Applying IP address-based whitelisting on API Gateway

How do I apply IP address-based whitelisting on API Gateway?

To whitelist IP addresses on an API Gateway, you restrict who may invoke the API based on the caller's source IP address. Here, we'll define an API Gateway REST API with a resource and a method, and attach a resource policy whose aws:SourceIp condition allows only the whitelisted addresses.

Explanation

We'll create the following resources:

  1. API Gateway Rest API: This is where our API is defined.
  2. Resource: Represents a resource (path segment) within the API Gateway.
  3. Method: Defines the HTTP method for the resource (e.g., GET) that the whitelist protects.
  4. Resource Policy: The IAM policy attached to the API that allows execute-api:Invoke only from the whitelisted IP ranges.
  5. Gateway Response: Customizes the response returned to callers the policy rejects.
  6. Deployment: Deploys the API.
  7. Stage: Specifies the stage of the deployment (e.g., production).

The core link between the IP whitelisting and API Gateway is the REST API's resource policy (aws.apigateway.RestApiPolicy in Pulumi): an IAM policy attached to the API whose aws:SourceIp condition decides which callers are allowed to perform execute-api:Invoke. The Method and MethodResponse resources only define the endpoint being protected; they do not enforce the IP restriction themselves.

Program

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a new API Gateway Rest API
const myApi = new aws.apigateway.RestApi("my_api", {
    name: "MyAPI",
    description: "API with IP whitelisting",
});
// Create a resource in the API
const myResource = new aws.apigateway.Resource("my_resource", {
    restApi: myApi.id,
    parentId: myApi.rootResourceId,
    pathPart: "myresource",
});
// Create the GET method. Authorization is NONE because the IP restriction is
// enforced by the resource policy below, not by an authorizer. The policy's
// aws:SourceIp check uses the address of the connection, not the
// X-Forwarded-For header that is merely accepted (optionally) here.
const myMethod = new aws.apigateway.Method("my_method", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: "GET",
    authorization: "NONE",
    requestParameters: {
        "method.request.header.X-Forwarded-For": false,
    },
});
// Every method needs an integration before the API can be deployed; a MOCK
// integration that answers 200 keeps this example self-contained.
const myIntegration = new aws.apigateway.Integration("my_integration", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: myMethod.httpMethod,
    type: "MOCK",
    requestTemplates: { "application/json": '{"statusCode": 200}' },
});
// 200 response for the GET method, wired to the mock integration
const myMethodResponse = new aws.apigateway.MethodResponse("my_method_response", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: myMethod.httpMethod,
    statusCode: "200",
});
const myIntegrationResponse = new aws.apigateway.IntegrationResponse("my_integration_response", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: myMethod.httpMethod,
    statusCode: myMethodResponse.statusCode,
});
// Customize the response callers receive when the resource policy rejects
// them. A resource-policy denial surfaces as ACCESS_DENIED (HTTP 403);
// UNAUTHORIZED is the 401 case for missing credentials, which cannot occur
// with authorization NONE.
const gatewayResponse = new aws.apigateway.Response("gateway_response", {
    restApiId: myApi.id,
    responseType: "ACCESS_DENIED",
    responseParameters: {
        "gatewayresponse.header.Access-Control-Allow-Origin": "'*'",
    },
});
// Allow only specific IPs using an API Gateway resource policy. The resource
// ARN must include region and account; myApi.executionArn already has the form
// arn:aws:execute-api:<region>:<account>:<api-id>, to which the stage, method
// and path wildcards are appended.
const myApiPolicy = new aws.apigateway.RestApiPolicy("my_api_policy", {
    restApiId: myApi.id,
    policy: pulumi.interpolate`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "${myApi.executionArn}/*/*/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["192.168.100.1/32", "203.0.113.0/24"]
        }
      }
    }
  ]
}`,
});
// Deploy the API. The deployment must follow the method, its integration and
// the resource policy: a policy attached or changed after deployment only
// takes effect once the API is redeployed.
const myDeployment = new aws.apigateway.Deployment("my_deployment", {
    restApi: myApi.id,
}, {
    dependsOn: [myIntegration, myIntegrationResponse, myApiPolicy],
});
// Create the prod stage for the deployment. The stage name lives here and not
// on the Deployment, so the two resources do not both try to create "prod".
const myStage = new aws.apigateway.Stage("my_stage", {
    restApi: myApi.id,
    deployment: myDeployment.id,
    stageName: "prod",
});
// Base URL of the protected endpoint
export const invokeUrl = myStage.invokeUrl;

Summary

This example demonstrates creating an API Gateway with IP address-based whitelisting. We defined a Rest API, resource, and method, attached a resource policy whose aws:SourceIp condition lists the permitted CIDR ranges, and deployed the API. This setup ensures that only requests arriving from the specified IP addresses can invoke the API endpoint. Note that the condition is evaluated against the source address API Gateway sees on the connection: if a proxy or CDN sits in front of the API, that proxy's address, not the end client's, is what the whitelist must match.
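To check an allowlist before deploying it, the following TypeScript is an added example that is not part of the original answer or of Pulumi's own code. It builds the same kind of resource policy document from a list of CIDRs, going one step beyond the program above by adding an explicit Deny/NotIpAddress statement next to the Allow, and then evaluates locally whether a given source IP would be admitted, applying IAM's rule that an explicit Deny beats any Allow. The function names, the sample execution ARN and the test addresses are assumptions made for this illustration; it runs offline without Pulumi or AWS.

```typescript
// Added example, not from the original answer or from Pulumi: build an
// API Gateway resource policy for an IP allowlist and evaluate locally which
// caller addresses it admits. Function names, the sample execution ARN and
// the test addresses below are assumptions made for this illustration.

type Effect = "Allow" | "Deny";

interface Statement {
    Effect: Effect;
    Principal: "*";
    Action: "execute-api:Invoke";
    Resource: string;
    Condition?: { [operator: string]: { "aws:SourceIp": string[] } };
}

interface PolicyDocument {
    Version: "2012-10-17";
    Statement: Statement[];
}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
    const parts = ip.split(".");
    if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
    return parts.reduce((acc, part) => {
        if (!/^\d{1,3}$/.test(part) || Number(part) > 255) throw new Error(`bad octet in ${ip}`);
        return ((acc << 8) | Number(part)) >>> 0;
    }, 0);
}

// Parse "a.b.c.d/n" (a bare address is read as /32, as IAM does) into the
// masked network base and the mask itself.
function parseCidr(cidr: string): { base: number; mask: number } {
    const slash = cidr.indexOf("/");
    const address = slash === -1 ? cidr : cidr.slice(0, slash);
    const prefixStr = slash === -1 ? "32" : cidr.slice(slash + 1);
    if (!/^\d{1,2}$/.test(prefixStr) || Number(prefixStr) > 32) throw new Error(`bad prefix in ${cidr}`);
    const prefix = Number(prefixStr);
    // JavaScript shift counts are taken mod 32, so /0 has to be special-cased.
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
    return { base: (ipv4ToInt(address) & mask) >>> 0, mask };
}

// True when ip lies inside the CIDR block.
function ipInCidr(ip: string, cidr: string): boolean {
    const { base, mask } = parseCidr(cidr);
    return ((ipv4ToInt(ip) & mask) >>> 0) === base;
}

// Build the resource policy. Besides the Allow/IpAddress statement used in the
// program on this page, an explicit Deny/NotIpAddress statement is added so
// that an Allow statement added later cannot quietly widen access.
function buildIpAllowlistPolicy(executionArn: string, allowedCidrs: string[]): PolicyDocument {
    allowedCidrs.forEach((c) => parseCidr(c)); // reject malformed entries before they reach AWS
    const resource = `${executionArn}/*/*/*`; // every stage, method and path
    return {
        Version: "2012-10-17",
        Statement: [
            { Effect: "Allow", Principal: "*", Action: "execute-api:Invoke", Resource: resource,
              Condition: { IpAddress: { "aws:SourceIp": allowedCidrs } } },
            { Effect: "Deny", Principal: "*", Action: "execute-api:Invoke", Resource: resource,
              Condition: { NotIpAddress: { "aws:SourceIp": allowedCidrs } } },
        ],
    };
}

// Decide a single caller the way IAM does: a matching Deny always wins,
// otherwise at least one matching Allow is required (default deny).
function isSourceIpAllowed(policy: PolicyDocument, sourceIp: string): boolean {
    const matches = (s: Statement): boolean => {
        const inList = s.Condition?.["IpAddress"]?.["aws:SourceIp"];
        const notInList = s.Condition?.["NotIpAddress"]?.["aws:SourceIp"];
        if (inList && !inList.some((c) => ipInCidr(sourceIp, c))) return false;
        if (notInList && notInList.some((c) => ipInCidr(sourceIp, c))) return false;
        return true;
    };
    if (policy.Statement.some((s) => s.Effect === "Deny" && matches(s))) return false;
    return policy.Statement.some((s) => s.Effect === "Allow" && matches(s));
}

// Constructed sample: a placeholder execution ARN and the two CIDRs from the
// program above. policyJson is the string that RestApiPolicy.policy would take.
const samplePolicy = buildIpAllowlistPolicy(
    "arn:aws:execute-api:us-east-1:123456789012:abcdef1234", // placeholder ARN
    ["192.168.100.1/32", "203.0.113.0/24"],
);
const policyJson = JSON.stringify(samplePolicy, null, 2);
const sampleDecisions = ["192.168.100.1", "192.168.100.2", "203.0.113.77", "198.51.100.9"]
    .map((ip) => `${ip}: ${isSourceIpAllowed(samplePolicy, ip) ? "allow" : "deny"}`);
console.log(policyJson);
console.log(sampleDecisions.join("\n"));
```

The local evaluator only models the IpAddress and NotIpAddress operators on aws:SourceIp, which is all this policy uses; it is a pre-deployment sanity check for the CIDR list, not a substitute for testing the deployed stage from inside and outside the allowed ranges.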
