6

I'd like to have an API gateway act as a proxy that talks to an External API (let's call it E-API) with an attached token, on behalf of my AWS resources (Lambda, EC2 etc.).

But E-API only accepts requests from certain whitelisted IPs agreed upon beforehand.

So we got an Elastic IP, but I'm kinda stumped about how to associate the IP with my API Gateway, so that when it sends off an HTTP request to the E-API, it identifies itself as emerging out of that Elastic IP.

I have tried poking around the settings for VPC and Route53 but need help on how I can move forward.

2 Answers

5

It's not possible to associate an Elastic IP address with an API Gateway.

However, even if it were possible, it would not solve your issue. This is because your executing code (either Lambda or an EC2 instance behind the scenes) is where your logic is running. It is from there that you want to have a fixed IP address that you can whitelist.

This is possible to do using a NAT Instance or NAT Gateway with an Elastic IP address.

  1. Set up a VPC to run your code in.
  2. Create a public subnet with a NAT instance or NAT gateway. Give this an Elastic IP address.
  3. Create a private subnet that talks to the internet via the NAT gateway.
  4. Configure your Lambda function(s) or your EC2 instances to execute in the private subnet.

If you do this, then all outbound connections from your functions will exit from the NAT with the fixed IP address. You can then whitelist that Elastic IP address.

Matt Houser
  • 10,248
  • So in the logs of the third party API's servers, is it correct to say they would actually see the logs of my Lambda even if I'm routing or proxying the requests through the gateway? Assuming I don't create the VPC. – Aditya M P Apr 22 '16 at 12:50
  • For this to work, you'll need a VPC. In their logs they will only see your NAT's Elastic IP. If you don't do this then they will see the IP coming from your Lambda which will not be constant. – Matt Houser Apr 22 '16 at 13:29
  • That's interesting; I considered API gateways as some sort of "static appliance" especially because I can refer to them over the internet with a static domain, but I'm sure there's some magic going on in there to achieve that, which prevents me from using the process in reverse. – Aditya M P Apr 22 '16 at 14:17
  • A static domain does not always mean a static IP address. Your Lambda function is also not executing on the gateway. That's happening on another server. – Matt Houser Apr 22 '16 at 16:02
  • Of course. But what confuses me is that if the request is going through the gateway, then how does the external server see the lambda's IP address. – Aditya M P Apr 22 '16 at 16:57
  • Btw thanks for your time & patience. I've upvoted but I'll accept once I implement I think :) – Aditya M P Apr 22 '16 at 16:58
  • When the connection exits via the NAT, the other end will see the NAT's IP, not the Lambda's. You want the external service to see a fixed IP, that will be the NAT's IP. – Matt Houser Apr 22 '16 at 17:07
  • No my question two comments ago was in the context of the NAT not being present. I get the benefits of the NAT, I'm just trying to understand all the pieces of the other side. – Aditya M P Apr 22 '16 at 17:22
  • Without using a NAT, the Lambda function is running on a server that has a direct connection to the internet. So its external connections do not pass through any gateways. Thus, the external service will see the public IP address of whatever server the Lambda function executed on. – Matt Houser Apr 22 '16 at 17:26
  • Ah: but I'm talking of a setup where without a NAT, you can actually make your Lambda talk to an API gateway which in turn talks to the external API, acting as a sort of proxy. It is in this scenario that I am surprised that the external API can still see the Lambda's IP, but I'm not sure that's the case. – Aditya M P Apr 22 '16 at 17:28
  • You would actually want such a setup in a case where for example you have many lambdas in which you don't want to repeatedly store credentials, but have them all talk to this proxy API gateway which forwards requests along with an extra HTTP header attached. I've done that and thought it was a cool ability :) – Aditya M P Apr 22 '16 at 17:31
  • OK. Now I understand better. Your API gateway is configured to send directly to the external service. So Lambda -> API Gateway -> External API. I was thinking rather API Gateway -> Lambda -> External API. In your case, there's no way to fix the IP of the API gateway itself. You'd need to put something that can be fixed between the gateway and the external API. – Matt Houser Apr 22 '16 at 17:37
  • Haha okay thanks a lot! I should have put that ASCII diagram you made in my question. So I'll go ask AWS support now to please give us this feature :) – Aditya M P Apr 22 '16 at 17:47
0

This site has a great step-by-step explanation on how to achieve this. Hope this helps

RaR
  • 101
  • 3
    Thanks, I'll check it out. However IIRC StackExchange rules discourage users from posting a link alone with no introduction. Would be great if you posted a quick summary of the actual answer/procedure here, and then link to the rest of the full solution on that page. – Aditya M P Mar 18 '17 at 05:20
  • The title of the article is "AWS Lambdas with a static outgoing IP", hosted on medium.com, Financial Engines Tech Blog. The article actually describes a setup for static outgoing IP address and doesn't answer the question. – smirnoff May 26 '21 at 15:29