Security options when accessing an external API from a Serverless Function

RobertBaminger
Member

Hi,

 

we have a HubSpot serverless function which calls an external API hosted on one of our servers in our network which ist protected by a firewall.

Now, we would like to restrict acces to the API on our server, to only accept calls from the HubSpot serverless function!

 

What options do we have?

IP- or FQDN-allowlisting, Client-Certificate-Authentication, etc. ... but, since the serverless function are executed on AWS, where there ist no fixed IP-Adress, so I think the options are limited.

 

Thanks and best regards

Robert Baminger

0 Upvotes
3 Replies 3
JBeatty
Top Contributor | Platinum Partner

Hi @RobertBaminger,

 

If you can establish some sort of API key or other forms of basic authentication like bearer authentication on your external API, you can store this in a "secret" that your serverless function can access. See this article for more information on authentication for Restful APIs.

 

From the HubSpot Developer Docs:

Secrets

API keys, and authentication information are referred to as secrets. Secrets are added and removed through the HubSpot CLI. Once added through the CLI, they can be made available to specific functions or globally, by adding a secrets array, with the name of the secret. Once added they are accessible within functions through environment. This provides you a secure way to use these secrets and enable you to store your function code in version control, without worrying about the secrets being exposed.

See this page for more information on how to create and manage secrets.

 

 

Best,

Josh

 

Was I able to help answer your question? Help the community by marking it as a solution.

 

✔️ Was I able to help answer your question? Help the community by marking it as a solution.

Joshua Beatty
Software Developer with Pearagon

Still have questions? Let's Talk

0 Upvotes
RobertBaminger
Member

Hi Josh,

 

sorry for the late reply.

 

I think it is already too late at this point (as we are already past out firewall) to establish some form of authentication to our internal server (which would be perfectly capable of handling this authentication).

We would like to restrict access already in our firewall, so that the request from the serverless function can't even get to our internal server!

 

Thanks and regards,

Robert

0 Upvotes
JBeatty
Top Contributor | Platinum Partner

Hi @RobertBaminger,

 

The exact minutiae of firewalls is a little outside my realm of expertise, as I am not a network engineer, but there is an idea that I have. Since the serverless function has a different IP every time you call it, though I have not tested this, I am assuming this is the case otherwise you would just allowlist the IP, this gives me just one idea of setting up some sort of middleman. Something like just an AWS EC2 instance, or other VPS, that just acts as a middleman, which you can give an IP address, which you then are able to white list. From there on the compute instance you could set up some sort of basic authentication, but if you are going that far you may as well just run all of your code off of the instance anyways. Perhaps someone with a better background in networking engineering could step in here.

✔️ Was I able to help answer your question? Help the community by marking it as a solution.

Joshua Beatty
Software Developer with Pearagon

Still have questions? Let's Talk

0 Upvotes