Bind Istio with API Gateway — IaaC
Trust nothing is the new era of security. This blog will go through binding API Gateway to Istio gateway so that service only able to accessible through API gateway & cannot be accessible outside directly.
Step 1: Setup API Gateway with SSL certificate
Below will create gateway certificate & deploy a stage named example with the certificate. We will use the same certificate in next step to ensure mutual authentication
Step 2: Setup Istio with ssl certificate
Below example shows modification of gateway with certificate created above steps.
Step 3: Setup route53 domain.
This step is important as earlier I pushed uri as ELB of istio ingress gateway. But that creates domain name conflict with the certificate. Hence you need route53 entry for the “apigateway.mycompany.com” pointing to CNAME record “ a01384bbf30454ac98fe23c72a1a1a1a1–11111111.eu-west-1.elb.amazonaws.com”
Step 4: test curl command
curl https://apigateway.mycompany.com => should fail (as no ssl info)
curl https://k6n1vxxxxx.execute-api.eu-west-1.amazonaws.com/example => Should work (as ca certificate already passed in backend )