Amazon API Gateway Mutual TLS with DEMO | Custom Domain vs. Custom Domain Mutual TLS (mTLS)

Captions
Hello guys and girls, Raj here, back with another video. In this video we are going to discuss another brand new feature of API Gateway which is used a lot in real-world projects but not in your practice projects: custom domain mutual TLS for API Gateway. First we'll start with what the difference is between invoking an API using a vanilla endpoint, versus invoking it with a custom domain, versus using mutual TLS. Then we'll go over the mutual TLS design flow and steps, and as always we will have a demo to see our learnings in action.

So when you deploy an API in API Gateway, API Gateway gives you an invocation URL, and if you invoke using that URL there is no certificate validation. It's still HTTPS communication, but there is no validation of the client to the server or the server to the client. What do I mean by that? Let's say all your API calls are supposed to come from, let's say, www.google.com, but since there are no certificate validations, anyone or any domain can call this API and it will get executed. Of course, on top you can add authentication with Cognito, but even then there is no certificate validation.

Now moving to custom domain. This feature is used extensively in real-world scenarios. When you deploy an API in API Gateway it gives you this cryptic URL, and if you change something down the line the URL will change. So the problem in real enterprise applications is, if the API URL is changing, you don't want to go and change all the applications that are invoking the API, right? Because if you invoke the API using this URL and it changes, all the applications that are calling these URLs need to go change their code or some parameter somewhere. Going further, let's say today you are using API Gateway for the API; maybe tomorrow you want to move away from Amazon API Gateway to another API platform, or maybe you want to move to containers and expose it using a load balancer. With this raw invoke URL you have to keep changing the URL. Instead, with a custom domain you create a DNS name, so in this case let's say https://agentofchange.net, and then /myfirstlambda, or maybe /get, /put, and this custom domain will point to this invocation URL. Even if you change it down the line, let's say this API changes or you remove this API Gateway and put a container, all the calling applications can still keep calling this custom domain; the backend will just keep pointing this domain to a different backend URL. So if you implement a load balancer pointing to EKS, you can just point this DNS to that load balancer URL and that would start working.

And since we have a DNS name, any time there is DNS involved there is a certificate. So this is also HTTPS communication, but now the client validates the server. Any time a user using a browser or an application invokes this API, Amazon API Gateway will send the certificate for this custom domain to the client and the client will validate it under the hood. However, in this case the server does not validate the client. The client who is calling the API is validating the server, but Amazon API Gateway is not validating who is calling it. So again, going back to that example, if you are only expecting the API to be invoked from www.google.com, API Gateway is not validating it. I actually have a detailed video on custom domains where I go into detail on the design flow along with a demo, so check out that video if you want to learn about that.

Moving on to custom domain with mutual TLS: in this case it is HTTPS communication, the client validates the server, and the server validates the client as well. So API Gateway will pass the certificate to the client, the client will also pass a certificate to API Gateway, and API Gateway will validate whether it is coming from a particular client, let's say www.google.com. If it is not, it will reject it. So when do you use it? This is generally used for business-to-business or server-to-server communication. This is not used over a regular thin client communication; if you just have an API endpoint and a custom domain, that's generally enough to call over any URL or browser. But if you need API Gateway to validate the client, which is acting as a server as well, then you do this custom domain mutual TLS. This is gaining a lot of popularity, especially, like I said, for server-to-server communication as an extra layer of validation.

So how does the flow look with custom domain with mutual TLS? We have this DNS name, https://lambdaapi.com; we assume it is a Route 53 domain and we have a DNS entry for it in Route 53. Any traffic coming into https://lambdaapi.com will be routed to API Gateway, and API Gateway will route that traffic to the API endpoint. Since we have a custom domain, we have a certificate for this domain saved in Amazon Certificate Manager. In addition we will also have a client certificate. In this case the client will be, let's say, another server which has a certificate, and API Gateway has to save the root certificate that it is going to validate the client certificate against. So in this case we are saving the root certificate in an S3 bucket. If you are wondering why for the custom domain we are using Certificate Manager but for the client we are using S3, it's because in AWS, if you generate a certificate using Certificate Manager you have to store it in Certificate Manager, but since the client certificate is not generated using Certificate Manager it can be saved in S3. So when the API gets invoked, API Gateway sends this custom domain certificate to the client, the client sends its certificate to API Gateway, API Gateway validates this certificate against the stored root certificate, and if everything is good the call is approved.

All right, so let's see this in action with a demo. Just a couple of things to keep in mind if you are following me in this demo: Amazon Certificate Manager can be expensive, 400 dollars per private certificate after the free tier expires. Public certificates are a very minimal charge, but for private certificates it's 400 bucks after a month. And then there are a lot of steps involved, so you can choose to follow me or just watch online. With that being said, let's jump into the demo. For this demo I'm going to use this blog from AWS. Let's open my trusty Visual Studio Code as well; I have the instructions and Visual Studio Code side by side.

First, I'm going to create a new directory, api-openssl, then go to that directory and run these two commands. For these commands you will be asked to input some of the parameters like country name, state name, etc.; you can give values that are applicable for you. So if I do ls we should see the root certificate created. Once the CA certificates are created we can create the client certificate for use with authentication. To generate that, again I'm just going to copy this command and paste it here. I'm just going to type the defaults and keep the challenge password empty. Now we'll sign the newly created client certificate using the certificate authority that we previously created. So if I do ls now, you can see I have five files in my directory.

Next we are going to prepare a PEM-encoded truststore file for all certificate authority public keys that we want to use with mutual TLS. We are just using a single root certificate authority, so I'm just going to copy this root certificate authority to this truststore.pem. Next we are going to upload this truststore file to an Amazon S3 bucket. First we are creating a new bucket, so we're going to change the region; in my case I'm using us-west-2. I'm just going to name it "agent of change CA truststore". Then we are going to enable versioning; I'm going to put the name of the bucket. All right, versioning is enabled. And finally I'm going to copy this truststore.pem file from my local directory to S3. All right, it's copied, so it completed the upload.

So now we are going to the API Gateway console. At this point we already have a custom domain created; again, if you want to know how to create a custom domain and link it to your API, please watch my other video, I'll give a link up top. Let's click our agentofchange.net. They want us to test it before we put mutual TLS on, so our domain name is agentofchange.net. I ran agentofchange.net/myfirstlambda and it works; it calls the API using the custom domain URL name. Note that when I'm just calling using this custom domain, I'm not passing any certificate, and the only reason it is working is because we haven't enabled mutual TLS yet. We'll run the same test after we enable it, and that time, if we do not pass the certificate, it should fail.

Going back to API Gateway. I'm just going to make this a little bigger so it's a little easier to see; I'm going to flip back and forth at this point because it's difficult to see in API Gateway because of the layout. Under the domain details we click Edit, and here we select mutual TLS authentication. For the truststore URI you have to give the S3 bucket, so in our case we are just going to copy this from Visual Studio Code and put it here. Click Save. It says something about the default endpoint: basically, if the default endpoint is enabled, your customers can call this API using this custom domain but also using the API endpoint that API Gateway creates for you, and that default API Gateway-created invoke endpoint does not require you to pass mutual TLS certificates. So the recommendation is you should disable the default endpoint. Here is our API; you can see the default endpoint is enabled. Click Edit, then under default endpoint click Disabled, click Save.

So let's do this. Let's first call the actual API endpoint, the default endpoint; this should not work, so let's see what happens. I'm going to right-click, open link in new window. It says "message not found", so this is good. Now we are going to call our custom domain. Before we actually call with the certificate: if you don't do mutual TLS, you do not have to pass a certificate, right? Because the server is not trying to validate the client. So if we did not have this mutual TLS and we called the custom domain, it would work, as I showed before. However, if we do the same thing now, agentofchange.net/myfirstlambda, this should fail, because we enabled mutual TLS and we are not passing any certificate with this call. Now you can see the message "forbidden". So now we are going to pass the certificate, and then that should work. Going back to Visual Studio Code, make this bigger; our API name is agentofchange.net/myfirstlambda. All right, let's try it out. Here we go, now it works, because now we are passing the cert and key. So again, if we go back, delete these two and run the curl, this will give an error; this will be equivalent to just calling it from the website, just pasting the custom domain in the URL and trying to run it.

All right guys and girls, that's the video. If you liked this video, if you found this video useful, please click that big fat like button and subscribe; that will help this channel grow. I also have a couple of courses on Udemy on serverless which cover lectures like this and much more; check them out if you're interested. And with that being said, I'll see you guys and girls in the next video. Bye.
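As an added example (not the video's own commands or the AWS blog's script), the shell script below carries the OpenSSL part of the demo end to end: it builds a private root CA, issues a client certificate from it, assembles the PEM truststore that the video uploads to S3, and then checks locally that the client certificate chains to the truststore while a certificate from an unrelated CA does not, which is the validation API Gateway performs once mutual TLS is enabled on the custom domain. The scratch directory, subject names, file names and the domain passed to the curl helper are assumptions.

```shell
#!/bin/sh
# Added example, not the video's own commands: root CA -> client cert ->
# truststore.pem, plus a local check of what API Gateway validates under mTLS.
set -eu
WORK="${WORK:-$(mktemp -d)}"       # scratch directory (assumption)

make_ca() {
  # self-signed root CA; this is the "root certificate" the truststore will hold
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=demo-root-ca" \
    -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.pem" 2>/dev/null
}

make_client_cert() {
  # client key + CSR (no challenge password), then sign the CSR with the root CA
  openssl req -nodes -newkey rsa:2048 -subj "/CN=demo-client" \
    -keyout "$WORK/my_client.key" -out "$WORK/my_client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/my_client.csr" -CA "$WORK/RootCA.pem" \
    -CAkey "$WORK/RootCA.key" -CAcreateserial -days 365 \
    -out "$WORK/my_client.pem" 2>/dev/null
}

make_rogue_cert() {
  # a client cert from a CA that is NOT in the truststore (constructed negative case)
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=rogue-client" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

make_truststore() {
  # truststore.pem = every CA certificate API Gateway should accept, concatenated;
  # this is the file the video uploads to S3 and references as the truststore URI
  cat "$WORK/RootCA.pem" > "$WORK/truststore.pem"
}

verify_client() {
  # prints OK when $1 chains to a CA in truststore.pem, FAIL otherwise
  if openssl verify -CAfile "$WORK/truststore.pem" "$1" >/dev/null 2>&1; then
    echo OK; else echo FAIL; fi
}

invoke_with_mtls() {
  # $1 = custom domain (assumption), $2 = resource path; without --cert/--key
  # API Gateway answers 403 Forbidden once mTLS is enabled on the domain
  curl --cert "$WORK/my_client.pem" --key "$WORK/my_client.key" "https://$1/$2"
}

make_ca; make_client_cert; make_rogue_cert; make_truststore
echo "trusted client: $(verify_client "$WORK/my_client.pem")"   # OK
echo "rogue client:   $(verify_client "$WORK/rogue.pem")"       # FAIL
```

Requires an OpenSSL 1.1.1 or newer binary on PATH; the curl helper is only for use against a real custom domain and is not exercised by the script itself.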
Info
Channel: Cloud With Raj
Views: 6,103
Id: qdVuWxWzBLw
Length: 16min 32sec (992 seconds)
Published: Wed Jan 13 2021