I want to allow only specific IP addresses access to my Amazon API Gateway REST API.
Short description
To allow only specific IP addresses to access your REST API, create a resource policy that denies access to all other IP addresses.
After you attach the resource policy to your REST API, users with permissions can call the API from specified IP addresses. Your API denies calls from any other IP addresses and shows an "HTTP 403 Forbidden" error.
To block specific IP addresses and allow access to all others, see Example: Deny API traffic based on source IP address or range.
Note: You can use resource policies for API Gateway HTTP APIs.
Resolution
Set up an API method
To test access, use your existing API Gateway REST API or create an example REST API. If you use the PetStore example API, then proceed to Create and attach a resource policy.
To create a mock integration for your existing REST API, complete the following steps:
- Open the API Gateway console.
- Choose your REST API.
- In the Resources pane, under Methods, choose Create method.
- For Method type, select ANY.
- For Integration type, choose Mock.
Note: The mock integration responds to any request that reaches it.
- Choose Create method.
Create and attach the resource policy
Complete the following steps:
- Open the API Gateway console.
- Choose your REST API.
- In the navigation pane, choose Resource policy.
- Choose Create policy.
- For Resource policy, enter the following resource policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": ["sourceIpOrCIDRBlock", "sourceIpOrCIDRBlock"]
                }
            }
        }
    ]
}
Note: Replace sourceIpOrCIDRBlock with the IP addresses that you want to grant access to. Use CIDR notation to specify a range of IP addresses, for example ["52.95.36.0/22", "15.230.39.196/31", "52.93.178.219/32"]. The aws:SourceIp condition key works only for public IP address ranges. To allow access from private IP address ranges, use the aws:VpcSourceIp condition key instead. For aws:VpcSourceIp, enter the private IP address of the HTTP client that invokes your private API endpoint through the interface virtual private cloud (VPC) endpoint. Private API endpoints in API Gateway can be invoked only through an interface VPC endpoint.
- Choose Save changes.
To find the private IP addresses that call your REST API, check the Amazon CloudWatch Logs. For more information, see Tutorial: View CloudWatch Logs.
Deploy your API
Complete the following steps:
- Open the API Gateway console.
- Choose your REST API.
- In the Resources pane of your REST API, choose Deploy API.
- For Deployment stage, choose New stage.
- For Stage name, enter a name. For example, enter v1 or demo.
- Choose Deploy.
Important: You must redeploy your REST API each time that you change its resource policy.
Test the resource policy
Based on your operating system (OS), run one of the following commands from an environment whose IP address is allowed by the policy.
Linux, Unix, and macOS environments:
curl -IX GET https://yourInvokeUrl/
Windows PowerShell:
curl https://yourInvokeUrl/
Note: Replace https://yourInvokeUrl/ with your REST API's invoke URL.
If you configured the resource policy correctly, then the allowed environment receives an "HTTP 200 OK" response. Rerun the same command from an environment whose IP address is not in the allow list. That denied environment should receive an "HTTP 403 Forbidden" error.
To test your resource policy, you can also use the Postman app on the Postman website.
Note: If you don't have access to multiple environments, then launch an Amazon Elastic Compute Cloud (Amazon EC2) instance. Then, add the instance's IP address to your API's resource policy and redeploy your API.
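The following script is an added example and is not part of this article or of AWS's own tooling. It ties the three steps above together: it builds the Allow-all / Deny-NotIpAddress policy from a list of CIDR blocks (validating each block with the standard library's ipaddress module so a typo fails locally rather than at deploy time), evaluates a candidate source IP against that policy the way API Gateway's resource-policy logic does (an explicit Deny always wins over the Allow, and a request that matches no Allow is implicitly denied), and optionally attaches the policy and redeploys a stage through boto3, which is the API equivalent of the console steps. The CIDR values, the rest API ID, stage name and invoke URL are constructed placeholders; boto3, AWS credentials and network access are assumed only for the two functions that need them.

```python
"""Build, evaluate, attach and probe an API Gateway IP-allowlist resource policy (added example)."""
import ipaddress
import json
import urllib.error
import urllib.request

# Constructed sample allow list, same shape as the article's example values.
ALLOWED_CIDRS = ["52.95.36.0/22", "15.230.39.196/31", "52.93.178.219/32"]


def build_policy(cidrs):
    """Return the article's Allow-all / Deny-NotIpAddress policy as a dict.

    Each entry is parsed with ipaddress.ip_network and normalised to its network
    address (strict=False), so "10.0.0.5/24" becomes "10.0.0.0/24" and a malformed
    entry raises ValueError before anything is sent to AWS.
    """
    normalised = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*/*/*",
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*/*/*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": normalised}},
            },
        ],
    }


def _ip_in_any(source_ip, cidrs):
    """True if source_ip falls inside any of the CIDR blocks (IPv4/IPv6 never cross-match)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp; anything else fails closed."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        cidrs = keys.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        in_list = _ip_in_any(source_ip, cidrs)
        # IpAddress matches when the IP is in the list, NotIpAddress when it is not.
        if (operator == "IpAddress") != in_list:
            return False
    return True


def is_invoke_allowed(policy, source_ip):
    """Simplified resource-policy evaluation for execute-api:Invoke.

    A matching Deny statement always wins; otherwise a matching Allow grants access;
    with no matching statement the result is an implicit deny (HTTP 403).
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def attach_and_deploy(rest_api_id, stage_name, policy, region="us-east-1"):
    """Attach the policy and create a new deployment (a policy change needs a redeploy).

    Assumes boto3 and AWS credentials; boto3 is imported lazily so the rest of the
    module works without it. Returns the new deployment ID.
    """
    import boto3
    client = boto3.client("apigateway", region_name=region)
    client.update_rest_api(
        restApiId=rest_api_id,
        patchOperations=[{"op": "replace", "path": "/policy", "value": json.dumps(policy)}],
    )
    return client.create_deployment(restApiId=rest_api_id, stageName=stage_name)["id"]


def probe(invoke_url, timeout=10):
    """GET the invoke URL (the curl step) and return the HTTP status: 200 allowed, 403 denied."""
    request = urllib.request.Request(invoke_url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    policy = build_policy(ALLOWED_CIDRS)
    print(json.dumps(policy, indent=2))
    for ip in ("52.95.37.10", "52.95.40.1", "2001:db8::1"):
        print(ip, "allowed" if is_invoke_allowed(policy, ip) else "denied (403)")
    # Replace the placeholders below with a real API ID, stage and invoke URL to use the AWS steps:
    # attach_and_deploy("REST_API_ID_PLACEHOLDER", "v1", policy)
    # print(probe("https://yourInvokeUrl/"))
```

Run the evaluator against the exact policy you intend to upload before deploying it: because the Deny statement carries the condition, a mistake that leaves the allow list empty or malformed does not open the API up, it locks everyone out, which is the safer failure but still an outage. Remember that aws:SourceIp only sees public addresses; traffic arriving through an interface VPC endpoint needs aws:VpcSourceIp, as the note above explains.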
Related information
Create and attach an API Gateway resource policy to an API
API Gateway resource policy examples
Access policy language overview for Amazon API Gateway
Control and manage access to REST APIs in API Gateway