
Connecting to a private VPC from AWS API Gateway

Purpose of the article: This article describes how to connect from AWS API Gateway to EC2 instances that sit in a private VPC.

Intended audience: AWS Cloud Admins, Cloud Integration developers and DevOps.

Keywords: AWS API Gateway to a private ELB (EC2) inside a VPC.

A typical deployment architecture for smaller start-ups is to have API Gateway at the front.

When a request arrives, API Gateway passes it to an ELB, which in turn distributes the requests across a set of EC2 instances.

These ELBs and EC2 instances are typically inside a VPC. AWS API Gateway can use the ELB as the HTTP endpoint for its integration, but then the ELB needs to be exposed to the internet.

The concern is that requests can then be made directly to the ELB, bypassing the rules configured in AWS API Gateway.

We can allow only requests originating from AWS API Gateway to reach our application by configuring client certificates, preventing DDoS attacks on the ELB.

An ideal solution is to pass requests from AWS API Gateway to the private ELB (EC2) in the VPC through a VPC Link with an NLB (Network Load Balancer), instead of exposing our ELB (Elastic Load Balancer) to the outside world (the internet).

The VPC Link is the bridge between AWS API Gateway and the NLB. An NLB works at the TCP layer and cannot terminate SSL/TLS.

As per the official AWS documentation, the steps for creating a Network Load Balancer (NLB) are described at the link below.

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html

After creating the NLB, configure HTTP health checks for the Target Group; this should be done while creating the NLB itself. If we create or modify the target group afterwards, we only get TCP health checks.

The NLB must have inbound access to the EC2 instances on port 80, configured in their Security Groups. Since an NLB does not get a security group of its own (but does have fixed IPs), these IPs are added directly to the Security Group of the EC2 instances. The NLB's IPs are not very evident; see here for how to find them:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups.

Creating a VPC Link

Navigate to the API Gateway console, choose the target NLB that we created from the drop-down, and then note the ID of the VPC Link.

Below is the reference screenshot for creating the VPC Link with the NLB as its target.

After the VPC Link is created, its ID is shown; we need this ID later.

Creation of AWS API Gateway (REST API)

Create a new API of type REST in AWS API Gateway.

1. Choose Create Resource from the Actions drop-down menu. In the New Child Resource pane, select the Configure as proxy resource option to create a proxy resource, then click Create Resource.

2. With the resource just created selected, choose Create Method from the Actions drop-down menu.

3. Choose a method (GET, POST, PATCH or DELETE) from the HTTP method drop-down list and then choose the checkmark icon to save the choice.

4. Configure the VPC Link as the integration: choose VPC Link as the Integration type.

5. Choose Use Proxy Integration.

6. From the VPC Link drop-down list, choose Stage Variables and enter ${stageVariables.VPCLink}, as shown below.

7. Type http://${stageVariables.VPCNLB}/{proxy} as the Endpoint URL. This is used to set the Host header of the integration request. The VPCLINK and VPCNLB stage variables are defined after deploying the API to a stage. Stage variable names are case-sensitive, so the names defined on the stage must match the spelling used in the integration settings exactly.

8. Below is the reference for the configuration. Save it and deploy the API by clicking Deploy API in the Actions drop-down.

9. After deploying it to a stage, you can add the VPCLINK and VPCNLB stage variables, as shown in the screenshot below.
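The same configuration expressed as a CloudFormation template, added here as an example and not taken from the original post or from AWS documentation. It assumes an existing internal NLB whose ARN and DNS name are passed in as the placeholder parameters NlbArn and NlbDnsName; the resource names (VpcLink, RestApi, ProxyResource, ProxyMethod, Deployment, Stage, private-nlb-link, private-vpc-api, prod) are chosen for this example, and the stage variables use the spelling VPCLink and VPCNLB because the integration settings must match them case-sensitively.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  NlbArn: {Type: String}       # ARN of the internal NLB (placeholder; supply your own)
  NlbDnsName: {Type: String}   # DNS name of the NLB; becomes the integration Host header
Resources:
  VpcLink:                     # the bridge between API Gateway and the NLB
    Type: AWS::ApiGateway::VpcLink
    Properties:
      Name: private-nlb-link
      TargetArns: [!Ref NlbArn]
  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: private-vpc-api
  ProxyResource:               # greedy proxy resource, as in step 1
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref RestApi
      ParentId: !GetAtt RestApi.RootResourceId
      PathPart: '{proxy+}'
  ProxyMethod:                 # ANY method with VPC Link proxy integration, steps 2-7
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: NONE
      ApiKeyRequired: true     # callers must present an API key; attach a usage plan separately
      RequestParameters: {method.request.path.proxy: true}
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK
        ConnectionId: '${stageVariables.VPCLink}'        # resolved per stage, as in step 6
        Uri: 'http://${stageVariables.VPCNLB}/{proxy}'  # Host header comes from VPCNLB, step 7
        RequestParameters: {integration.request.path.proxy: method.request.path.proxy}
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: ProxyMethod
    Properties: {RestApiId: !Ref RestApi}
  Stage:                       # stage variables supply the real values, steps 8-9
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApi
      DeploymentId: !Ref Deployment
      StageName: prod
      Variables:
        VPCLink: !Ref VpcLink  # Ref on an AWS::ApiGateway::VpcLink returns its ID
        VPCNLB: !Ref NlbDnsName
```

The NLB's fixed IPs still have to be allowed on port 80 in the EC2 security group as described above; the template does not do that because those IPs are only known after the NLB exists.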

There are advantages in using this solution: we can log each request by enabling logging, and the logs can be found in AWS CloudWatch; method throttling can be applied; the API is secured by using API keys or custom authorizers at the Method Request level; and the solution is cost-effective.

References / Sources of the information referred to:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html

Which MOURI Tech service this article relates to:

https://www.mouritech.com/services/cloud-infrastructure-computing-services

Contact Details:
Sai Manoj Karnatakapu
Team Lead, Cloud Solutions – Digital Transformation.
MOURI Tech
