Exclude cipher suites at the API gateway using a Network Load Balancer security policy
In this blog post, we will show you how to use Amazon Elastic Load Balancing (ELB)—specifically a Network Load Balancer—to apply a more granular control on the cipher suites that are used between clients and servers when establishing an SSL/TLS connection with Amazon API Gateway. The solution uses virtual private cloud (VPC) endpoints (powered by AWS PrivateLink) and ELB policies. By using this solution, highly regulated industries like financial services and healthcare and life sciences can exercise more control over cipher suite selection for TLS negotiation.
<h2>Configure the minimum TLS version on API Gateway</h2>
<p>The TLS protocol is a mechanism to encrypt data in transit — data that is moving from one location to another such as across the internet or through a network. TLS requires that the client and server agree on the family of encryption algorithms — otherwise known as the <em>cipher suite</em> — to use to protect the communication between the client and server. The two parties agree on the cipher suite during the phase known as the <em>TLS handshake</em>, in which the client first provides a lists of preferred cipher suites, and the server then selects the one that it deems most appropriate.</p>
<p>API Gateway supports a <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html#apigateway-custom-domain-tls-version-regional-and-websocket" target="_blank" rel="noopener">wide range of protocols and ciphers</a> and allows you to choose a minimum TLS version to be enforced by selecting a specific security policy. A security policy is a predefined combination of the minimum TLS version and cipher suite offered by API Gateway. Currently, you can choose either a TLS version 1.2 or TLS version 1.0 security policy. Although the usage of TLS v1.0 or TLSv1.2 covers a wide range of network security use cases, it doesn’t address the situation where you need to exclude specific ciphers that don’t meet your security requirements.</p>
<h2>Options for granular control on TLS cipher suites</h2>
<p>If you want to exclude specific ciphers, you can use the following solutions to offload and control the TLS connection termination with a customized cipher suite:</p>
<ul>
<li><strong>Amazon CloudFront distribution</strong> — <a href="https://aws.amazon.com/cloudfront/" target="_blank" rel="noopener">Amazon CloudFront</a> provides the TLS version and cipher suite in the <a href="https://aws.amazon.com/about-aws/whats-new/2022/05/amazon-cloudfront-tls-version-cipher-suite-viewer-header/" target="_blank" rel="noopener">CloudFront-Viewer-TLS-header</a>, and you can configure it by using a <a href="https://aws.amazon.com/blogs/aws/introducing-cloudfront-functions-run-your-code-at-the-edge-with-low-latency-at-any-scale/" target="_blank" rel="noopener">CloudFront function</a> on the Viewer request to then forward the appropriate traffic to an API Gateway. CloudFront is a global service that transfers customer data as an essential function of the service, so you should carefully consider its usage according to your specific use case.</li>
<li><strong>Self-managed reverse proxy</strong> — Using a containerized reverse proxy (for example, an <a href="https://hub.docker.com/_/nginx" target="_blank" rel="noopener">NGINX Docker image</a>) that manages the TLS sessions and forwards traffic to an API Gateway is another approach for more granular control on the cipher suites. You can deploy and manage this solution with <a href="https://aws.amazon.com/ecs/" target="_blank" rel="noopener">Amazon Elastic Container Service (Amazon ECS)</a>. You can also run Amazon ECS on <a href="https://aws.amazon.com/fargate/" target="_blank" rel="noopener">AWS Fargate</a> so that you don’t have to manage servers or clusters of <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon Elastic Compute Cloud (Amazon EC2)</a> instances. The self-managed reverse proxy approach entails an operational overhead associated with the configuration and management of the reverse proxy application.</li>
<li><strong>Network Load Balancer</strong> — By placing a Network Load Balancer in front of an API Gateway, you can use the load balancer to terminate the TLS session on the client side, and reinitiate a new TLS session with the backend API gateway. This approach, in conjunction with the use of ELB policies, provides you with much more granular control on the cipher suite used for the communication. Network Load Balancer is a fully-managed service, meaning that it handles scalability and elasticity automatically. This represents the main advantage in comparison to a self-managed reverse proxy solution that would add operational overhead due to the need to manage the reverse proxy application and the ECS cluster.</li>
</ul>
<p>Network Load Balancer is the solution with the most suitable set of trade-offs: it minimizes operational overhead while providing the necessary flexibility to control and secure the connection between client and server. Therefore, we focus on using Network Load Balancer in this post.</p>
<h2>Prerequisites</h2>
<p>To show how a Network Load Balancer can front-end an API gateway in practice, we will walk you through a real-world example. To follow along, make sure that you have the following prerequisites in place:</p>
