Security guidelines between Edge and AWS
Following are guidelines for ensuring secure communication between Edge and AWS.
- As a best practice, set up two-way TLS between Edge and AWS. For more information, see the Apigee Edge documentation topics here: About TLS/SSL
- Because traffic between AWS Elastic Load Balancing and Amazon EC2 instances occurs within the same Virtual Private Cloud (VPC), terminate TLS at the load balancer in most use cases. For more information, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html.
- Whether you're using EC2-VPC or EC2-Classic as your AWS environment, configure your security group(s) to allow only your Edge IP addresses to make calls to your AWS services.
  - To find out one or more of your Edge IPs on your own, see this Apigee Community article.
  - If you are on the Edge trial (free) plan, your Edge IP addresses (you have two by default) might change at some point, so IP whitelisting may not be practical over time. For more information, see this Apigee Community article.
  - For information on creating inbound rules in your security groups for whitelisting your Edge IP addresses, see the following AWS documentation:
  - Once you know your Edge IP addresses, check them against the full list of AWS IP ranges at https://ip-ranges.amazonaws.com/ip-ranges.json to find out which AWS region your Edge Public Cloud organization is deployed in.
- If you're proxying an Amazon EC2 instance, set up an Elastic IP address in front of the EC2 instance. For more information, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html.
- When proxying an Amazon RDS database, use TLS/SSL encryption between Edge and RDS. For more information, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html.
- Apigee also provides connectors to expose relational databases as APIs. You can use the “SQL volos connectors” as a starting point if you need to expose your AWS relational database as a REST API. For more information, see Apigee connectors.
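The two security-group steps above (looking an Edge IP up in ip-ranges.json to find its region, and whitelisting only those IPs) are worked through below as an added example; it is not code from the Apigee or AWS documentation. The ip-ranges excerpt is constructed sample data in the shape of the real file, the IP addresses are documentation ranges, and the rule builder emits the IpPermissions structure accepted by the EC2 AuthorizeSecurityGroupIngress API.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file holds thousands of prefixes; these entries are sample data only).
SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"}
  ]
}
""")


def lookup_aws_region(ip, ip_ranges=SAMPLE_IP_RANGES):
    """Return {"regions": set, "services": set} for every prefix containing ip,
    or None when the address is not an AWS address at all.

    One address normally matches several entries (e.g. AMAZON and EC2) that
    all belong to the same region, so both fields are collected as sets.
    """
    addr = ipaddress.ip_address(ip)
    regions, services = set(), set()
    for entry in ip_ranges["prefixes"]:
        if addr in ipaddress.ip_network(entry["ip_prefix"]):
            regions.add(entry["region"])
            services.add(entry["service"])
    return {"regions": regions, "services": services} if regions else None


def edge_ingress_rule(edge_ips, port=443):
    """Build one IpPermissions entry (EC2 AuthorizeSecurityGroupIngress shape)
    that admits only the given Edge IPs, as /32 CIDRs, on a single TCP port.
    Duplicates are dropped so a re-run does not add overlapping ranges."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [
            {"CidrIp": str(ipaddress.ip_network(ip)), "Description": "Apigee Edge"}
            for ip in sorted(set(edge_ips), key=ipaddress.ip_address)
        ],
    }
```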
Amazon Route 53
If you're using Amazon Route 53 for DNS service, be sure to set appropriate TTL (Time to Live) on your Resource Record Sets. For more information, see http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values.html.