F5 AWS Lambda/API Gateway Proxy iRules LX Plug-in

Introduction

This extension is community supported.

The f5_aws_apigw_proxy iRules LX plug-in is a BIG-IP iRules LX plugin for enables the BIG-IP to act as a many-to-one proxy for both AWS API Gateway and direct Lambda function requests. The plug-in utilizes a data-group to perform path/URI and path/LambdaFunction matching. This allows for a single public facing proxy endpoint to service multiple backend AWS Lambda functions and APIs.

Lambda Proxy

To proxy a Lambda function located within the same region as the F5 BIG-IP instance, create a datagroup, ('aws-apis')to create path/fxn mappings fxn1 ---> glc-hello-function. To proxy a Lambda function located in a different AWS region simply prepend the region to the function name fxn1 ---> eu-west-1/glc-hello-function.

Lambda Proxy Example1:
POST/apigw.f5demo.net/fxn1 -- proxies directly to the Lambda function with the name glc-hello-function

Lambda Proxy outside of region Example2:
POST/apigw.f5demo.net/fxn2 -- proxies directly to the Lambda function with the region/name eu-west-2/glc-hello-function

AWS API Proxy

To proxy AWS APIs, use the same datagroup to create path --> URI matchings - api1 ---> jbfipbsqfa.execute-api.us-east-1.amazonaws.com/prod/LambdaPub-WCGIBYB9AHI

API example:
POST/apigw.f5demo.net/api1 -- proxies to -- POST/jbfipbsqfa.execute-api.us-east-1.amazonaws.com/prod/LambdaPub-WCGIBYB9AHI

Requirements

BIG-IP VE 13.1 or later running on EC2

Installation

1. Download and import .tgz file into the BIGIP, (see below).

2. Create LX plugin from imported workspace - Note: must be named 'f5_aws_apigw_proxy'

TMSH command example: tmsh create ilx plugin f5_aws_apigw_proxy from-workspace f5_aws_apigw_proxy

3. Create and populate the data-group //Note: must be named 'aws-apis'

TMSH command example: tmsh create ltm data-group internal aws-apis type string records add { api1 { data jbfipbsqfa.execute-api.us-east-1.amazonaws.com/default/serverlessrepo-glc-publisher-LambdaPublisher-WFCGIBYB9AHI } fxn1 { data glc-hello-fxn }}

4. Create an AWS IAM role with the name: f5ApiProxyRole

The role requires, at a minimum the 'AmazonAPIGatewayInvokeFullAccess' and 'AWSLambdaFullAccess' permissions, (see below). Attach the newly created role to BIG-IP ec2 instance. Refer to this link for instructions.

For a quick video run through of the installation process, check out this video.

Modification

Once the workspace has been installed, you can use the BIG-IP workspace, (see below) to view and modify the underlying iRule -tcl and the nodejs processor

msenturk / f5-aws-apigw-proxy