Integrate Network Load Balancer with API Gateway with HTTP integration - amazon-web-services

I have an internet-facing NLB and want to integrate it with API Gateway. Searching over posts and AWS docs, they all provide only one way: using VPC Links with private integration. However, this introduces the limitation that API Gateway, VPC Links and the NLB all have to exist in one single account. Trying to get some help to see if it is possible to use another type of integration like HTTP (I also notice that Elastic Load Balancing is one of the AWS Service integration options, but not sure if it is only for ALB).
Many thanks

Related

How to build an IAM authenticated VPC gateway on AWS?

I'm trying to expose an HTTP server to the internet. The server runs on a Fargate container inside a dedicated VPC. I could just expose it through a public Application Load Balancer (ALB) if it wasn't for the fact that requests to this server must be authenticated using IAM.
My approach was to put an AWS Gateway v1 in front of the service's load balancer. This Gateway verifies authentication through IAM, then relays the request to a Network Load Balancer (NLB) using a VPC Link. The NLB in turn routes it to the server itself.
Here's the problem: API Gateway v1 does not support VPC Links to ALBs, only NLBs, but NLBs use TCP, while I'm exposing an HTTP server. This way I can't relay paths and other HTTP features through the Network Load Balancer.
API Gateway v2 does support VPC Links to ALBs, but it does not have a way to authenticate using IAM.
Is there any way to work around this problem?
I am not sure why you think api gtw 2 does not allow IAM authentication or where you got that from?
Can you put your cloudformation here or point to a git so I can test it with a policy?
Can you put the link where it says that API GTW 2 does not support IAM Authorization?
The documentation clearly mentions that you can use IAM Authorisers?
https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/doc-history.html
Here is a blog that might help?
https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
You could go the long way and use a Cognito Pool, link that to your API GTW, if what you say is true.
https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/
Hope this helps; I'd be curious about your CloudFormation if you are willing to share.

Is it possible to have IP whitelisting using google GCP API Gateway?

I've been searching on google and keep getting referred to the VPC documentation https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity but I don't think this will solve my problem. I'm trying to limit the IP address accessing my webhook function on GCP and I need to use API gateway (Apigee isn't an option at the moment for me). Any advice would be great!
If API Gateway isn't a requirement, I propose this solution:
Update the ingress control of your function, setting it to internal_and_cloud_load_balancing to allow only traffic from your VPCs and the load balancers
Then create an HTTPS external load balancer with a serverless NEG that points to your Cloud Function
Add Cloud Armor policies on your Load Balancer to filter IP sources.
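The three steps above as a Terraform definition, added here as an example and not the answerer's code: the function's ingress setting rejects direct internet calls, a serverless NEG places it behind the external HTTPS load balancer, and a Cloud Armor policy attached to the backend service allows one source range and denies everything else. The function name, region, source bucket and the 203.0.113.0/24 range are constructed placeholders, and the load balancer front end (URL map, target HTTPS proxy, forwarding rule) is assumed to be attached to this backend service separately.

```hcl
resource "google_cloudfunctions_function" "webhook" {
  name                  = "webhook"            # constructed placeholder
  region                = "us-central1"
  runtime               = "python39"
  entry_point           = "handler"
  trigger_http          = true
  source_archive_bucket = "example-bucket"     # constructed placeholder
  source_archive_object = "webhook.zip"        # constructed placeholder
  # Step 1: direct calls from the internet are refused at the function itself;
  # only traffic from the VPC or from a Google Cloud load balancer is accepted.
  ingress_settings = "ALLOW_INTERNAL_AND_GCLB"
}

# Step 2: serverless NEG so the external HTTPS load balancer can target the function.
resource "google_compute_region_network_endpoint_group" "neg" {
  name                  = "webhook-neg"
  region                = "us-central1"
  network_endpoint_type = "SERVERLESS"
  cloud_function { function = google_cloudfunctions_function.webhook.name }
}

# Step 3: Cloud Armor policy evaluated at the load balancer edge.
resource "google_compute_security_policy" "allowlist" {
  name = "webhook-allowlist"
  rule {                       # allow only the listed source range (constructed sample)
    action   = "allow"
    priority = 1000
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["203.0.113.0/24"] }
    }
  }
  rule {                       # default rule: everything else gets a 403
    action   = "deny(403)"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}

# Backend service that carries the policy; the NEG is its only backend.
resource "google_compute_backend_service" "webhook" {
  name            = "webhook-backend"
  security_policy = google_compute_security_policy.allowlist.id
  backend { group = google_compute_region_network_endpoint_group.neg.id }
}
```

Because the function's ingress is restricted, a caller who discovers the raw cloudfunctions.net URL cannot bypass the Cloud Armor rules by calling it directly.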

Using GCP API Gateway to front a Cloud Run backend with private ingress

I'd like to front my Cloud Run hosted API with API gateway, and only allow access to the Cloud Run URL from API Gateway.
I currently have an API deployed to Cloud Run with "public" ingress and authorization enabled. This works, however I'm curious if I can change my ingress model on Cloud Run to "internal" in order to entirely avoid routing any internet traffic to my Cloud Run container.
I know API Gateway is in Beta, and it seems like some aspects of internal ingress are Beta as well -- however I'm curious if there is a way to make this work.
Per the ingress docs, it seems like if I can somehow make my API Gateway request come from a VPC network, this setup should work, however I am not able to find a way to make this happen on the API gateway side.
When you deploy a Cloud Run service with internal only ingress, the requests need to come from the VPC SC or from your VPC.
With API Gateway, you can't plug your VPC or use the service in VPC SC (not a supported service), so you can't, yet.
The team is aware of this issue and should work on it. I don't know the priority and the ETA.

AWS API Gateway with ECS

What's the standard implementation I should make to implement an AWS API Gateway entry point with an ECS microservices structure?
I've been trying to do it, but I get an ALB that is public and an API Gateway pointing to it; the problem is that the authentication is handled by API Gateway, so the ALB endpoint is insecure.
Thanks
This is pretty standard and well documented. Have you checked the articles published by AWS? I think these articles would help
Normally you would have a private Load Balancer and need to setup a "private integration" between API Gateway and Load Balancer

Limit API calls to AWS API Gateway

I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now, this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but the AWS API Gateway IP changes all the time. I also tried using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that load balancer!
Thanks in advance for the help!
You can do this by using a Network Load Balancer.
Create an internal network load balancer and have your containers be added to its target group.
Then in API Gateway create a VPCLink to your Network Load Balancer. Then use the VPCLink within your API Gateway setup.
More instructions available here.
You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control in order to understand how you can enable endpoint private access for your cluster.
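The private-integration pattern described in the answers to this question and to "AWS API Gateway with ECS" (internal NLB, VPC link, IAM-authorized method) as Terraform, added here as an example rather than taken from any answer or from AWS documentation; it is also the IAM-authenticated layout asked about under "How to build an IAM authenticated VPC gateway on AWS?". The subnet and VPC IDs are placeholders, and the ECS tasks or EKS pods are assumed to listen on port 8080.

```hcl
resource "aws_lb" "api" {                 # internal: no public IP, unreachable from the internet
  name               = "api-internal-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]  # assumption: private subnets
}
resource "aws_lb_target_group" "api" {
  name        = "api-targets"
  port        = 8080
  protocol    = "TCP"
  target_type = "ip"                      # ECS task / EKS pod IPs are registered here
  vpc_id      = "vpc-PLACEHOLDER"          # assumption: existing VPC
}
resource "aws_lb_listener" "api" {
  load_balancer_arn = aws_lb.api.arn
  port              = 80
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

resource "aws_api_gateway_vpc_link" "api" {   # the only path from API Gateway into the VPC
  name        = "api-vpc-link"
  target_arns = [aws_lb.api.arn]
}
resource "aws_api_gateway_rest_api" "api" {
  name = "api"
}
resource "aws_api_gateway_method" "root" {     # IAM auth: unsigned requests are rejected here
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_rest_api.api.root_resource_id
  http_method   = "ANY"
  authorization = "AWS_IAM"
}
resource "aws_api_gateway_integration" "root" { # private integration through the VPC link
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_rest_api.api.root_resource_id
  http_method             = aws_api_gateway_method.root.http_method
  type                    = "HTTP_PROXY"
  integration_http_method = "ANY"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.api.id
  uri                     = "http://${aws_lb.api.dns_name}/"
}
```

With the NLB internal, there is no public endpoint to allow-list by IP: the only way to reach the targets from outside the VPC is through the VPC link, after API Gateway has applied IAM authorization.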