows system in the same subnet as the VPC endpoint.
Tried with the API URL and the endpoint IP;
both show a forbidden error.
Screenshots below.
With IP
With URL
Let me try on API GW settings.
09-24-2020 08:37 AM
Sounds like your endpoint is missing the resource policy to allow the instances to connect.
10-01-2020 05:27 AM
Thank you,
I have given full access in the VPC endpoint policy.
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}
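An added example, not posted by anyone in this thread: a resource policy attached to the API itself (a separate object from the VPC endpoint policy above), of the kind jmeurer's reply refers to. It permits execute-api:Invoke only for requests arriving through one named VPC endpoint and denies everything else, so the API is reachable only via the trust side of the firewall; the VPC endpoint ID is a placeholder to replace with your own.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInvokeFromAnyOtherSource",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": "vpce-PLACEHOLDER"
                }
            }
        },
        {
            "Sid": "AllowInvokeThroughFirewallSideEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*"
        }
    ]
}
```

After changing a resource policy on a private API the stage has to be redeployed before the new policy is evaluated, which is worth checking before reading further into a 403.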