How do I apply IP address-based whitelisting on API Gateway?
To whitelist IP addresses on an API Gateway REST API, you attach a resource policy whose aws:SourceIp condition restricts which source addresses may invoke the API. Here, we'll define an API Gateway resource with a GET method and attach an IP whitelist policy to the API that exposes it.
Explanation
We'll create the following resources:
- API Gateway Rest API: This is where our API is defined.
- Resource: Represents a resource within the API Gateway.
- Method: Defines the method for the resource (e.g., GET) that the whitelist protects.
- Resource Policy: The IP whitelist itself, an IAM-style policy whose aws:SourceIp condition lists the permitted addresses.
- Gateway Response: Customizes the response returned when a request is rejected.
- Deployment: Deploys the API.
- Stage: Specifies the stage of the deployment (e.g., production).
The core link between the IP whitelisting and API Gateway is the resource policy attached to the REST API (aws.apigateway.RestApiPolicy in the program below): its aws:SourceIp condition decides which source addresses may call execute-api:Invoke. The AWS::ApiGateway::Method and AWS::ApiGateway::MethodResponse resources define the endpoint being protected, not the restriction itself, and the policy only takes effect once the API is deployed.
Program
```typescript
import * as aws from "@pulumi/aws";

// Create a new API Gateway REST API
const myApi = new aws.apigateway.RestApi("my_api", {
    name: "MyAPI",
    description: "API with IP whitelisting",
});

// Create a resource in the API
const myResource = new aws.apigateway.Resource("my_resource", {
    restApi: myApi.id,
    parentId: myApi.rootResourceId,
    pathPart: "myresource",
});

// Create the GET method that the whitelist will protect.
// The X-Forwarded-For header is only declared as an optional request parameter here;
// aws:SourceIp in the resource policy is taken from the client connection, not from this header.
const myMethod = new aws.apigateway.Method("my_method", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: "GET",
    authorization: "NONE",
    requestParameters: {
        "method.request.header.X-Forwarded-For": false,
    },
});

// A method must have an integration or the deployment fails;
// a MOCK integration returns a fixed response without any backend.
const myIntegration = new aws.apigateway.Integration("my_integration", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: myMethod.httpMethod,
    type: "MOCK",
    requestTemplates: {
        "application/json": '{"statusCode": 200}',
    },
});

// 200 method response (this does not enforce the whitelist; the resource policy below does)
const methodResponse200 = new aws.apigateway.MethodResponse("method_response_200", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: myMethod.httpMethod,
    statusCode: "200",
});

// Map the MOCK integration's result onto the 200 method response
const integrationResponse200 = new aws.apigateway.IntegrationResponse("integration_response_200", {
    restApi: myApi.id,
    resourceId: myResource.id,
    httpMethod: myMethod.httpMethod,
    statusCode: methodResponse200.statusCode,
    responseTemplates: {
        "application/json": '{"message": "ok"}',
    },
}, { dependsOn: [myIntegration] });

// Customize the 403 returned when the resource policy rejects the source IP.
// Resource-policy denials use the ACCESS_DENIED gateway response, not UNAUTHORIZED (401).
const gatewayResponse = new aws.apigateway.Response("gateway_response", {
    restApiId: myApi.id,
    responseType: "ACCESS_DENIED",
    statusCode: "403",
    responseParameters: {
        "gatewayresponse.header.Access-Control-Allow-Origin": "'*'",
    },
});

// Allow only specific IPs using an API Gateway resource policy.
// "execute-api:/*/*/*" is the resource-policy shorthand for every stage, method and
// path of this API, so the ARN does not need the region, account or API id.
// An Allow with an IpAddress condition is implicitly denied for other callers; the explicit
// Deny with NotIpAddress additionally blocks callers that some other policy would allow.
const allowedIps = ["192.168.100.1/32", "203.0.113.0/24"];
const myApiPolicy = new aws.apigateway.RestApiPolicy("my_api_policy", {
    restApiId: myApi.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: "*",
                Action: "execute-api:Invoke",
                Resource: "execute-api:/*/*/*",
                Condition: { IpAddress: { "aws:SourceIp": allowedIps } },
            },
            {
                Effect: "Deny",
                Principal: "*",
                Action: "execute-api:Invoke",
                Resource: "execute-api:/*/*/*",
                Condition: { NotIpAddress: { "aws:SourceIp": allowedIps } },
            },
        ],
    }),
});

// Deploy the API. The resource policy only takes effect on deployment, so the
// deployment depends on the policy as well as on the method's integration.
// (stageName is not set here; the Stage resource below owns the "prod" stage.)
const myDeployment = new aws.apigateway.Deployment("my_deployment", {
    restApi: myApi.id,
}, {
    dependsOn: [myIntegration, integrationResponse200, myApiPolicy],
});

// Create the "prod" stage for the deployment
const myStage = new aws.apigateway.Stage("my_stage", {
    restApi: myApi.id,
    deployment: myDeployment.id,
    stageName: "prod",
});

// Export the invoke URL of the stage so the whitelist can be tested after `pulumi up`
export const invokeUrl = myStage.invokeUrl;
```
Summary
This example demonstrates creating an API Gateway with IP address-based whitelisting. We defined a Rest API, resource, and method, added whitelisting policies using resource policies, and deployed the API. This setup ensures that only requests from the specified IP addresses are allowed to access the API endpoint.
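As an added check that is not part of the Pulumi program above, the following evaluator applies the aws:SourceIp conditions of a resource policy offline, using the rule API Gateway applies to anonymous callers (explicit Deny, then explicit Allow, otherwise implicit Deny), so an allow-list can be verified before it is deployed. It handles IPv4 only; the policy object and the test addresses are constructed for this example.

```typescript
// Minimal types for the parts of an API Gateway resource policy evaluated here.
type IpCond = { "aws:SourceIp": string | string[] };
type Statement = { Effect: "Allow" | "Deny"; Condition?: { IpAddress?: IpCond; NotIpAddress?: IpCond } };
type Policy = { Statement: Statement[] };

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
    const p = ip.split(".").map(Number);
    if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
        throw new Error(`invalid IPv4 address: ${ip}`);
    }
    return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True when ip lies inside cidr ("203.0.113.0/24"); a bare address is treated as /32.
function ipInCidr(ip: string, cidr: string): boolean {
    const [net, bitsStr] = cidr.split("/");
    const bits = bitsStr === undefined ? 32 : Number(bitsStr);
    if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix: ${cidr}`);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Does the statement's condition (if any) hold for this source IP?
// IpAddress requires a match in the list; NotIpAddress requires no match.
function conditionMatches(s: Statement, sourceIp: string): boolean {
    const anyMatch = (v?: string | string[]) =>
        v === undefined ? undefined : (Array.isArray(v) ? v : [v]).some(c => ipInCidr(sourceIp, c));
    if (anyMatch(s.Condition?.IpAddress?.["aws:SourceIp"]) === false) return false;
    if (anyMatch(s.Condition?.NotIpAddress?.["aws:SourceIp"]) === true) return false;
    return true;
}

// Decision for an anonymous caller: a matching Deny wins, then a matching Allow,
// otherwise the request is implicitly denied.
function evaluate(policy: Policy, sourceIp: string): "Allow" | "Deny" {
    const matching = policy.Statement.filter(s => conditionMatches(s, sourceIp));
    if (matching.some(s => s.Effect === "Deny")) return "Deny";
    return matching.some(s => s.Effect === "Allow") ? "Allow" : "Deny";
}

// The allow-list statement from the resource policy above, as plain JSON (constructed here).
const whitelistPolicy: Policy = {
    Statement: [{ Effect: "Allow", Condition: { IpAddress: { "aws:SourceIp": ["192.168.100.1/32", "203.0.113.0/24"] } } }],
};

console.log(evaluate(whitelistPolicy, "203.0.113.7"), evaluate(whitelistPolicy, "198.51.100.5")); // Allow Deny
```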