How to create IP-protected endpoints with API Gateway and Lambda

Check out my new course Learn you some Lambda best practice for great good! and learn the best practices for performance, cost, security, resilience, observability and scalability.

If you haven’t been paying close attention you might have missed the API Gateway announcement for resource policies. It later played a key role in supporting API Gateway private endpoints – a way to put your API inside a private VPC.

To configure resource policies with the Serverless framework, you need to upgrade to v1.28.0 or later. If you want to restrict access to the GET /index.html endpoint to the IP 217.128.123.174, you need the following.

provider:
  name: aws
  runtime: nodejs8.10
  resourcePolicy:
    - Effect: Allow
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/GET/index.html
      Condition:
        IpAddress:
          aws:SourceIp:
            - 217.128.123.174

Nice and easy!

There are a couple of things to note:

  • You can implement IP blacklisting by changing Effect to Deny.
  • If you change the resource policy in the API Gateway console, it won’t take effect until you deploy the API. No such worries with the serverless framework, as sls deploy would deploy the API for you as part of the CloudFormation update.
  • You can mix IP and IAM conditions for different endpoints in the same API. But, IP and IAM conditions don’t work for a private API, which is not publicly accessible and is required for VPC private endpoints.
  • When you access the API from EC2 or ECS, you need to whitelist the public IP of the instance, or the NAT Gateway if the instance is not associated with a public IP.

After you set up IP whitelisting on the endpoint, you will get an error like this if you attempt to access it from an IP that has not been whitelisted.

{
  "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-central-1:********3770:io75qg1rvf/test/GET/index.html"
}
Liked this article? Support me on Patreon and get direct help from me via a private Slack channel or 1-2-1 mentoring.
Subscribe to my newsletter


Hi, I’m Yan. I’m an AWS Serverless Hero and the author of Production-Ready Serverless.

I specialise in rapidly transitioning teams to serverless and building production-ready services on AWS.

Are you struggling with serverless or need guidance on best practices? Do you want someone to review your architecture and help you avoid costly mistakes down the line? Whatever the case, I’m here to help.

Hire me.


Check out my new podcast Real-World Serverless where I talk with engineers who are building amazing things with serverless technologies and discuss the real-world use cases and challenges they face. If you’re interested in what people are actually doing with serverless and what it’s really like to be working with serverless day-to-day, then this is the podcast for you.


Check out my new course, Learn you some Lambda best practice for great good! In this course, you will learn best practices for working with AWS Lambda in terms of performance, cost, security, scalability, resilience and observability. We will also cover latest features from re:Invent 2019 such as Provisioned Concurrency and Lambda Destinations. Enrol now and start learning!


Check out my video course, Complete Guide to AWS Step Functions. In this course, we’ll cover everything you need to know to use AWS Step Functions service effectively. There is something for everyone from beginners to more advanced users looking for design patterns and best practices. Enrol now and start learning!


Are you working with Serverless and looking for expert training to level-up your skills? Or are you looking for a solid foundation to start from? Look no further, register for my Production-Ready Serverless workshop to learn how to build production-grade Serverless applications!

Find a workshop near you