Limit access to Elastic Beanstalk to only via Apigee Reverse Proxies


Hi,

We currently have a few Reverse Proxies to our AWS Elastic Beanstalk applications; however, we would like to limit access to the EB applications so that only Apigee can access them. So far the best way I can think of to do this is to limit access to the Load Balancer to only Apigee's IP range, but I was wondering if anyone out there has a better idea?

Thanks

3 REPLIES


Apigee supports Mutual TLS (mTLS), so authenticating requests from Apigee can be done by whitelisting certificates instead. This is a cleaner and cloud-native approach, as Apigee MP IPs are ephemeral: Message Processors (MPs) come and go as capacity expands or shrinks.

What type of app are you building on Elastic Beanstalk? I mean Node.js, Java, etc.

You can enable MTLS by something like AWS Gateway on your end.

https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authent...

Ah, so I have to use API Gateway? I was hoping not to have to do that, for no other reason than that it is another link in the chain (web-app->apigee->apigateway->lb->eb->java-app)

Thanks anyway though.

Two options that occur to me, if you want to save that hop:

  1. Use mTLS directly from the java-app. Depending on your frameworks it's harder or more difficult. But it's doable.
  2. Use JWT. If mTLS is somewhat cumbersome to configure and to manage, why not use JWT tokens generated from Apigee and validated in Beanstalk? Using a more or less complex algorithm.
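
Option 2 above (a JWT issued at Apigee and validated in Beanstalk), sketched as an added example that is not part of the original thread and not Apigee or AWS code. It is written in Python for brevity, and the same checks port to the Java app. The shared secret, the issuer and audience names, and the choice of HS256 are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions); provision the real secret out of band.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "apigee-proxy"   # hypothetical issuer claim set by the proxy
EXPECTED_AUD = "eb-java-app"    # hypothetical audience naming this backend

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims, secret=SHARED_SECRET):
    """Stand-in for the gateway side: issue an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(_mac(secret, header + '.' + body))}"

def verify_token(token, now=None, secret=SHARED_SECRET):
    """Backend side: return the claims, or raise ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison, done before the payload is parsed or trusted.
    if not hmac.compare_digest(sig, _mac(secret, header_b64 + "." + body_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims must be an object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    return claims

if __name__ == "__main__":
    demo = sign_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": time.time() + 60})
    print(verify_token(demo))
```

Keep `exp` short, since a captured token can be replayed against the backend until it expires.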