Hey folks! I'm looking for advice on how to expose an internal on-premises web service using AWS in a secure way. I want to avoid direct exposure to the internet for this service (it handles HTTP + JSON and is already accessible from the web). Ideally, I'd like to implement some features like throttle limiting per client IP while keeping things straightforward.
The plan is to use AWS as a reverse proxy, so clients would send requests to AWS, which would then forward them to the on-prem server. I can whitelist an Elastic IP from AWS through the on-prem firewall, blocking everything else from the internet.
I'm considering options like CloudFront or API Gateway for implementation. CloudFront looks promising, especially when integrated with AWS WAF for rate limiting, but the cost for a static IP through anycast is pretty steep. API Gateway might work too, but does it support static IPs? Alternatively, I thought about using a network load balancer (NLB) – are those capable of throttle limiting? Any thoughts on the best approach based on these ideas would be greatly appreciated!
3 Answers
If you're comfortable with SSH and port forwarding, one way to go is to use an ALB pointing to a small EC2 instance running HAProxy. The public URL from the ALB can forward requests to your EC2 instance, which has a public IP. The on-premises setup can create an outbound SSH tunnel to this instance for secure access without exposing the on-prem environment. You can replace HAProxy with other port forwarding techniques if needed, and it works great with ALB and WAF for added security.
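To make the tunnel arrangement in this answer concrete, here is an added example (my own, not the answerer's code) of the three pieces involved: the outbound SSH command run on-prem, the `authorized_keys` restriction on the EC2 side, and a minimal `haproxy.cfg`. The hostname `proxy.example.com`, the user `tunnel`, the on-prem service address `127.0.0.1:8080` and the EC2 loopback port `18080` are all assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the original answer. Assumed values: the EC2
# instance is proxy.example.com, the on-prem service listens on 127.0.0.1:8080
# behind the corporate firewall, and the tunnel lands on EC2 loopback port 18080.
set -u
EC2_HOST="${EC2_HOST:-proxy.example.com}"
TUNNEL_USER="${TUNNEL_USER:-tunnel}"
ONPREM_SERVICE="${ONPREM_SERVICE:-127.0.0.1:8080}"
EC2_LOOPBACK_PORT="${EC2_LOOPBACK_PORT:-18080}"

# On-prem side: outbound SSH that publishes the internal service on the EC2
# instance's loopback only (explicit 127.0.0.1 bind, so the sshd GatewayPorts
# setting does not matter). -N: no shell; ExitOnForwardFailure: exit instead of
# silently running without the forward; keepalives let a supervisor or autossh
# notice a dead tunnel and restart it. Only the on-prem egress IP needs to be
# allowed on port 22 in the instance's security group.
tunnel_command() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:%s %s@%s\n' \
    "$EC2_LOOPBACK_PORT" "$ONPREM_SERVICE" "$TUNNEL_USER" "$EC2_HOST"
}

# EC2 side: authorized_keys entry for the tunnel key. "restrict" turns off pty,
# agent/X11 forwarding and command execution; "port-forwarding" re-enables
# forwarding; "permitlisten" (OpenSSH 7.8+) limits which -R binds the key may
# request, so a leaked key cannot open arbitrary listeners on the instance.
authorized_keys_line() {
  pubkey="$1"
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$EC2_LOOPBACK_PORT" "$pubkey"
}

# EC2 side: minimal haproxy.cfg. The ALB target group points at port 8080 on
# the instance (allow it only from the ALB's security group); HAProxy forwards
# to the tunnel endpoint on loopback. The ALB already appends the client
# address to X-Forwarded-For, so "if-none" only adds the header when missing.
haproxy_config() {
  cat <<EOF
global
    log stdout format raw local0
defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
frontend from_alb
    bind 0.0.0.0:8080
    default_backend onprem_tunnel
backend onprem_tunnel
    option forwardfor if-none
    server tunnel 127.0.0.1:${EC2_LOOPBACK_PORT} check
EOF
}

echo "# on-prem side, run under a supervisor:"
tunnel_command
echo "# EC2 side, ~tunnel/.ssh/authorized_keys (public key via TUNNEL_PUBKEY):"
authorized_keys_line "${TUNNEL_PUBKEY:-ssh-ed25519 AAAA...placeholder tunnel@onprem}"
echo "# EC2 side, /etc/haproxy/haproxy.cfg:"
haproxy_config
```

The point of the `permitlisten` clause is that the tunnel key is the one credential that has to live outside AWS; pinning it to a single loopback bind means compromise of that key gives an attacker a way to impersonate the on-prem service, but not a general-purpose pivot into the instance.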
I recommend using API Gateway along with an NLB over a secure connection like Direct Connect or a VPN. The API Gateway can help you manage inbound traffic with API keys for better control, while NLB allows for load balancing across your servers. This setup keeps costs manageable and leverages native AWS services effectively.
That’s a solid idea! I’ll look into setting up an IPsec tunnel to the VPC; it sounds like a good plan.
For static IP traffic, you can create a setup with CloudFront leading to a public NLB and then to your on-prem server. You can attach a security group to the NLB and allow only traffic from CloudFront's prefix list. If static IPs are necessary, consider using Global Accelerator in conjunction with an Application Load Balancer (ALB) for that purpose. If you prefer more control, CloudFront with an EC2 origin is also an option, but might not be as managed as others.
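As an added example (my own, not the answerer's code) of the CloudFront-only security group described here, together with the per-client-IP rate limit the question asked for, the script below resolves the AWS-managed `com.amazonaws.global.cloudfront.origin-facing` prefix list, builds the ingress rule for the NLB's security group, and builds a WAFv2 rate-based rule for a CloudFront-scope web ACL. The security group ID `sg-0123456789abcdef0`, the origin port 443 and the limit of 300 requests per five minutes are assumed placeholders; nothing is applied unless `APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example, not code from the original answer. Assumes an existing NLB
# security group (SG_ID), the NLB listening on 443, and AWS CLI v2 configured
# with ec2:DescribeManagedPrefixLists, ec2:AuthorizeSecurityGroupIngress and
# wafv2:CreateWebACL. Placeholder values are marked below.
set -eu
SG_ID="${SG_ID:-sg-0123456789abcdef0}"   # placeholder, replace with the NLB's SG
ORIGIN_PORT="${ORIGIN_PORT:-443}"
RATE_LIMIT="${RATE_LIMIT:-300}"           # requests per 5-minute window per client IP

# CloudFront publishes its origin-facing CIDRs as an AWS-managed prefix list.
# Referencing the list by ID keeps the security group current when CloudFront
# adds ranges, which a hard-coded CIDR list would not.
cloudfront_prefix_list_id() {
  aws ec2 describe-managed-prefix-lists \
    --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing \
    --query 'PrefixLists[0].PrefixListId' --output text
}

# Ingress rule in the CLI's shorthand syntax: TCP to the origin port, source =
# the prefix list, nothing else. Anything that is not CloudFront is dropped at
# the NLB, so the on-prem firewall only ever sees traffic that came via AWS.
ingress_permissions() {
  pl_id="$1"
  printf 'IpProtocol=tcp,FromPort=%s,ToPort=%s,PrefixListIds=[{PrefixListId=%s,Description="CloudFront origin-facing only"}]\n' \
    "$ORIGIN_PORT" "$ORIGIN_PORT" "$pl_id"
}

# WAFv2 rule document: a rate-based statement keyed on the client IP, blocking
# once a single source exceeds RATE_LIMIT requests in the default 5-minute
# evaluation window. This is the "throttle per client IP" from the question,
# enforced at the edge before the request reaches the NLB.
rate_rule_json() {
  cat <<EOF
[
  {
    "Name": "per-ip-rate-limit",
    "Priority": 0,
    "Statement": {
      "RateBasedStatement": {
        "Limit": ${RATE_LIMIT},
        "AggregateKeyType": "IP"
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "PerIpRateLimit"
    }
  }
]
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
  PL_ID="$(cloudfront_prefix_list_id)"
  aws ec2 authorize-security-group-ingress \
    --group-id "$SG_ID" --ip-permissions "$(ingress_permissions "$PL_ID")"
  # CloudFront-scope web ACLs must be created in us-east-1.
  aws wafv2 create-web-acl --name onprem-proxy-acl --scope CLOUDFRONT --region us-east-1 \
    --default-action Allow={} --rules "$(rate_rule_json)" \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=OnpremProxyAcl
else
  echo "Dry run (set APPLY=1 to execute). Security group ingress that would be added:"
  ingress_permissions "pl-placeholder"
  echo "WAF rule that would be created:"
  rate_rule_json
fi
```

Two caveats worth knowing before applying this: the CloudFront managed prefix list carries a large weight against the per-security-group rule quota, so check the quota on the account first; and a CloudFront-scope web ACL is not attached with `associate-web-acl` but by setting its ARN as `WebACLId` in the distribution's configuration, so the rule does nothing until that update is made.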
Thanks for the insight! I appreciate the focus on managed services; I want to keep it as simple as possible.
Thanks for the suggestion! I might set up a small EC2 instance as a reverse proxy instead of going all out with custom configurations.