How to access resources in a private subnet from Apple Store and Google Play

Would love to get people's thoughts on this.

I have a front-end application that lives on the Apple Store. It interacts with custom JavaScript APIs that we've built and that are deployed on an EKS cluster. The cluster and the EC2 instances of the cluster live in private subnets in AWS, but are exposed to the world through an application load balancer that lives in a public subnet.

Since the front-end application lives on Apple's servers, I can't think of an easy way to securely access the APIs in AWS without exposing them to the world. This is what I have in mind:

  1. Use API keys. Not ideal, as the keys could still potentially be scraped from a header.
  2. Restrict access to the APIs to the Apple server network via ACLs and security groups. Again, not something that seems achievable, since there is no network CIDR that Apple provides (that I know of).
  3. Set up some sort of SSH tunnel.

I've hit a wall on this and would really appreciate anyone's thoughts if they've had a similar issue.

Thanks!

Solution 1:[1]

In Google CDP you can have another type of ACL which monitors the client URL. If requests don't come from your.frontend.app, they are denied. Check whether you can find that in AWS as well.

I recommend further thinking about the following, if possible in your project:

1.) CSRF strategy. Apply tokens to clients, which must be provided on requests to the API.
2.) AccessLimiter. Maintain a fingerprint or session for your clients and count/limit requests as you need. E.g. if the request didn't run through an index file before, no request is possible, as the client didn't collect a token.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 user19095620