Navigating Cellebrite’s Migration to Private AWS API Gateways
Case Study

August 03, 2023

Background

At Develeap, our motto is helping others. We are a kinship of professionals helping other professionals generate sustainable long-term value. We believe in sharing knowledge and experience and are passionate about taking tech teams to the next level. Matching our expertise to our customers’ teams is at the heart of our work.

Our customer, Cellebrite, is a global leader in digital intelligence solutions for law enforcement, government, and enterprise sectors. The company provides an integrated suite of software solutions, known as the Cellebrite DI Platform, which enables customers to conduct digital investigations, gain data insights, and manage digital intelligence. Cellebrite’s solutions accelerate investigations by enabling the extraction, decoding, analysis, and collaboration of data from a wide range of digital sources, including smartphones, cloud services, computers, IoT devices, and more.

With a commitment to maintaining the highest ethical standards, Cellebrite assists in solving crimes, protecting assets, and ensuring public safety worldwide. The company’s technology is used by thousands of leading law enforcement agencies, military units, and intelligence organizations in more than 150 countries.

At Develeap, we are proud to support Cellebrite in its mission, leveraging our DevOps expertise to enhance Cellebrite’s digital intelligence capabilities.

The need

Migration of Public AWS API Gateways to Private AWS API Gateways with Custom DNS

Cellebrite, like numerous other global organizations, recognized the pressing need to enhance its technological infrastructure. The company’s primary objective was clear: transition from public AWS API Gateways to private ones with custom DNS. The move was necessary to bolster security measures, streamline deployment processes, and improve digital intelligence management.

The development teams were tasked with finding a solution that would meet the company’s stringent security standards and facilitate the efficient extraction, decoding, and analysis of data from various digital sources, following the company’s high-security standards and limited access to all AWS services. The challenge was further compounded by the relative novelty of Serverless technology and a lack of comprehensive documentation and well-known use cases.

The Challenges

  • Blocked security measures
    • Because of the strict security posture, development teams do not have access to all AWS services; IT and Security handle all networking and security configuration.
  • Finding documentation regarding the need
    • Since Serverless is not as mainstream as k8s or as well-known as Docker, the main issue is the lack of documentation and of well-known use cases documenting serverless actions and methods.
    • As documentation is scarce, many companies and organizations that would like to investigate a serverless solution are hesitant to start developing and implementing such an architecture, which in turn means even fewer documented use cases are published.

“From having our API open to the world with all the dangers and problems that come with it, it was a long but worthwhile transition. I wish and hope that there will be more available information on the subject in the future.” -Or Shemtov, Software Engineer at Cellebrite

Our Solution

  • Strategy
    1. We found the following repository: https://github.com/aws-samples/serverless-samples, which holds the recommended AWS solutions for working with Serverless.
    2. There, we found the following architecture recommendation for working with private API gateways and a custom DNS name for the gateway. However, we did not want one DNS name per development environment; we wanted to centralize the DNS for all environments in that account.
    3. While exploring the API gateway through the AWS console, we found base path mappings, which let you connect different API gateways and stages to a domain name of your choosing, but that domain name must be defined in Route 53 to work.
  • Planning and Execution
    1. After meeting with IT and explaining our method of approaching what we researched and found, we decided to connect the entire solution to our CD, which is being done through GitHub Actions.
    2. We created a VPC endpoint (VPCe) in each VPC that we wanted to connect the API gateway to.
    3. We created an ACM certificate issued by our Private CA.
    4. We created an NLB with a TLS:443 listener pointing at the VPCe network interfaces and attached the certificate created in the previous step.
    5. We connected Route 53 to our NLB and made sure we get the response {"message": "Forbidden"}, which means we are reaching the NLB and getting an answer from the API gateway behind it.
    6. We decided to use boto3 to connect the domain name and our API gateways, as shown in the script below.
import sys

import boto3
from botocore.exceptions import ClientError

# Custom domain name (defined in Route 53) per AWS account; values are placeholders
DOMAIN_NAMES = {
    "<account-id>": "<private-api-domain>",
}
api_client = boto3.client("apigateway")


def set_api_mapping(account_id: str, env: str) -> None:
    # Get list of APIs (the call pages at 25 items; paginate for larger accounts)
    api_list = api_client.get_rest_apis()["items"]
    api_id = None

    # Check if an API exists for the specified env (substring match; if several
    # API names contain the env string, the last one listed wins)
    for api in api_list:
        if env in api["name"]:
            api_id = api["id"]

    # Abort the workflow if no API exists for this env
    if api_id is None:
        print(f"API not found for env: {env}")
        sys.exit(1)

    # Create the base path mapping <domain>/<env> -> <api>/<stage>
    try:
        api_client.create_base_path_mapping(
            domainName=DOMAIN_NAMES[account_id],
            basePath=env,
            restApiId=api_id,
            stage=env,
        )
        print(f"API mapping created for DNS name: {DOMAIN_NAMES[account_id]} and env: {env}")
    except ClientError as e:
        if e.response["Error"]["Code"] == "ConflictException":
            print(f"Base path already exists for domain: {DOMAIN_NAMES[account_id]} and env: {env}")
        else:
            # Any other API error should fail the workflow rather than be swallowed
            raise

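The script above creates the mapping once and treats a ConflictException as success. As an added example (not Cellebrite's or Develeap's code), the following reconciles the mapping instead: it matches the env exactly on an assumed "<service>-<env>" naming convention, paginates the list calls, and updates an existing base path that points at a stale API or stage. The client is passed in (a boto3 apigateway client in practice; a constructed stand-in here) so the logic can be exercised offline.

```python
from typing import Callable, List, Optional

def find_api_id(apis: List[dict], env: str) -> Optional[str]:
    # Assumed naming convention "<service>-<env>": match the env exactly,
    # so "dev" never picks up an API named "api-devops" as a substring test would.
    for api in apis:
        if api["name"].rsplit("-", 1)[-1] == env:
            return api["id"]
    return None

def list_all(call: Callable, **kwargs) -> List[dict]:
    # API Gateway list calls page with a 'position' token (default page: 25 items).
    items, position = [], None
    while True:
        resp = call(**kwargs, **({"position": position} if position else {}))
        items.extend(resp.get("items", []))
        position = resp.get("position")
        if not position:
            return items

def plan_mapping(existing: List[dict], env: str, api_id: str) -> str:
    # What the domain needs for base path <env>: "create", "update" or "noop".
    for m in existing:
        if m.get("basePath") == env:
            return "noop" if (m["restApiId"], m["stage"]) == (api_id, env) else "update"
    return "create"

def reconcile(client, domain: str, env: str) -> str:
    # `client`: boto3.client("apigateway") in practice, or any object with these methods.
    api_id = find_api_id(list_all(client.get_rest_apis), env)
    if api_id is None:
        raise LookupError(f"no REST API found for env {env!r}")
    existing = list_all(client.get_base_path_mappings, domainName=domain)
    action = plan_mapping(existing, env, api_id)
    if action == "create":
        client.create_base_path_mapping(domainName=domain, basePath=env, restApiId=api_id, stage=env)
    elif action == "update":
        client.update_base_path_mapping(domainName=domain, basePath=env, patchOperations=[
            {"op": "replace", "path": "/restapiId", "value": api_id},
            {"op": "replace", "path": "/stage", "value": env}])
    return action

class FakeClient:
    # Constructed stand-in for offline runs; records the write calls it receives.
    def __init__(self, apis, mappings):
        self.apis, self.mappings, self.calls = apis, mappings, []
    def get_rest_apis(self, **kw): return {"items": self.apis}
    def get_base_path_mappings(self, **kw): return {"items": self.mappings}
    def create_base_path_mapping(self, **kw): self.calls.append(("create", kw))
    def update_base_path_mapping(self, **kw): self.calls.append(("update", kw))
```

Running reconcile in a CD workflow twice is then safe: the second run reports "noop" instead of relying on a ConflictException.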

Infrastructure as Code

For our infrastructure, we decided to use the Serverless Framework, a well-known framework for deploying serverless functions to the cloud of your choice. It can also be used as IaC to deploy the resources your application needs, which keeps the entire configuration for your serverless application in one place.


CD process

In our CD process, we decided to change the way we deploy our system. Instead of running a serverless compose, we deploy each service on its own. We found that running the deployments in parallel is viable, given that everything is serverless.

After we deploy all our services and the gateway with our GitHub Actions workflows, we run a dedicated workflow that executes the scripts described earlier. This workflow is named after the stage we deploy, and it automatically adds that stage as an additional base path under our DNS name.

So, how can we make sure that our API gateway is secure?
In addition to making the API gateway private, another measure recommended by AWS is to create authentication functions (Lambda authorizers) for the API, which can return a response such as the following to unauthenticated callers:

{"message": "Missing Authentication Token"}

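As an added example (not the page's own code), a minimal Python Lambda authorizer of the kind referred to above: it checks a bearer token and returns the Allow/Deny policy that API Gateway evaluates before the request reaches the backend. The token source (an environment variable) and the principal id are assumptions for illustration.

```python
import hmac
import os
from typing import Dict, Optional

# Assumed: the expected token arrives through an environment variable; in
# production read it from Secrets Manager or SSM Parameter Store instead.
EXPECTED_TOKEN = os.environ.get("API_AUTH_TOKEN", "constructed-example-token")

def check_token(header: Optional[str], expected: str = EXPECTED_TOKEN) -> bool:
    # Accept only "Bearer <token>"; compare in constant time to avoid timing leaks.
    if not header or not header.startswith("Bearer "):
        return False
    return hmac.compare_digest(header[len("Bearer "):], expected)

def build_policy(principal: str, effect: str, method_arn: str) -> Dict:
    # The IAM policy document API Gateway expects back from a Lambda authorizer.
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }

def handler(event: Dict, context=None) -> Dict:
    # TOKEN authorizer entry point: API Gateway puts the Authorization header in
    # event["authorizationToken"] and the invoked method in event["methodArn"].
    allowed = check_token(event.get("authorizationToken"))
    # A Deny policy makes API Gateway answer 403 without invoking the backend.
    return build_policy("caller", "Allow" if allowed else "Deny", event["methodArn"])
```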

Results & Conclusions

In conclusion, Cellebrite’s migration from public AWS API Gateways to private ones with custom DNS has been a substantial step forward, despite initial challenges. The team navigated stringent security measures and a lack of comprehensive documentation to devise a robust strategy, leveraging resources like the AWS samples repository and the Serverless framework. This approach has resulted in a secure and efficient infrastructure, with private API gateways, custom DNS, and authentication functions enhancing system security to meet and exceed industry standards.

The decision to centralize the DNS for all environments and deploy each service individually has improved performance, streamlined the deployment process, and reduced cloud resource costs. With the use of open-source projects like Serverless, Boto3, and GitHub Actions, the migration process has been simplified and successful. This ongoing transition is already yielding significant benefits, reinforcing Cellebrite’s commitment to providing top-tier digital intelligence solutions worldwide.

About Develeap

Develeap is a leading technology company that specializes in providing expert DevOps consulting services. With highly skilled DevOps engineers who are well-versed in the latest technology stack, Develeap is ready to help you build, manage and support Kubernetes, Cloud & On-premises, CI/CD processes, Git and GitOps, Infrastructure as Code, Monitoring & Logging, Containers, and more.
