How to allow specific IP or range of IP addresses to access our REST API endpoints?
In this article, I will share how to whitelist an IP address to allow access to the REST API endpoint and deny/block all the requests originating from different source IPs. This article is purely for the APIs with REST protocol within API Gateway. The method/approach that we are going to use to control the whitelisting of IPs is via Resource Policy.
Here, I am going to allow/whitelist my IP address to access/invoke the API Endpoint and block the rest of the requests originating from sources other than my IP address.
Getting started
To get started, create a lambda function (requestService) which will be our back-end integration for our REST API Gateway (which we will create in a while). The lambda function will simply return the hard-coded response whenever the endpoint (GET method) will be invoked, without any business logic.
Post creation of the Lambda function, go ahead to API Management Console and create the REST API from scratch or you can also open any existing REST API. As a next step create the resource (/processrequest) along with the GET method. In the end, integrate the lambda function (requestService) with the GET method. Please refer to the below screenshot for integration.
For similar detailed step by step setup of the resources you can refer to my tutorial on Resources, method integration with lambda
Whitelisting IP address via Resource Policy
With the help of resource policy, we can restrict the API Endpoint invocation to specific requests originating from defined IP addresses and block/deny the rest of the requests.
After setting up the API Gateway and lambda function, open the API Gateway (which is created in the above step) and click on Resource Policy from the left panel, and copy & paste the below policy in the editor and click on Save.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/*/*/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/*/*/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["YOUR IP ADDRESS", "IP CIDR BLOCK"]
}
}
}
]
}
Here, within policy, we have two statement blocks (i.e. Allow & Deny block). The first statement which allows statement states that we are going to allow all the API Endpoint invocations originating from any source to all the resources within our REST API.
In the second statement, we have defined explicit denial. The deny statement states that block all the requests from all sources to all resources but with a condition. The condition states that block all the requests except the request coming from the IP address mentioned in the NotIpAddress block.
As a next step, replace the YOUR IP ADDRESS placeholder with your IP address (you can simply google, whatmyip to fetch your IP address) for which you want to allow the API Endpoint invocation. Additionally, you can also define the IP range with the CIDR block. After modification, Click on Save
Finally, re-deploy the API for the changes to be reflected and get the Invocation URL.
Testing
Post-deployment, copy the invocation URL and paste it into a new tab in your browser and make sure to add /processrequest and hit Enter. As a result, you should be able to see the response coming from the lambda function.
To make sure, that the resource policy approach is working fine, go ahead and replace your IP address with localhost IP and click on Save. And re-deploy it.
Now if you re-hit the API endpoint again then it will return an error message as shown in the below reference image.
Finally, we made out endpoint secure in a way.
For a detailed step-by-step setup, you can refer to the video below.
If you have any questions, comments, or feedback then please leave them below. Subscribe to my channel for more.
Top comments (2)
You are welcome and I am glad it is helpful!