How to make server endpoints private for my gamelift servers?

Question

Hi,

I have API endpoints for writing the score of players after each game from the server. So my worry is, how can I make sure only the server is authorized to invoke the api? Is a resource policy is enough for securing the endpoint with access only for the gamelift fleet or can  do a vpc pering with a vpc link> When creating vpc link for restAPI, I came to know that a load balancer is needed. But I dont have any servers to add to a target group that will be added to the NLB as my servers are gamelift managed fleet and only those servers needs to have access on the sensitive endpoints i mentioned. Any thought on bestoractices would be helpful.

Thanks

Answer

Hi,

You can create a new IAM role that all instances in the fleet will assume to access your API Gateway (_AWS Console: Create Fleet | Define fleet details | Additional details | Instance role_). See [Communicate with other AWS resources from your fleets](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html) for more details.

While creating the role you can define a policy that will allow fleet instances to communicate with the API Gateway instance. Additionally you can configure API Gateway endpoints to enforce IAM based authorization for the clients, thus all client requests to the API endpoints will have to be digitally signed with the [SigV4](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) signature. See [Control access for invoking an API](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html) and [How Amazon API Gateway works with IAM](https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html) for more details.

Regards.

How to make server endpoints private for my gamelift servers?

Relevant content