Security guidelines between Edge and AWS

Following are guidelines for ensuring secure communication between Edge and your backend services on AWS.

TLS

  • As a best practice, set up two-way TLS between Edge and your AWS backend services. For more information, see the Apigee Edge documentation topics here: About TLS/SSL
  • Because traffic between AWS Elastic Load Balancing and Amazon EC2 instances occurs within the same Virtual Private Cloud (VPC), terminate TLS at the load balancer in most use cases. For more information, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html.
  • The AWS load balancer supports only server-side TLS (one-way TLS). For client-side TLS (two-way TLS), use a TLS termination proxy (such as HAProxy) behind the load balancer in TCP proxy-mode, with HAProxy terminating the TLS connection.

IP whitelisting

Whether you're using EC2-VPC or EC2-Classic as your AWS environment, configure your security group(s) to allow only your Edge IP addresses to make calls to your AWS services.

To find out your Edge IP addresses to whitelist, contact Apigee Support as described in this Apigee Community article.

To find out one or more of your Edge IPs on your own, see this Apigee Community article.

For information on creating inbound rules in your security groups for whitelisting your Edge IP addresses, see the following AWS documentation:

To see a full list of AWS IP ranges, and to see which AWS region your Edge Public Cloud organization is deployed in once you know your IP addresses, see https://ip-ranges.amazonaws.com/ip-ranges.json.

Amazon EC2

If you're proxying an Amazon EC2 instance, set up an Elastic IP address in front of the EC2 instance. For more information, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html.

Amazon RDS

When proxying the Amazon RDS database, use TLS/SSL encryption between Edge and RDS. For more information, see http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html.

Apigee also provides connectors to expose relational databases as APIs. You can use the “SQL volos connectors” as a starting point if you need to expose your AWS relational database as a REST API. For more information, see volos-connectors GitHub repository.

Amazon Route 53

If you're using Amazon Route 53 for DNS service, be sure to set appropriate TTL (Time to Live) on your Resource Record Sets. For more information, see http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values.html.