Question
Ideally, I'd like to lock down my ALB so that it can only be accessed by API Gateway.
I've looked into whether I can associate API Gateway with an inbound rule; however, I have found that API Gateway cannot be associated with an IP address or a security group. I've also looked into an internal-facing ALB, but I've been unable to get this working, as VPC Link only supports NLB.
Any help will be greatly appreciated - I've been looking in the Gateway Settings but cannot find this option.
What is the best way to approach this so that the ALB is as restricted as possible?
Answer 1:
The API Gateway doesn't have a static IP and ALBs don't offer any authentication other than Cognito User Pools at this moment. Because of that I would say your best option is to use a VPC link with Network Load Balancer as you propose and tunnel the request via the NLB to your ALB.
Alternatively, you could have a Lambda inside your VPC invoke the ALB, but that would be a lot slower, though cheaper for low volumes because you skip the NLB.
Answer 2:
Depending on the use case, one possibility is to secure your backend instead of the ALB using client SSL certificates. Generate and Configure an SSL Certificate for Backend Authentication
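As an added example (not part of either answer), this is how the client-certificate approach from answer 2 is wired up: API Gateway presents the certificate it generated to the backend, and the backend's TLS terminator refuses any connection that does not present it. The hostname, file paths and the `<REST_API_ID>`, `<STAGE>` and `<CLIENT_CERT_ID>` values are placeholders.

```nginx
# Added example: backend nginx that only accepts TLS clients presenting the
# API Gateway client certificate. Setup steps (AWS CLI) as comments:
#
# 1. Generate the certificate API Gateway will present and attach it to the stage:
#      aws apigateway generate-client-certificate --description "apigw-to-backend"
#      aws apigateway update-stage --rest-api-id <REST_API_ID> --stage-name <STAGE> \
#        --patch-operations op=replace,path=/clientCertificateId,value=<CLIENT_CERT_ID>
# 2. Export the PEM so the backend trusts exactly this certificate (it is self-signed,
#    so it doubles as its own issuer for nginx's verification):
#      aws apigateway get-client-certificate --client-certificate-id <CLIENT_CERT_ID> \
#        --query pemEncodedCertificate --output text > /etc/nginx/apigw-client.pem
#    The generated certificate is valid for one year; plan a rotation (generate a new
#    one, add it to the trust file, switch the stage, then remove the old one).

server {
    listen 443 ssl;
    server_name backend.example.internal;   # placeholder hostname

    # Server certificate that API Gateway validates when calling the integration.
    # It must chain to a CA API Gateway trusts; a self-signed server cert is rejected.
    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;

    # Trust only the exported API Gateway client certificate. With
    # ssl_verify_client on, a handshake without a valid client cert is refused,
    # so a caller that bypasses API Gateway never reaches the application.
    ssl_client_certificate /etc/nginx/apigw-client.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder application port
        proxy_set_header X-Client-Verify $ssl_client_verify;   # "SUCCESS" for audit logs
    }
}
```

This check has to live on the host that terminates the TLS connection from API Gateway: an ALB with an HTTPS listener in front of it terminates TLS itself and never forwards the client certificate, which is why the answer says to secure the backend rather than the ALB.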
Source: https://stackoverflow.com/questions/53715115/what-is-the-best-way-to-restrict-access-to-an-application-load-balancer