Amazon API Gateway integration with AWS WAF
- Published on
- Authors
- Name
- Binh Bui
- @bvbinh
Introduction
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application.
Amazon API Gateway supports several types of integrations with AWS services and third-party services. In this post, we will focus on the integration with AWS WAF. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.
Why use Amazon API Gateway integration with AWS WAF?
Amazon API Gateway integration with AWS WAF is a great way to protect your APIs from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your APIs by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.
Demo - Amazon API Gateway integration with AWS WAF by using AWS CDK
In this demo, we will create an API Gateway API with a single GET method that will return a JSON response. We will then create a WAF rule that will block requests from a specific IP address. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.
Create an API Gateway API
First, we will create an API Gateway API with a single GET method that will return a JSON response. We will use the AWS CDK to create the API Gateway API.
// lambda function
const testFn = new NodejsFunction(this, 'MyFunction', {
entry: './function/index.ts',
runtime: lambda.Runtime.NODEJS_18_X,
handler: 'main',
bundling: {
externalModules: ['aws-sdk'],
minify: true,
},
})
// api gateway, this is just for testing
const api = new apigateway.LambdaRestApi(this, 'test-api', {
handler: testFn,
deployOptions: {
stageName: 'test',
},
})
Create a WAF ACL and WAF Rule
Next, we will create a WAF ACL and a WAF Rule allowing only requests from a specific location. We will use the AWS CDK to create the WAF ACL and WAF Rule.
const webACL = new wafv2.CfnWebACL(this, 'webACL', {
name: 'webACL',
description: 'This is WebACL for Auth APi Gateway',
scope: 'REGIONAL', // or CLOUDFRONT for CloudFront
defaultAction: { block: {} }, // default action is block all request
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: 'webACL', // metric name for CloudWatch
sampledRequestsEnabled: true,
},
rules: [
{
name: `demo-api-auth-gateway-geolocation-rule`,
priority: 30,
action: { allow: {} },
visibilityConfig: {
metricName: `demo-AuthAPIGeoLocation`,
cloudWatchMetricsEnabled: true,
sampledRequestsEnabled: false,
},
statement: {
geoMatchStatement: {
countryCodes: ['US', 'VN'], // allow US and VN IP. You can add more country codes
},
},
},
],
})
This will create a WAF ACL with a single WAF Rule allowing only requests from a specific location(US and VN). We will then associate the WAF ACL with the API Gateway API.
// Web ACL Association
const webACLAssociation = new wafv2.CfnWebACLAssociation(this, 'webACLAssociation', {
webAclArn: webACL.attrArn, // Web ACL ARN from above
// For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
resourceArn: Fn.join('', [
'arn:aws:apigateway:', // service
Stack.of(this).region, // region
'::/restapis/', // resource type
api.restApiId, // api id
'/stages/', // resource type
api.deploymentStage.stageName, // stage name
]),
})
// make sure api gateway is deployed before web ACL association
webACLAssociation.node.addDependency(api)
This will associate the WAF ACL with the API Gateway API. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.
The code for this demo is available on GitHub. You can deploy the demo by running the following commands.
git clone
cd apig-waf-cdk
yarn install
yarn deploy
Testing the API
After deploying the demo, we will test the API. We will use the following command to test the API.
curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test
The response should be similar to the following.
{
"message": "Hello from Lambda!"
}
Now, we will remove 'VN'(or your country code) from the WAF Rule and test the API again. We will use the following command to test the API.
curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test
The response should be similar to the following.
{
"message": "Forbidden"
}
The request is blocked because the request is from a location that is not allowed by the WAF Rule.
Conclusion
In this post, we have seen how to use Amazon API Gateway integration with AWS WAF by using AWS CDK. We have also seen how to test the API to see that the request is blocked.
The source code for this demo is available on GitHub.
That's all for now. Thanks for reading. If you have any questions or comments, please leave them below. I will try to answer them as soon as possible.