DEV Community

Binh Bui for AWS Community Builders

Posted on • Originally published at codewithyou.com

Amazon API Gateway integration with AWS WAF

Amazon API Gateway integration with AWS WAF

Amazon API Gateway integration with AWS WAF

Introduction

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application.

Amazon API Gateway supports several types of integrations with AWS services and third-party services. In this post, we will focus on the integration with AWS WAF. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.

Why use Amazon API Gateway integration with AWS WAF?

Amazon API Gateway integration with AWS WAF is a great way to protect your APIs from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your APIs by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.

Demo - Amazon API Gateway integration with AWS WAF by using AWS CDK

In this demo, we will create an API Gateway API with a single GET method that will return a JSON response. We will then create a WAF rule that will block requests from a specific IP address. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.

Create an API Gateway API

First, we will create an API Gateway API with a single GET method that will return a JSON response. We will use the AWS CDK to create the API Gateway API.

// lambda function
const testFn = new NodejsFunction(this, 'MyFunction', {
  entry: './function/index.ts',
  runtime: lambda.Runtime.NODEJS_18_X,
  handler: 'main',
  bundling: {
    externalModules: ['aws-sdk'],
    minify: true,
  },
})

// api gateway, this is just for testing
const api = new apigateway.LambdaRestApi(this, 'test-api', {
  handler: testFn,
  deployOptions: {
    stageName: 'test',
  },
})
Enter fullscreen mode Exit fullscreen mode

Create a WAF ACL and WAF Rule

Next, we will create a WAF ACL and a WAF Rule allowing only requests from a specific location. We will use the AWS CDK to create the WAF ACL and WAF Rule.

const webACL = new wafv2.CfnWebACL(this, 'webACL', {
  name: 'webACL',
  description: 'This is WebACL for Auth APi Gateway',
  scope: 'REGIONAL', // or CLOUDFRONT for CloudFront
  defaultAction: { block: {} }, // default action is block all request
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'webACL', // metric name for CloudWatch
    sampledRequestsEnabled: true,
  },

  rules: [
    {
      name: `demo-api-auth-gateway-geolocation-rule`,
      priority: 30,
      action: { allow: {} },
      visibilityConfig: {
        metricName: `demo-AuthAPIGeoLocation`,
        cloudWatchMetricsEnabled: true,
        sampledRequestsEnabled: false,
      },
      statement: {
        geoMatchStatement: {
          countryCodes: ['US', 'VN'], // allow US and VN IP. You can add more country codes
        },
      },
    },
  ],
})
Enter fullscreen mode Exit fullscreen mode

This will create a WAF ACL with a single WAF Rule allowing only requests from a specific location(US and VN). We will then associate the WAF ACL with the API Gateway API.

// Web ACL Association
const webACLAssociation = new wafv2.CfnWebACLAssociation(this, 'webACLAssociation', {
  webAclArn: webACL.attrArn, // Web ACL ARN from above
  // For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
  resourceArn: Fn.join('', [
    'arn:aws:apigateway:', // service
    Stack.of(this).region, // region
    '::/restapis/', // resource type
    api.restApiId, // api id
    '/stages/', // resource type
    api.deploymentStage.stageName, // stage name
  ]),
})

// make sure api gateway is deployed before web ACL association
webACLAssociation.node.addDependency(api)
Enter fullscreen mode Exit fullscreen mode

This will associate the WAF ACL with the API Gateway API. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.

The code for this demo is available on GitHub. You can deploy the demo by running the following commands.

git clone
cd apig-waf-cdk
yarn install
yarn deploy
Enter fullscreen mode Exit fullscreen mode

Testing the API

After deploying the demo, we will test the API. We will use the following command to test the API.

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test
Enter fullscreen mode Exit fullscreen mode

The response should be similar to the following.

{
  "message": "Hello from Lambda!"
}
Enter fullscreen mode Exit fullscreen mode

Now, we will remove 'VN'(or your country code) from the WAF Rule and test the API again. We will use the following command to test the API.

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test
Enter fullscreen mode Exit fullscreen mode

The response should be similar to the following.

{
  "message": "Forbidden"
}
Enter fullscreen mode Exit fullscreen mode

The request is blocked because the request is from a location that is not allowed by the WAF Rule.

Conclusion

In this post, we have seen how to use Amazon API Gateway integration with AWS WAF by using AWS CDK. We have also seen how to test the API to see that the request is blocked.

The source code for this demo is available on GitHub.

That's all for now. Thanks for reading. If you have any questions or comments, please leave them below. I will try to answer them as soon as possible.

References

Top comments (0)