<div id="attachment_29502" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29502" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img1-3.png" alt="Figure 1: Sample architecture of API Gateway with Lambda backend" width="554" height="391" class="size-full wp-image-29502">
<p id="caption-attachment-29502" class="wp-caption-text">Figure 1: Sample architecture of API Gateway with Lambda backend</p>
</div>
<h2>Use Network Load Balancer for cipher suite selection</h2>
<p>We start with a scenario where a client interacts with the API gateway domain (for example, <span>api.example.com</span>) over a set of TLS/cipher combinations that are not acceptable for security reasons. In the subsequent steps, we will introduce a Network Load Balancer layer to frontend the API gateway domain without impacting the end-user interaction with the API gateway domain. In this section, we will walk you through how to make the application accessible through a Network Load Balancer and use ELB policies to exclude the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite. In doing so, we will limit the operational overhead as much as possible, while keeping the application scalable, elastic, and highly available.</p>
<p>Figure 2 shows the solution that you will build.</p>
<div id="attachment_29503" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29503" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img2-3.png" alt="Figure 2: Target architecture, with a load balancer for cipher suite selection" width="600" class="size-full wp-image-29503">
<p id="caption-attachment-29503" class="wp-caption-text">Figure 2: Target architecture, with a load balancer for cipher suite selection</p>
</div>
<p>The preceding diagram shows a workflow of the user interaction with the API gateway domain abstracted by the Network Load Balancer layer. For the first interaction, the user retrieves the API gateway domain from the Route 53 hosted zone. This API gateway domain aliases to the Network Load Balancer endpoint. In the next interaction, the user makes an HTTPS request to the domain endpoint with a TLS/cipher combination from the client side. The TLS connection is accepted or denied based on the security policy configured at the Network Load Balancer. In the rest of this post, we will walk you through how to set up this architecture.</p>
<h2 id="step_1">Step 1: Create a VPC endpoint</h2>
<p>The first step is to create a private VPC endpoint for API Gateway.</p>
<h4>To create a VPC endpoint</h4>
<ol>
<li>Open the <a href="https://console.aws.amazon.com/vpc/" target="_blank" rel="noopener">Amazon VPC console</a>.</li>
<li>In the left navigation pane, choose <strong>Endpoints</strong>, and select <strong>Create endpoint</strong>.</li>
<li>For <strong>Name tag</strong>, enter a name for your endpoint. For this walkthrough, we will enter <span>MyEndPoint</span> as the name for the endpoint.</li>
<li>For <strong>Services</strong>, search for <strong>execute-api</strong> and select the service name, which will look similar to the following: <strong><span>com.amazonaws.<span></span>.execute-api</span></strong>.</li>
<li>For <strong>VPC</strong>, select the VPC where you want to deploy the endpoint. For this walkthrough, we will use <strong>MyVPC</strong> as the VPC.</li>
<li>For <strong>Subnets</strong>, select the private subnets where you want the private endpoint to be accessible. To help ensure high availability and resiliency, make sure that you select at least two subnets.</li>
<li>(Optional) Specify the <a href="https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html" target="_blank" rel="noopener">VPC endpoint policy</a> to allow access to the VPC endpoint only for the desired users or services. Make sure that you apply the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege" target="_blank" rel="noopener">principle of least privilege</a>.</li>
<li>For <strong>Security Groups</strong>, select (or create) a security group for the API Gateway VPC endpoint. This security group will allow or deny traffic to the VPC endpoint. You can choose the ports and protocols along with the source and destination IP address range to allow for inbound and outbound traffic. In this example, you want the VPC endpoint to be accessed only from the Network Load Balancer, so make sure that you allow incoming traffic from the VPC’s Classless Inter-Domain Routing (CIDR) on port 443.</li>
<li>Leave the other configuration options as they are, and then choose <strong>Create Endpoint</strong>. Wait until the VPC endpoint is deployed.</li>
<li>When the VPC endpoint completes provisioning, take note of the endpoint ID and the IP addresses associated with it because you will need this information in the following steps. You will find one address for each subnet where you chose to deploy the VPC endpoint. After you select the newly created endpoint, you can find the assigned IP addresses in the <strong>Subnets</strong> tab.</li>
</ol>
<h2 id="step_2">Step 2: Associate API Gateway with the VPC endpoint and custom domain</h2>
<p>The next step is to instruct the API Gateway to only accept invocations coming from the VPC endpoint, and then map your APIs with the custom domain name.</p>
