https://serverless-stack.com/ logo
#help
Title
# help
s

Stiofán Ó Lorcáin

04/19/2022, 7:32 AM
Hey everyone, I'm trying to create a basic serverless-stack and I'm struggling with limiting access to my company's vpc. It's just an appsync api connected to a lambda get function that reads from a dynamodb. The lambda has the right VPC subnets which I'm setting in the appsync's
defaultFunctionProps
prop. But I'm not sure if this is restricting the appsync api to the VPC as well. Does anyone know if I need to apply the VPC config to the appsync as well? And if so, does anyone know how to do this?
f

Frank

04/19/2022, 3:36 PM
Hey @Stiofán Ó Lorcáin, just to clarify, are you looking to have the AppSync API endpoint only accessible from within a VPC?
s

Stiofán Ó Lorcáin

04/19/2022, 3:37 PM
Yes. It will only be used internally
f

Frank

04/19/2022, 3:40 PM
afaik there isn’t such concept of deploying an AppSync API “in a VPC”.
An AppSync api is always globally accessible, but u can protect it by adding auth
If you look at the
Using AWS WAF to protect APIs
option, u might be able to limit access from within an VPC.
And just to throw some ideas out, you could also try using the
AWS_LAMBDA Authorization
option to do some custom checks? Would checking request IP work?
s

Stiofán Ó Lorcáin

04/19/2022, 3:48 PM
Thanks @Frank. I think I saw that you can use Appsync to access VPC restricted resource and assumed you could limit Appsync to the VPC. I'll investigate both of your suggestions. I think the Lambda solution is possible but will need to double check.
Just as a follow up, this limitation is Appsync specific and not Graphql. So it would be possible to change over to an apollo server running in a lambda and restrict that to the VPC?
f

Frank

04/19/2022, 5:08 PM
AWS API Gateway has two restful api services: REST API and HTTP API (yes the naming is very confusing lol)
REST API is more feature rich, but cost a bit more and is a bit slower. It can create private APIs https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.html
HTTP API does not support private APIs.
As a side note, the
GraphQLApi
construct uses HTTP API behind the scene. If you’d like to use REST API, you’d want to use the
ApiGatewayV1Api
construct.
Let me know if that makes sense.
s

Stiofán Ó Lorcáin

04/20/2022, 12:45 PM
Yes, this makes sense thank you 🙂 I'm now discussing with my team how we will proceed but I think we'll be able to find a good solution for everything you've provided 😄
4 Views