This section shows how to use Okta as the authorizer for an AWS private REST API. The Datawiza Access Broker (DAB) runs on an EC2 instance in the same VPC as an interface endpoint for API Gateway; it validates the Okta token on every request and forwards only authorized requests to the private API, which cannot be reached from the internet at all. Several steps are involved:

1. Create and configure EC2
2. Create and configure a VPC endpoint
3. Create and configure API Gateway
4. Configure the application in DCMC

Each step is covered in detail below.

# Create and Configure EC2

Go to the EC2 console. Select the Instances tab and click Launch instances.

1. Choose an AMI. This tutorial uses the CentOS 8 AMI provided by AWS.
2. For Instance Type, Instance Details, Storage, and Tags, keep the default settings.
3. Create a new security group and add a rule of type HTTPS (TCP 443); keep the SSH rule so you can still connect to the instance. Click Review and Launch.
4. Check the configuration and click Launch.
5. Download the key pair and click Launch instance.

After the instance launches, note down its VPC ID and Public IPv4 DNS; both are needed in later steps. You can now ssh to the EC2 instance with the downloaded key pair (ssh refuses a key file that is readable by other users, so keep its permissions restrictive):

```bash
ssh -i ~/your-downloaded-key-pair-path/key-pair.pem centos@<your-ec2-ip>
```

Before continuing, install Docker and Docker Compose on this instance; the DAB image is started with docker-compose in the final step.

# Create and Configure VPC Endpoint

Go to the VPC console. Select the Endpoints tab and click Create Endpoint.

1. For Service category, choose AWS services. For Service Name, choose `com.amazonaws.<region name>.execute-api`.
2. For VPC, choose the Amazon VPC in which to create the interface endpoint; this must be the VPC of the EC2 instance (the VPC ID you noted down). For Subnets, select the subnets in which to create the endpoint network interfaces. Both can be left at their default values in this tutorial.
3. For Enable DNS name, keep the Enable for this endpoint check box selected to enable private DNS for the interface endpoint. With private DNS enabled, you can connect to your private API using its private or public DNS name. Note: once private DNS is enabled for an interface VPC endpoint, you can no longer access public API Gateway APIs from that VPC; such requests fail with HTTP 403 Forbidden (see the AWS knowledge-center article "Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?").
4. For Security group, select at least one security group to associate with the endpoint network interfaces. It must have a rule that allows inbound TCP port 443 (HTTPS) from either an IP address range in your VPC or another security group in your VPC; in this setup the EC2 instance running DAB is the client that has to be allowed. If no existing group meets those requirements, choose Create a new security group. If you don't specify a security group, the VPC's default security group is associated with the endpoint network interfaces.
5. For Policy, choose Full Access. The endpoint policy then does not restrict which APIs can be invoked through the endpoint; the restriction to this API and this VPC is made by the API's resource policy in the next step.

Click Create endpoint.

# Create and configure API Gateway

Go to the API Gateway console and click Create API. Build a private REST API, i.e. one that cannot be accessed from the public internet. An existing API can also be switched to private under Settings > Endpoint Configuration. This tutorial imports the console's example API for testing purposes.

Select the Resource Policy tab and start from the Source VPC Allowlist example. Replace the placeholder VPC ID with the real VPC ID you noted down after creating the EC2 instance (it is also shown on the Endpoints page of the VPC console), so the condition reads `"aws:sourceVpc": "vpc-12345678"`. For testing purposes the resource is the wildcard `execute-api:/*/*/*`, i.e. every stage, method and path of the API. The policy should look like this:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-12345678"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*"
        }
    ]
}
```

Click Save. The first statement explicitly denies every invocation whose source VPC is not the allowed one (including requests that did not come through any VPC endpoint), and the second allows everything else. Because an explicit Deny always wins, only requests that enter through the interface endpoint in that VPC can invoke the API. Note what this policy does and does not do: it restricts the network path, not the caller. Any workload in that VPC could invoke the API, which is why the Okta token check is enforced by DAB in front of it.

In the left navigation pane of the API Gateway console, under your API, choose Resources. On the Resources pane, choose Actions, and then Deploy API. Create a new stage called `test` and click Deploy. The private REST API URL is now shown; note it down.
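To see why the Deny/Allow pair above behaves as described, here is a small evaluator of that resource policy run against a few sample requests. It is an added example, not code from the original page, from Datawiza or from AWS: it implements only the two condition operators the policy uses and AWS's deny-overrides rule, and matches resources in the console's abbreviated `execute-api:/stage/METHOD/path` form (API Gateway expands that to a full ARN on save). The VPC IDs in the sample requests are made up.

```python
"""Evaluate the API Gateway resource policy from this tutorial (added example).

Rules implemented, as in IAM: every statement whose Action, Resource and
Condition match the request applies; an applying explicit Deny is final;
otherwise an applying Allow permits the call; with no applying statement the
call is denied. Only StringEquals / StringNotEquals are supported.
"""
import fnmatch

ALLOWED_VPC = "vpc-12345678"  # the VPC ID noted after launching the EC2 instance (made-up value)

RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*",
            "Condition": {"StringNotEquals": {"aws:sourceVpc": ALLOWED_VPC}},
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*",
        },
    ],
}


def _condition_holds(condition, request):
    """True when every operator/key pair in the Condition block matches.

    As in IAM, the negated operator StringNotEquals evaluates to True when the
    key is absent from the request. That is what makes the Deny statement
    catch traffic that did not arrive through any VPC endpoint at all.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(statement, action, resource, request):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    return _condition_holds(statement.get("Condition", {}), request)


def evaluate(policy, action, resource, request):
    """Return "Allow" or "Deny" for one invocation.

    `request` holds the condition keys API Gateway populates for the call:
    {"aws:sourceVpc": "vpc-..."} for traffic through an interface endpoint;
    a request from the public internet carries no aws:sourceVpc key at all.
    """
    decision = "Deny"  # implicit deny unless some statement allows
    for statement in policy["Statement"]:
        if not _statement_applies(statement, action, resource, request):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # explicit deny is final, whatever else applies
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for label, request in [
        ("from the allowed VPC (DAB on EC2)", {"aws:sourceVpc": ALLOWED_VPC}),
        ("from another VPC", {"aws:sourceVpc": "vpc-0badf00d"}),
        ("from the internet, no endpoint", {}),
    ]:
        print(f"{label}: {evaluate(RESOURCE_POLICY, 'execute-api:Invoke', 'execute-api:/test/GET/pets', request)}")
```

Only the third case differs from a naive reading of the policy: a request with no `aws:sourceVpc` key at all matches the `StringNotEquals` condition, so the explicit Deny fires. Dropping the Deny statement and conditioning the Allow on `StringEquals` instead would also deny it (implicit deny), but an explicit Deny additionally cannot be overridden by an Allow elsewhere, which is why the console template uses it.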

# Configuration in DCMC

Go to the DCMC homepage and click Get started.

1. Enter a Deployment name.
2. Enter a Provisioning Key name.
3. Application configuration: select API as Platform. Set Public Domain to the EC2 Public IPv4 DNS noted after creating the instance. Set Listen Port to 443 (or click sync). Set Upstream Servers to the private REST API: keep only the host part of the URL you noted down and drop the stage path. Set Default Action to Allow and click Next.
4. Authorizer: select JWT as Type and Okta as Identity Provider. Enter the Issuer and Audience; both are shown under Security > API in the Okta admin console. Set the Resource Path to the root path, which means any request to any URI must carry a valid token. Click Create.
5. Follow the steps to pull the Datawiza Access Broker (DAB) image and create the docker-compose file. Keep the generated docker-compose file; it will be run on the EC2 instance. Click Done.
6. Select the app in the Applications tab. In the SSL tab, turn on SSL and upload the certificate and private key. A self-signed certificate is also provided for testing purposes; select Self Signed as the Cert Type to use it (clients will not trust it, so use a real certificate outside testing). Click Save.
7. In the Advanced tab, enter the Proxy Header Host. It must be the upstream hostname, i.e. the execute-api host of the private API, because API Gateway uses the Host header to route the request to your API. If your API needs SNI, enable the upstream SNI option. Click Save.
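The Issuer and Audience entered in the authorizer step are the values a JWT authorizer checks on every request, together with the signature and the validity window. The following added example (not Datawiza's DAB code, and not from the original page) mints a token with Okta-style claims and verifies it the way an authorizer must: algorithm allow-list, signature, `exp`/`nbf`, `iss`, `aud`. To run offline without dependencies it signs with HS256 and a shared secret; Okta issues RS256 tokens, and a real verifier fetches the signing keys from the issuer's JWKS endpoint (`{issuer}/v1/keys`) and verifies with those instead. The issuer, audience and secret below are made-up values.

```python
"""Token checks a JWT authorizer performs before forwarding upstream (added example).

HS256 with a shared secret stands in for Okta's RS256 key pair so the demo
runs offline; the claim checks are identical for either algorithm.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://dev-000000.okta.com/oauth2/default"  # assumed Okta authorization server URL
AUDIENCE = "api://default"                             # assumed; the Audience shown under Security > API
SECRET = b"demo-shared-secret-not-for-production"      # demo only: stands in for Okta's signing key
ALLOWED_ALGS = {"HS256"}  # fixed allow-list; never let the token's header choose the algorithm


class AuthError(Exception):
    """Any reason the broker should answer 401 instead of forwarding."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS. Used here only to create test tokens (good and bad)."""
    header = {"alg": alg, "typ": "JWT", "kid": "demo-key"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    if alg == "none":
        return signing_input + "."  # unsigned token, as an attacker would submit it
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, issuer: str = ISSUER, audience: str = AUDIENCE, now=None, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable, else raise AuthError.

    Order matters: the algorithm is checked against the allow-list and the
    signature is verified before any claim is trusted, so nothing in the
    attacker-controlled header or payload can steer verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable header or signature") from None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise AuthError("algorithm not allowed")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise AuthError("signature mismatch")
    try:
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable payload") from None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise AuthError("token expired or has no exp")
    if now < claims.get("nbf", 0) - leeway:
        raise AuthError("token not yet valid")
    if claims.get("iss") != issuer:
        raise AuthError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in aud:
        raise AuthError("audience mismatch")
    return claims


def authorize(token: str, now=None):
    """Per-request decision: (True, claims) to forward, (False, reason) for a 401."""
    try:
        return True, verify_token(token, now=now)
    except AuthError as exc:
        return False, str(exc)
```

Map the DCMC form onto this: Issuer and Audience are the `issuer` and `audience` arguments, and a request whose token fails any of the checks gets the 401 shown in the Try it now section; the resource path `/` means every URI goes through `authorize`.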

# Try it now

All configuration is now done. On the EC2 instance, run the docker-compose file generated in the DCMC step. It should look like this:

```yaml
version: '3'

services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: #############################
      PROVISIONING_SECRET: #############################
```

Sending the request with a valid Okta token, you can reach the AWS private REST API through DAB. Without it, or with an invalid or expired token, DAB answers 401 Unauthorized. The private REST API itself still cannot be accessed directly, because its resource policy only accepts requests arriving through the VPC endpoint.

# Reference

- EC2 getting started
- Getting started with Amazon VPC
- VPC Security Groups
- VPC endpoints
- Creating a private API in Amazon API Gateway
- How can I access an API Gateway private REST API in another AWS account using an interface VPC endpoint?