Whitelist IP of AWS API Gateway API endpoint in company's firewall

我怕爱的太早我们不能终老 submitted on 2020-01-06 07:20:22

Question


I have built an AWS API Gateway API endpoint which will be hit by one of the machines on my company's network to POST data at regular intervals. But the office firewall blocks it when I try it from the office network through Postman (when I use a mobile hotspot or other Wi-Fi, it works seamlessly because there is no firewall challenge), so I have to give the range of IP addresses to be whitelisted by the office network team to be able to hit the API endpoint.

Where to get the IPs? Will they be constant or changing? Since it is a long process of raising tickets for IPs to be white-listed by the network security team, is there a smooth process on the same?

Also, is there a risk associated to this way of data push from on-prem to cloud? I've already implemented AWS IAM Authorization and also API-Key for security and access control. If there still is a risk, how to make this process totally secured?

Please help!


Answer 1:


Unluckily, you cannot give a static IP to an API Gateway, as it can change without notice; that is by AWS design. What you can do in such a case is to have a reverse proxy with an Elastic IP associated that will transparently route your HTTP traffic to the API Gateway. (Then you need a domain name and a certificate, because you will not use the API Gateway name anymore.)

> Also, is there a risk associated to this way of data push from on-prem to cloud? I've already implemented AWS IAM Authorization and also API-Key for security and access control. If there still is a risk, how to make this process totally secured?

There's nothing totally secured in any organization, but in order to secure in-transit data, you should use an encrypted channel like HTTPS (which is natively supported by API Gateway). That is why you need a domain name and a certificate for the proxy.
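
The reverse proxy described in the answer above, sketched as an nginx configuration. This is an added example, not part of the original answer. It assumes nginx runs on an EC2 instance that holds the Elastic IP; the domain `api.example.com`, the API id `abc123example`, the region, and all file paths are placeholders.

```nginx
# Added example (not from the original answer). Placeholders, all assumed:
#   api.example.com   your own domain; its A record points at the Elastic IP,
#                     which is the single address the office firewall allows
#   abc123example.execute-api.us-east-1.amazonaws.com
#                     the API Gateway invoke hostname (placeholder id and region)
#   /etc/nginx/tls/*  certificate and key issued for api.example.com

server {
    listen 443 ssl;
    server_name api.example.com;

    # TLS towards the on-prem client: this is why the proxy needs its own
    # domain name and certificate.
    ssl_certificate     /etc/nginx/tls/api.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # API Gateway addresses change without notice, so the upstream name must
    # be re-resolved at run time instead of once at start-up.
    # 169.254.169.253 is the Amazon-provided DNS resolver inside a VPC.
    resolver 169.254.169.253 valid=30s;

    location / {
        # A variable in proxy_pass makes nginx resolve the name per request
        # through the "resolver" above. With no URI part, the client's path
        # (including the stage, e.g. /prod/...) is forwarded unchanged.
        set $apigw "abc123example.execute-api.us-east-1.amazonaws.com";
        proxy_pass https://$apigw;
        proxy_http_version 1.1;

        # API Gateway selects the API from SNI and the Host header, so both
        # must carry the execute-api hostname, not api.example.com.
        proxy_ssl_server_name on;
        proxy_ssl_name        $apigw;
        proxy_set_header      Host $apigw;

        # Keep the second hop encrypted and authenticated as well.
        # CA bundle path is the Debian/Ubuntu default (assumption).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

Request headers such as `x-api-key` and `Authorization` pass through unchanged. Because the proxy rewrites `Host`, and the host header is part of a SigV4 signature, a client using IAM authorization has to sign for the execute-api hostname while connecting to `api.example.com`.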



Source: https://stackoverflow.com/questions/57410386/whitelist-ip-of-aws-api-gateway-api-endpoint-in-companys-firewall
