Amazon API Gateway integration with AWS WAF

Introduction

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a front door for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application.

Amazon API Gateway supports several types of integrations with AWS services and third-party services. In this post, we will focus on the integration with AWS WAF. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.

Why use Amazon API Gateway integration with AWS WAF?

Amazon API Gateway integration with AWS WAF is a great way to protect your APIs from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your APIs by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.

Demo - Amazon API Gateway integration with AWS WAF by using AWS CDK

In this demo, we will create an API Gateway API with a single GET method that will return a JSON response. We will then create a WAF rule that will block requests from a specific IP address. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.

Create an API Gateway API

First, we will create an API Gateway API with a single GET method that will return a JSON response. We will use the AWS CDK to create the API Gateway API.

// lambda functionconst testFn = new NodejsFunction(this, 'MyFunction', {  entry: './function/index.ts',  runtime: lambda.Runtime.NODEJS_18_X,  handler: 'main',  bundling: {    externalModules: ['aws-sdk'],    minify: true,  },})// api gateway, this is just for testingconst api = new apigateway.LambdaRestApi(this, 'test-api', {  handler: testFn,  deployOptions: {    stageName: 'test',  },})

Create a WAF ACL and WAF Rule

Next, we will create a WAF ACL and a WAF Rule allowing only requests from a specific location. We will use the AWS CDK to create the WAF ACL and WAF Rule.

const webACL = new wafv2.CfnWebACL(this, 'webACL', {  name: 'webACL',  description: 'This is WebACL for Auth APi Gateway',  scope: 'REGIONAL', // or CLOUDFRONT for CloudFront  defaultAction: { block: {} }, // default action is block all request  visibilityConfig: {    cloudWatchMetricsEnabled: true,    metricName: 'webACL', // metric name for CloudWatch    sampledRequestsEnabled: true,  },  rules: [    {      name: `demo-api-auth-gateway-geolocation-rule`,      priority: 30,      action: { allow: {} },      visibilityConfig: {        metricName: `demo-AuthAPIGeoLocation`,        cloudWatchMetricsEnabled: true,        sampledRequestsEnabled: false,      },      statement: {        geoMatchStatement: {          countryCodes: ['US', 'VN'], // allow US and VN IP. You can add more country codes        },      },    },  ],})

This will create a WAF ACL with a single WAF Rule allowing only requests from a specific location(US and VN). We will then associate the WAF ACL with the API Gateway API.

// Web ACL Associationconst webACLAssociation = new wafv2.CfnWebACLAssociation(this, 'webACLAssociation', {  webAclArn: webACL.attrArn, // Web ACL ARN from above  // For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name  resourceArn: Fn.join('', [    'arn:aws:apigateway:', // service    Stack.of(this).region, // region    '::/restapis/', // resource type    api.restApiId, // api id    '/stages/', // resource type    api.deploymentStage.stageName, // stage name  ]),})// make sure api gateway is deployed before web ACL associationwebACLAssociation.node.addDependency(api)

This will associate the WAF ACL with the API Gateway API. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.

The code for this demo is available on GitHub. You can deploy the demo by running the following commands.

git clonecd apig-waf-cdkyarn installyarn deploy

Testing the API

After deploying the demo, we will test the API. We will use the following command to test the API.

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test

The response should be similar to the following.

{  "message": "Hello from Lambda!"}

Now, we will remove 'VN'(or your country code) from the WAF Rule and test the API again. We will use the following command to test the API.

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test

The response should be similar to the following.

{  "message": "Forbidden"}

The request is blocked because the request is from a location that is not allowed by the WAF Rule.

Conclusion

In this post, we have seen how to use Amazon API Gateway integration with AWS WAF by using AWS CDK. We have also seen how to test the API to see that the request is blocked.

The source code for this demo is available on GitHub.

That's all for now. Thanks for reading. If you have any questions or comments, please leave them below. I will try to answer them as soon as possible.

References

• AWS WAF Developer Guide
• AWS WAF API Reference
• AWS CDK