<h4>To associate API Gateway with the VPC endpoint and custom domain</h4>
<ol>
<li>Open the <a href="https://console.aws.amazon.com/apigateway" target="_blank" rel="noopener">Amazon API Gateway console</a> and take note of the ID of your API.</li>
<li>Choose your existing API in the console. For this walkthrough, we will use an API called <strong>MyAPI</strong>. </li>
<li>In the left navigation pane, under <strong>API:</strong> <span></span>, choose <strong>Resource Policy</strong>.</li>
<li>Paste the following policy, and replace <span></span>, <span></span>, <span></span>, and <span></span> with your own information:
<div class="hide-language">
<pre><code class="lang-text">{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:<span></span>:<span></span>:<span></span>/*/*/*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "<span></span>"
}
}
}
]
}
<li>In the left navigation pane, under <strong>API:</strong> <span></span>, choose <strong>Settings</strong>.</li>
<li>In the <strong>Endpoint Configuration</strong> section, for <strong>VPC Endpoint IDs</strong>, enter your VPC endpoint ID. </li>
<li>Leave the other configuration options as they are and choose <strong>Save Changes</strong>.</li>
<li>In the left navigation pane, under <strong>API:</strong> <span></span>, choose <strong>Resources</strong>.</li>
<li>Choose <strong>Actions</strong> and select <strong>Deploy API</strong>.</li>
<li>Select an existing stage, or if you haven’t created one yet, select <strong>[New Stage]</strong> and enter a name for the stage (for example, <span>prod</span>). Then choose <strong>Deploy.</strong></li>
<li>Navigate back to the Amazon API Gateway console, and in the left navigation pane, choose <strong>Custom domain names</strong>.</li>
<li>Choose <strong>Create.</strong></li>
<li>For <strong>Domain name</strong>, enter the full domain name that you plan to associate with your API Gateway (for example, <span>api.example.com</span>).</li>
<li>For <strong>ACM certificate</strong>, select the certificate for the domain that you own (for example, <strong><em>.example.com</em></strong>).</li>
<li>Leave the rest as it is and choose <strong>Create domain name</strong>.</li>
<li>Select the domain name that you just associated with API Gateway and select <strong>API mappings</strong>.</li>
<li>Choose <strong>Configure API Mapping</strong>.</li>
<li>For <strong>API</strong>, select your API, and for <strong>Stage</strong>, select your preferred stage.</li>
<li>Leave the other configuration options as they are, and choose <strong>Save</strong>.</li>
<h2 id="step_3">Step 3: Create a new target group for Network Load Balancer</h2>
Before creating a Network Load Balancer, you need to create a target group that it will redirect the requests to. You will configure the target group to redirect requests to the VPC endpoint.</p>
<h4>To create a new target group for Network Load Balancer</h4>
<ol>
<li>Open the <a href="https://console.aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon EC2 console</a>.</li>
<li>In the left navigation pane, choose <strong>Target groups</strong>, and then choose <strong>Create target group</strong>.</li>
<li>For <strong>Choose a target type</strong>, select <strong>IP addresses</strong>.</li>
<li>For <strong>Target group name</strong>, enter your desired target group name. For this walkthrough, we will enter <span>MyGroup</span> as the target group name.</li>
<li>For <strong>Protocol</strong>, select <strong>TLS.</strong></li>
<li>For <strong>Port</strong>, enter <strong>443</strong>.</li>
<li>Select <strong>MyVPC</strong>.</li>
<li>Under <strong>Heath check protocol</strong>, select <strong>HTTPS</strong>, and under <strong>Health check path,</strong> enter <span>/ping</span>.</li>
<li>Leave the rest as it is and choose <strong>Next</strong>.</li>
<li>For <strong>Network</strong>, select <strong>MyVPC</strong>.</li>
<li>Choose <strong>Add IPv4 address</strong> and add the IP addresses associated with the VPC endpoint one by one (these are the IP address associated with the VPC endpoint and detailed in step 10 of the section <a href="https://aws.amazon.com/blogs/security/exclude-cipher-suites-at-the-api-gateway-using-a-network-load-balancer-security-policy/#step_1">Step 1: Create a VPC endpoint</a>).</li>
<li>For <strong>Ports</strong>, enter <strong>443</strong>, and then choose <strong>Include as pending below</strong>.</li>
<li>Choose <strong>Create target group</strong>, and then wait for the target group to complete creation.</li>
</ol>
<h2 id="step_4">Step 4: Create a Network Load Balancer</h2>
<p>Now you can create the Network Load Balancer. You will configure it to redirect traffic to the target group that you defined in Step 3.</p>
<h4>To create the Network Load Balancer</h4>
<ol>
<li>Open the <a href="https://console.aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon EC2 console</a>.</li>
<li>In the left navigation pane, choose <strong>Load Balancers</strong>, and then choose <strong>Create load balancer</strong>.</li>
<li>In the <strong>Network Load Balancer</strong> section, choose <strong>Create</strong>.</li>
