├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── hello_world
│   ├── lambda_function.py
│   └── requirements.txt
└── template.yaml
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *main* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.


## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Integrating Amazon API Gateway private endpoints with on-premises networks

Read the blog about this application:
[Integrating Amazon API Gateway private endpoints with on-premises networks](https://aws.amazon.com/blogs/compute/integrating-amazon-api-gateway-private-endpoints-with-on-premises-networks/)


### Requirements for deployment

* AWS CLI
* AWS SAM CLI
* AWS credentials that provide the necessary permissions to create the resources. This example uses admin credentials.
* Amazon VPN or AWS Direct Connect with routing rules that allow DNS traffic to pass through to the Amazon VPC.


### Deploying

In the terminal, use the SAM CLI guided deployment the first time you deploy.

1. Navigate to the cloned repo directory. Alternatively, use the sam init command and paste the repo URL.

2. Build the AWS SAM application:
```bash
sam build
```
3. Deploy the AWS SAM application:
```bash
sam deploy --guided
```

## Cleanup
1. Open the CloudFormation console
1. Locate the stack using the name entered in SAM deployment.
1. Select the radio option next to it
1. Select **Delete**
1. Select **Delete stack** to confirm

## Security

See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

## License

This library is licensed under the MIT-0 License. See the LICENSE file.
--------------------------------------------------------------------------------
/hello_world/lambda_function.py:
--------------------------------------------------------------------------------
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
import json

print('Loading function')


def lambda_handler(event, context):
    # Static JSON body: the function ignores the request, so the only access
    # control is the private API Gateway endpoint and its resource policy.
    body = {
        "response": {
            "resultStatus": "SUCCESS"
        }
    }

    # Response shape expected by the API Gateway proxy integration.
    return {
        "isBase64Encoded": False,
        "statusCode": 200,
        "headers": {
            "Content-Type": "application/json"
        },
        "body": json.dumps(body)
    }
--------------------------------------------------------------------------------
/hello_world/requirements.txt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/template.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >-
  Builds a VPC with 2 private subnets, security groups, policies, VPC Endpoint, a private API Gateway and a Route53
  inbound resolver.
Parameters:
  apiName:
    Default: privateAPIBlogDemo
    Description: Friendly name for your API Gateway
    Type: String
  onPremCIDR:
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Default: 172.31.0.0/16
    Description: Your on-premises CIDR block (e.g. 172.31.0.0/16); you can add more entries in the prefix list resource
    Type: String
Globals:
  Api:
    OpenApiVersion: 3.0.1
Resources:
  OnPremisesPrefixList:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: "corporate-network-CIDRs"
      AddressFamily: "IPv4"
      MaxEntries: 10
      Entries:
        - Cidr: !Ref onPremCIDR
          Description: "IT Network 1"
      Tags:
        - Key: "Name"
          Value: "IT Network 1-Servers"
  MyVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: PrivateAPIBlogDemo
  privateSubnet01:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.0.0/17
      AvailabilityZone: !Select
        - '0'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: SubnetType
          Value: Private
        - Key: Name
          Value: PrivateAPIBlogDemo
  privateSubnet02:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.128.0/17
      AvailabilityZone: !Select
        - '1'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: SubnetType
          Value: Private
        - Key: Name
          Value: PrivateAPIBlogDemo
  ResolverSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref MyVPC
      GroupDescription: SG for Route53 Resolver endpoint
      Tags:
        - Key: Name
          Value: ResolverSG
  # Only DNS (TCP/UDP 53) from the on-premises prefix list may reach the inbound resolver.
  ResolverSGIngressTCP:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      IpProtocol: tcp
      FromPort: '53'
      ToPort: '53'
      SourcePrefixListId: !Ref OnPremisesPrefixList
      Description: Allows DNS access from on-premises CIDR
      GroupId: !GetAtt ResolverSG.GroupId
  ResolverSGIngressUDP:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      IpProtocol: udp
      FromPort: '53'
      ToPort: '53'
      SourcePrefixListId: !Ref OnPremisesPrefixList
      Description: Allows DNS access from on-premises CIDR
      GroupId: !GetAtt ResolverSG.GroupId
  ResolverSGEgressTCP:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      IpProtocol: tcp
      FromPort: '0'
      ToPort: '65535'
      DestinationPrefixListId: !Ref OnPremisesPrefixList
      Description: Restricts DNS responses to on-premises CIDR only
      GroupId: !GetAtt ResolverSG.GroupId
  ResolverSGEgressUDP:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      IpProtocol: udp
      FromPort: '0'
      ToPort: '65535'
      DestinationPrefixListId: !Ref OnPremisesPrefixList
      Description: Restricts DNS responses to on-premises CIDR only
      GroupId: !GetAtt ResolverSG.GroupId
  Route53Resolver:
    Type: 'AWS::Route53Resolver::ResolverEndpoint'
    Properties:
      Direction: Inbound
      IpAddresses:
        - SubnetId: !Ref privateSubnet01
        - SubnetId: !Ref privateSubnet02
      Name: MyInboundEndpoint
      SecurityGroupIds:
        - !Ref ResolverSG
      Tags:
        - Key: Name
          Value: PrivateAPIBlogDemo
  VPCEndpointSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref MyVPC
      GroupDescription: SG for API Gateway Private endpoint
      Tags:
        - Key: Name
          Value: VPCEndpointSG
  # Only HTTPS (TCP 443) from the on-premises prefix list may reach the API Gateway VPC endpoint.
  VPCEndpointSGIngress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      IpProtocol: tcp
      FromPort: '443'
      ToPort: '443'
      SourcePrefixListId: !Ref OnPremisesPrefixList
      Description: Allows HTTPS access from on-premises CIDR to API Gateway endpoint
      GroupId: !GetAtt VPCEndpointSG.GroupId
  VPCEndpointSGEgress:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      IpProtocol: tcp
      FromPort: '0'
      ToPort: '65535'
      DestinationPrefixListId: !Ref OnPremisesPrefixList
      Description: Restricts HTTPS responses to on-premises CIDR only
      GroupId: !GetAtt VPCEndpointSG.GroupId
  APIGWVPCEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      # Endpoint policy: any caller that reaches this endpoint may invoke APIs in this account and
      # Region; the API's own resource policy (MyRestApi below) pins the API to this endpoint.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: 'execute-api:Invoke'
            Effect: Allow
            Resource: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*'
            Principal: '*'
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
      SubnetIds:
        - !Ref privateSubnet01
        - !Ref privateSubnet02
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref VPCEndpointSG
      VpcId: !Ref MyVPC
  MyRestApi:
    Type: AWS::Serverless::Api
    Properties:
      Description: API GW Blog Demo
      EndpointConfiguration:
        Type: PRIVATE
        VPCEndpointIds:
          - !Ref APIGWVPCEndpoint
      Name: !Ref apiName
      StageName: DemoStage
      Auth:
        ResourcePolicy:
          IntrinsicVpceWhitelist:
            - !Ref APIGWVPCEndpoint
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello_world/
      Handler: lambda_function.lambda_handler
      Runtime: python3.7
      Events:
        HelloWorldApi:
          Type: Api
          Properties:
            RestApiId: !Ref MyRestApi
            Path: /hello
            Method: GET
Outputs:
  ResolverEndpoint:
    Description: Route53 Inbound resolver ID
    Value: !GetAtt Route53Resolver.ResolverEndpointId
  APIInvokeURL:
    Description: API Gateway URL, invoke with curl from on premises client.
    Value: !Sub 'https://${MyRestApi}.execute-api.${AWS::Region}.amazonaws.com/DemoStage/hello'
--------------------------------------------------------------------------------
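The template above keeps the API private through three settings that must hold together: security-group ingress sourced only from the on-premises prefix list, a scoped VPC endpoint policy, and a PRIVATE API whose resource policy is pinned to that endpoint. The following audit is an added example, not code from the sample project; it embeds the relevant resources inline as the dict a CloudFormation-aware YAML loader would produce (intrinsic functions kept as `Ref`/`Fn::Sub` dicts, as in a JSON template) and also checks a constructed, weakened copy so the findings can be compared.

```python
# Added example, not part of the sample project: offline audit of the settings this template
# relies on, given as the dict a CloudFormation-aware YAML loader would produce (trimmed).
import copy
ON_PREM = {"Ref": "OnPremisesPrefixList"}  # the on-premises prefix list defined in the template
TEMPLATE = {"Resources": {
    "ResolverSGIngressTCP": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "SourcePrefixListId": ON_PREM}},
    "ResolverSGIngressUDP": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "SourcePrefixListId": ON_PREM}},
    "VPCEndpointSGIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "SourcePrefixListId": ON_PREM}},
    "APIGWVPCEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
                       "Resource": {"Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*"}}]}}},
    "MyRestApi": {"Type": "AWS::Serverless::Api", "Properties": {
        "EndpointConfiguration": {"Type": "PRIVATE", "VPCEndpointIds": [{"Ref": "APIGWVPCEndpoint"}]},
        "Auth": {"ResourcePolicy": {"IntrinsicVpceWhitelist": [{"Ref": "APIGWVPCEndpoint"}]}}}},
}}

def audit(template):
    findings = []  # an empty list means every check passed
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroupIngress":
            # Inbound rules must come from the on-premises prefix list (or another SG), never an open CIDR.
            if props.get("CidrIp") == "0.0.0.0/0" or not (
                    "SourcePrefixListId" in props or "SourceSecurityGroupId" in props):
                findings.append(f"{name}: ingress is not restricted to the on-premises prefix list")
        elif res["Type"] == "AWS::EC2::VPCEndpoint":
            # Principal '*' on Resource '*' would let the endpoint invoke any API it can reach.
            for stmt in props.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Principal") == "*" and stmt.get("Resource") == "*":
                    findings.append(f"{name}: endpoint policy is unrestricted")
        elif res["Type"] == "AWS::Serverless::Api":
            # The API must be PRIVATE and its resource policy pinned to the same VPC endpoint.
            cfg = props.get("EndpointConfiguration", {})
            if cfg.get("Type") != "PRIVATE":
                findings.append(f"{name}: endpoint type is {cfg.get('Type')}, not PRIVATE")
            vpces = props.get("Auth", {}).get("ResourcePolicy", {}).get("IntrinsicVpceWhitelist", [])
            if not vpces or any(v not in cfg.get("VPCEndpointIds", []) for v in vpces):
                findings.append(f"{name}: resource policy is not pinned to the API's VPC endpoint")
    return findings

def weakened(template):
    # Constructed misconfiguration: HTTPS ingress open to the internet and a non-private API.
    t = copy.deepcopy(template)
    t["Resources"]["VPCEndpointSGIngress"]["Properties"] = {
        "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"}
    t["Resources"]["MyRestApi"]["Properties"]["EndpointConfiguration"]["Type"] = "REGIONAL"
    return t
```

`audit(TEMPLATE)` returns no findings for the template as shipped, while `audit(weakened(TEMPLATE))` reports the open ingress rule and the non-private API.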