Say I have a few internal services living in a private subnet that need to make external API calls. To achieve this, I implement a lambda living in another VPC that makes the call on their behalf. Now I want to add another layer of security by implementing a forward proxy that does the following:
- Be able to check for things like payload sizes and inspect the actual data in the request (I am only concerned with HTTP(S) traffic for now).
- Be able to inspect TLS connections as well (every service in my network has a self-managed root certificate installed, so a man-in-the-middle TLS inspection based approach is possible).
- Maintain and enforce service-specific access to internet domains.
Ideally, each time a new API call needs to be made, rather than making a code change in the proxy we would just be able to edit a configuration file with this new endpoint and the rules we may want to enforce for it (for eg. block all GET request with a non-empty body).
I looked into several third-party solutions to this problem. Stumbled across EnvoyProxy but that doesn't support TLS termination. Squid could work, but it doesn't seem to support dynamic, service-specific configurations. One solution that seems to be exactly what we need is Google Cloud Secure Web Proxy (https://cloud.google.com/secure-web-proxy/docs/overview). Is there any similar service out there? If not, how would you go about implementing such a proxy service in an AWS environment.
PS: We tried implementing this at the firewall level, but that came with its own issues and the rules we can use are very simplistic. We do not wish to use AWS's Network Firewall.