<li>For <strong>Load balancer name</strong>, enter a name for your load balancer. For this walkthrough, we will use the name <span>MyNLB</span>.</li>
<li>For <strong>Scheme</strong>, select <strong>Internal</strong>.</li>
<li>For <strong>VPC</strong>, select <strong>MyVPC</strong>.</li>
<li>For <strong>Mappings</strong>, select the same subnets that you selected when you created the VPC endpoint in <a href="https://aws.amazon.com/blogs/security/exclude-cipher-suites-at-the-api-gateway-using-a-network-load-balancer-security-policy/#step_1">Step 1: Create a VPC endpoint</a>.</li>
<li>In the <strong>Listeners and routing </strong>section, for <strong>Port</strong>, enter <strong>443</strong>. </li>
<li>Forward the traffic to <strong>MyGroup</strong>.</li>
<li>Select a security policy that excludes the cipher suites that you don’t want to allow. To learn more about the available policies, see <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies" target="_blank" rel="noopener">Security policies</a>. In this example, we will select <strong>ELBSecurityPolicy-TLS13-1-2-Res-2021-06</strong>, which excludes the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher.</li>
<li>For <strong>Default SSL cert, </strong>choose <strong>Select a certificate</strong> and then select your certificate (for example, <strong>.example.com</strong>).</li>
<li>Leave the rest as it is and choose <strong>Create load balancer</strong>. Wait for the load balancer to complete deployment.</li>
</ol>
<h2 id="step_5">Step 5: Set up DNS forwarding</h2>
<p>The final step is to configure the Domain Name System (DNS) to associate the custom domain name with our APIs.</p>
<h4>To set up DNS forwarding</h4>
<ol>
<li>Open the Route53 console.</li>
<li>In the left navigation pane, choose <strong>Hosted zones</strong>.</li>
<li>Select the private hosted zone that manages your domain.</li>
<li>Choose <strong>Create record</strong>.</li>
<li>For <strong>Record name</strong>, enter the domain name that you plan to associate with your API (for example, <span>api.example.com</span> — the same name as in <a href="https://aws.amazon.com/blogs/security/exclude-cipher-suites-at-the-api-gateway-using-a-network-load-balancer-security-policy/#step_2">Step 2: Associate API Gateway with the VPC endpoint and custom domain</a>).</li>
<li>For <strong>Record type</strong>, leave the default <strong>A – Routes traffic to an IPV4 address and some AWS resources</strong>.</li>
<li>Turn on <strong>Alias</strong>.</li>
<li>For <strong>Route traffic to</strong>, select <strong>Alias to Network Load Balancer</strong>. Select the AWS Region where you deployed your resources and then select your load balancer.</li>
<li>Choose <strong>Create records</strong>.</li>
</ol>
<h2 id="step_6">Step 6: Validate your solution</h2>
<p>At this point, you have deployed the resources that you need to implement the solution. You now need to validate that it works as expected.</p>
<p>Your resources are deployed in private subnets, so you need to test them by sending requests from within the private subnet itself. For example, you can do that by <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html" target="_blank" rel="noopener">connecting to a Linux instance</a> that you have running inside the private subnet.</p>
<p>After you have logged in to your private EC2 instance, you can validate your solution by sending requests to your endpoint. </p>
<p>From your terminal of choice, run the following commands. Replace <span></span> with your chosen domain name—for example, <span>api.example.com/</span><span>.</span></p>
<div class="hide-language">
<pre><code>curl https:// ‐‐cipher ECDHE-RSA-AES128-GCM-SHA256</code></pre>
</div>
<p>This command sends a GET request to API Gateway by selecting a cipher suite that’s allowed by the ELB policy. As a result, the Network Load Balancer allows the connection and returns success.</p>
<div class="hide-language">
<pre><code>curl https:// ‐‐cipher ECDHE-RSA-AES128-SHA256</code></pre>
</div>
<p>This command sends a GET request to the API Gateway by selecting a cipher suite that is excluded by the ELB policy. As a result, the Network Load Balancer denies the connection and returns an error response.</p>
<p>Figure 3 shows the expected behavior.</p>
<div id="attachment_29505" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-29505" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img3-2.png" alt="Figure 3: Target behavior: accept only connections with selected cipher suites" width="619" height="451" class="size-full wp-image-29505" />
<p id="caption-attachment-29505" class="wp-caption-text">Figure 3: Target behavior: accept only connections with selected cipher suites</p>
</div>
<h2>Conclusion</h2>
<p>In this blog post, you learned how to use a Network Load Balancer as a reverse proxy for your private APIs managed by Amazon API Gateway. With this solution, the Network Load Balancer allows you to exclude specific cipher suites by selecting the ELB policy that’s most appropriate for your use case.</p>
<p> <br />If you have feedback about this post, submit comments in the<strong> Comments</strong> section below. If you have questions about this post, <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p>
<p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong>
<!-- '"` -->