Limit access to lambda or api gateway to a specific vpc


is it possible to make an api gateway or lambda function accessible only by a specific vpc.

I searched in amazon doc, but I didn’t find anything about this subject.

Thank you in advance


Unfortunately, you won’t be able to do that (See update below).

s3 is the service which provides that kind of control access through Bucket policies.

What you can do is grant permissions to your callers (Lambda invoker and API caller).

Take a look at these resources:

UPDATE: Important comment from Michael – sqlbot

You might point out that the underlying reason why this isn’t possible is that both the Lambda service API and API Gateway are accessed from the Internet, which means the VPC identity of the caller is lost — however, the VPC can be identified indirectly by the EIPs of its NAT Gateways, which should be usable against the aws:sourceIp IAM policy condition key, indirectly restricting access to any machine behind those EIPs, thus only in the VPC. Maybe it’s a hack, maybe it’s a workaround.

Update 11/08/2018

Introducing Amazon API Gateway Private Endpoints

One of the biggest trends in application development today is the use of APIs to power the backend technologies supporting a product. Increasingly, the way mobile, IoT, web applications, or internal services talk to each other and to application frontends is using some API interface.

Alongside this trend of building API-powered applications is the move to a microservices application design pattern. A larger application is represented by many smaller application components, also typically communicating via API. The growth of APIs and microservices being used together is driven across all sorts of companies, from startups up through enterprises. The number of tools required to manage APIs at scale, securely, and with minimal operational overhead is growing as well.

Today, we’re excited to announce the launch of Amazon API Gateway private endpoints. This has been one of the most heavily requested features for this service. We believe this is going to make creating and managing private APIs even easier.

Private endpoints

Today’s launch solves one of the missing pieces of the puzzle, which is the ability to have private API endpoints inside your own VPC. With this new feature, you can still use API Gateway features, while securely exposing REST APIs only to the other services and resources inside your VPC, or those connected via Direct Connect to your own data centers.

enter image description here

Here’s how this works.

API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. When using private DNS, all traffic to that service is directed to the interface endpoint instead of through a default route, such as through a NAT gateway or public IP address.

API Gateway as a fully managed service runs its infrastructure in its own VPCs. When you interface with API Gateway publicly accessible endpoints, it is done through public networks. When they’re configured as private, the public networks are not made available to route your API. Instead, your API can only be accessed using the interface endpoints that you have configured.

enter image description here

Leave a Reply