AWS API Gateway Access Private Subnet


Solution 1

Are the services you have running on EC2 offering an API? API Gateway is meant to proxy API requests. It's commonly used in conjunction with Lambda to allow Lambda functions to process HTTP requests. An API Gateway is not necessary for your service. You can simply use an Application Load Balancer (ALB) or an Elastic Load Balancer (ELB). They can reside on a public subnet while your service remains in the private subnet. You can use security groups and VPC routing tables to allow communication from your public ALB/ELB to your private EC2 service.

Solution 2

With Ben's help, here is the answer: Introducing Amazon API Gateway Private Endpoints

Inbound: Accessing services hosted in Private Subnet via API Gateway

Endpoint integrations inside a private VPC. With this capability, you can now have your backend running on EC2 be private inside your VPC without the need for a publicly accessible IP address or load balancer.

So essentially API Gateway can access published endpoints, even in Private Subnets.

OutBound: Accessing externally hosted services from Private Subnet via API Gateway

API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. When using private DNS, all traffic to that service is directed to the interface endpoint instead of through a default route, such as through a NAT gateway or public IP address.

So you simply need to create a VPC endpoint in the Pvt Subnet for the API Gateway: VPC Endpoint - API Gateway
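As an added example (not from the question or either answer), a Terraform configuration for the outbound path described above: an interface VPC endpoint for the execute-api service placed in the private subnets, with private DNS enabled so the API's hostname resolves to the endpoint ENIs, a security group that admits only HTTPS from the private subnet CIDR, and a resource policy that limits invocation to that endpoint. The region, CIDR, VPC and subnet IDs are placeholders.

```hcl
# Added example: PrivateLink interface endpoint for API Gateway (execute-api).
# Every identifier and CIDR below is a placeholder, not a value from the thread.
variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "private_subnets" { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "private_cidr"    { default = "10.0.128.0/20" }

# Only hosts in the private subnet may reach the endpoint ENIs, and only on 443.
resource "aws_security_group" "apigw_endpoint" {
  name   = "apigw-endpoint-sg"
  vpc_id = var.vpc_id

  ingress {
    description = "HTTPS from the private subnet to the endpoint ENIs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.private_cidr]
  }
  # No egress rule: the endpoint ENIs never initiate connections.
}

resource "aws_vpc_endpoint" "execute_api" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.us-east-1.execute-api"   # placeholder region
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnets
  security_group_ids = [aws_security_group.apigw_endpoint.id]
  # With private DNS on, *.execute-api.us-east-1.amazonaws.com resolves to the
  # endpoint ENIs, so instances need neither a NAT gateway nor a public IP.
  private_dns_enabled = true
}

# Resource policy for a PRIVATE-type API: allow Invoke only when the request
# arrives through this endpoint (aws:SourceVpce). Attach via the API's `policy`.
data "aws_iam_policy_document" "only_via_endpoint" {
  statement {
    effect    = "Allow"
    actions   = ["execute-api:Invoke"]
    resources = ["execute-api:/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.execute_api.id]
    }
  }
}
```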

Updated on June 11, 2022

Comments

  • Sam-T
    Sam-T almost 2 years

    I have Public and Pvt Subnets in my VPC. I have some services running on EC2 in the Pvt subnet that need to be accessed by external/mobile resources. How do I do this - is VPCLink and NLB the way to do it, or any other way, create some access point in the Public subnet (??). Lambda seems to be the answer (for almost everything in AWS now) - not sure even how that access works for resources in a Pvt Subnet.

    Also the same Pvt Subnet has to access external resources (outside of AWS) - how do I do this using the API Gateway?

    Not quite understanding how the API Gateway (and Lambda) is situated vis-a-vis the VPC and subnets, and how the network access control functions - can they access Pvt subnets directly or not. The documentation is somewhat silent on this, only talks about IAM - if someone can explain this. Found this on Lambda: AWS Lambda: How to setup a NAT gateway for a lambda function with VPC access.

    The documentation says "API Gateway allows you to securely connect ... publicly addressable web services hosted inside or outside of AWS". My resources in Pvt subnet are not publicly addressable - I suppose.

    Thanks

  • Sam-T
    Sam-T over 5 years
    Ben - yeah I can expose the service as an "API" or REST API. I would prefer to use API Gateway for access control etc. So are you saying the only way to expose these "private" services is via a Public ALB and the API Gateway can not access them otherwise? So on the outgoing side my Pvt EC2 can not access the API Gateway directly unless I use NAT or something? I am totally unclear how VPC Link works - or if it becomes applicable in this scenario at least on the inbound side (?).
  • Ben Whaley
    Ben Whaley over 5 years
    When you create an API in API Gateway it will be publicly accessible. You can set the endpoint in API Gateway to your EC2 in a private subnet. No ELB needed unless you want redundancy or need more than one instance.
  • Sam-T
    Sam-T over 5 years
    Ok so my "Private" endpoint becomes public via the API Gateway, so probably that answers my issue on the I/B side. I actually do have an ALB fronting my service(s) in the Pvt Subnet - that takes care of redundancy etc. Does this ALB have to be Public? So what do I have to do for Outbound - does the same logic apply?
  • Ben Whaley
    Ben Whaley over 5 years
    The ALB can be private and the API gateway will be able to receive inbound traffic and route it to your ALB. If your API service needs outbound access (are you sure it does?), attach a NAT gateway to your private subnet and set up a route so your EC2 instance can reach the Internet. If your service only needs to reply to requests and doesn't need Internet access for any other reason, you might not need to do this. Also, you might find this blog post helpful: aws.amazon.com/blogs/compute/…
  • Sam-T
    Sam-T over 5 years
    Ben - very good link, clarified almost everything. So for Inbound essentially I have to do nothing - API Gateway Supports Endpoint Integrations with Private VPCs. My Outbound scenario is my Pvt instances need to access externally hosted services (not response) - for this I can use/create AWS PrivateLink interface VPC endpoints for the API Gateway, and access those services(?)
  • Adrian Baker
    Adrian Baker almost 5 years
    Unfortunately it's still possible to bypass API Gateway auth from anything else running in the VPC, as there is no way to use a security group to restrict access to just API Gateway.