AWS API Gateway with AWS WAF

Question

I want to use AWS Web Application Firewall service with AWS API Gateway. AWS WAF works only with AWS CloudFront distributions.

According to this post https://forums.

Answer 1

Alright guys, i had a similar issue, what is best you can do at this stage is ,

have api gateway terminate the SSL - make a call from api gateway to your alb , elb or nlb (is the best , if it fits your architecture) - have alb protected by the WAF with two ruleset 1. white list all the api gateways ip 2. have the http header accepted by api gateway only

this way you are securing your infra to its best.

if you have nlb, then you can have the private link to NLB straight, keep in mind NLB doesnt support path based routing, and cross zone application failover

I have asked AWS to raise a feature request for the same

Answer 2

Unfortunately no, API Gateway does not provide access to the backing CloudFront distribution. To use WAF you would have to create a second distribution, which is inefficient but should functionally work.

Answer 3

AWS API Gateway recently (around November,2018) added this feature https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html