
I have a publicly exposed API Gateway (HTTP). To authenticate, you have to provide a valid JWT.

I want to secure this APIGW with CloudFront + WAF. After reading the docs, I think that the API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of a header in WAF. An attacker can still find the API Gateway on the Internet and perform a DDOS attack directly against the API Gateway endpoint without going through CloudFront.

Is this approach considered secure? Cloudflare uses Tunnel to make sure that your infrastructure is not exposed to the Internet. I think that approach is much more secure. Is something like this available in AWS?

krzysiexp
    Suggest you edit your question to tell us more about your API. Is it meant to be exposed to the public internet, or is it meant to be a private API? Does it require authentication, if so against what and how are credentials passed in? You can have private API Gateway endpoints within your VPC, and I think you can access those via VPN / DirectConnect. If you need the API exposed to the internet, then yes, expose it. AWS Shield working in AWS / CloudFront will give it good protection. – Tim Apr 05 '22 at 08:24
  • Added brief info. So you think that even when API Gateway is exposed to the Internet (but accessible through CloudFront) it is secure and protected against DDoS? – krzysiexp Apr 05 '22 at 13:52

1 Answer


My opinion is that putting an API Gateway on the internet behind CloudFront is likely sufficiently secure. It's designed to do exactly that. You can use CloudFront to limit geographic distribution if you need to, but generally AWS Shield combined with CloudFront / Route53 will give you sufficient protection against DDOS.

You can make your API Gateway distribution private then expose it to the internet via a VPC / VPN, but that's more work and more cost. I tend to use private API Gateways only when it's providing a service that is only consumed by a single application in AWS.

API Gateway is a managed service. AWS don't want their managed services to be crippled by DDOS attacks, so they protect them and mitigate DDOS attacks when they occur.

If you're really worried about this you can always pay for AWS Shield Advanced, but it's US$3,000 per month. This is often used by enterprises where the cost isn't the primary factor.

Tim
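As an added example, not code from the question or the answer, this is the header check the question describes and the answer treats as sufficient, written as Terraform: CloudFront adds a secret header to every request it forwards to the origin (set in the distribution's origin `custom_header` block, not shown here), and a regional WAFv2 web ACL on the API stage lets through only requests that carry the exact value. The header name, the secret variable and all resource names are assumptions; it also assumes a REST API stage, because WAF web ACLs attach to REST API stages, not to HTTP API stages, and the API hostname stays reachable, so the ACL rejects direct requests rather than hiding the endpoint.

```hcl
# Shared secret that CloudFront sends as a custom origin header (assumed name
# X-Origin-Verify). Generate a long random value, store it in Secrets Manager
# and rotate it: anyone who learns it can bypass the check.
variable "origin_secret" {
  type      = string
  sensitive = true
}

resource "aws_wafv2_web_acl" "origin_verify" {
  name  = "apigw-origin-verify"   # assumed name
  scope = "REGIONAL"              # API Gateway stages take REGIONAL web ACLs

  # Default is block: a request that lacks the CloudFront header did not come
  # through the distribution and is rejected at the WAF, before the JWT check.
  default_action { block {} }

  rule {
    name     = "allow-cloudfront"
    priority = 0
    action { allow {} }
    statement {
      byte_match_statement {
        search_string         = var.origin_secret
        positional_constraint = "EXACTLY"
        # WAF header names are matched case-insensitively; the provider wants lowercase.
        field_to_match { single_header { name = "x-origin-verify" } }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true   # blocked-vs-allowed counts show direct hits
      metric_name                = "allow-cloudfront"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "apigw-origin-verify"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the REST API stage (assumed resource aws_api_gateway_stage.prod).
resource "aws_wafv2_web_acl_association" "prod" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.origin_verify.arn
}
```

Requests that reach the stage directly still consume API Gateway's request quota and show up in the blocked-request metric, which is the signal to watch if the endpoint is being hit outside CloudFront.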