I'm struggling to find a solution that makes an ALB forward traffic to API Gateway (ideally private). Below is the flow:
Domain => ALB => API Gateway.
How can we make ALB forward traffic to private API Gateway?
I do not think you can do this reliably. The only way I can think of is to use the IP address target type in your ALB's target group. This would have to be the private IP address of your private API Gateway interface endpoint in the VPC.
The problem is that the private IP is probably not guaranteed to be static. Thus you should always use the DNS name of the gateway, but ALB will not accept a DNS name. It can only take IP addresses.
So you can try and use the private IP address as the target, and if the IP changes too often you have to develop a custom solution to monitor the IPs and update your ALB target groups.
We have 10 instances on which we deployed the app using AWS ECS and ELB.
Due to security reasons the API allows requests only from specific whitelisted IP addresses.
So we are planning to pass the requests through a proxy.
How do we route an API request through a proxy?
We are using nginx.
Any specific way to route an API request through a proxy will be helpful.
You won't need NGINX as a proxy for this use-case, I'd propose to consider looking into using AWS NAT Gateways. NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). It's the perfect place to provide a static IP to all your subnet's outbound traffic.
You can provide a NAT Gateway with a static IP (Elastic IP) for your cluster's outbound traffic. This will allow your different tasks running inside your ECS cluster's private subnets to look like a single requesting entity from an outsider's POV (in your case, the 3rd party API is the outsider). To achieve this, you will have to:
Create 2 route tables (1 for private subnets, 1 for public subnets)
An Internet gateway on the public subnet
An Elastic IP address
Create a NAT Gateway and attach the elastic IP to it (This will be the IP whitelisted to the 3rd party API)
Ensure that all your tasks are running inside private subnets of the VPC
Add a rule in your route table for your private subnets that redirects outbound 0.0.0.0/0 to the NAT Gateway.
Add a rule in your route table for your public subnets that redirects outbound traffic 0.0.0.0/0 to the internet gateway.
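The steps above are easy to get subtly wrong (a private subnet left on the VPC's main route table, or the NAT Gateway itself placed in a subnet without an Internet Gateway route), so here is an added example, not part of the answer above, that validates the layout against data shaped like the output of `aws ec2 describe-route-tables` and `describe-nat-gateways`. The sample route tables, subnet IDs and the 203.0.113.10 Elastic IP are constructed for the demonstration; in a real account you would feed in the JSON from those two CLI calls.

```python
"""Validate the NAT Gateway egress layout: private subnets default-route to a NAT
Gateway, public subnets (including the NAT Gateway's own) default-route to an Internet
Gateway. Input dicts mirror `aws ec2 describe-route-tables` / `describe-nat-gateways`
output; the sample data below is constructed, not from a real account."""

DEFAULT_ROUTE = "0.0.0.0/0"


def route_target(route):
    """Identifier a route points at, whichever describe-route-tables field carries it."""
    return (route.get("NatGatewayId") or route.get("GatewayId")
            or route.get("NetworkInterfaceId") or route.get("InstanceId"))


def default_route(route_table):
    """The table's 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route
    return None


def route_table_for_subnet(route_tables, subnet_id):
    """Explicitly associated table if any, otherwise the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def egress_kind(route_tables, subnet_id):
    """Classify a subnet's egress: ('nat', id), ('igw', id), ('other', id) or ('none', None)."""
    table = route_table_for_subnet(route_tables, subnet_id)
    route = default_route(table) if table else None
    if route is None or route.get("State") == "blackhole":
        return "none", None
    target = route_target(route)
    if target.startswith("nat-"):
        return "nat", target
    if target.startswith("igw-"):
        return "igw", target
    return "other", target


def check_egress_routing(route_tables, nat_gateways, private_subnets, public_subnets):
    """Return human-readable findings; an empty list means the layout matches the pattern."""
    findings = []
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    for subnet in private_subnets:
        kind, target = egress_kind(route_tables, subnet)
        if kind != "nat":
            findings.append(f"{subnet}: default route is {kind} ({target}); outbound calls "
                            "will not leave through the NAT Gateway's Elastic IP")
            continue
        nat = nat_by_id.get(target)
        if nat is None or nat.get("State") != "available":
            findings.append(f"{subnet}: routes to {target}, which is missing or not available")
        elif egress_kind(route_tables, nat["SubnetId"])[0] != "igw":
            findings.append(f"{target}: lives in {nat['SubnetId']}, which has no Internet Gateway "
                            "route, so the NAT Gateway itself cannot reach the Internet")
    for subnet in public_subnets:
        kind, target = egress_kind(route_tables, subnet)
        if kind != "igw":
            findings.append(f"{subnet}: expected an Internet Gateway default route, found {kind} ({target})")
    return findings


def whitelist_ips(nat_gateways):
    """Elastic IPs the third-party API must whitelist."""
    return sorted(a["PublicIp"] for n in nat_gateways for a in n.get("NatGatewayAddresses", []))


# Constructed sample: one private table, one public table, and a main table with only
# the local route (so a subnet that nobody associated explicitly has no egress at all).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
]
SAMPLE_NAT_GATEWAYS = [{"NatGatewayId": "nat-0123", "SubnetId": "subnet-pub-a", "State": "available",
                        "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]}]
PRIVATE_SUBNETS = ["subnet-priv-a", "subnet-priv-b", "subnet-priv-c"]  # priv-c was never associated
PUBLIC_SUBNETS = ["subnet-pub-a"]

if __name__ == "__main__":
    for finding in check_egress_routing(SAMPLE_ROUTE_TABLES, SAMPLE_NAT_GATEWAYS,
                                        PRIVATE_SUBNETS, PUBLIC_SUBNETS):
        print("FINDING:", finding)
    print("IPs to whitelist:", whitelist_ips(SAMPLE_NAT_GATEWAYS))
```

Run against the sample, the only finding is `subnet-priv-c`, which silently falls back to the main route table and therefore has no path to the vendor API at all; `whitelist_ips` is what you hand to the third party, and it stays valid for as long as the Elastic IP stays attached to the NAT Gateway.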
You should consider using NAT Gateway instead. I am assuming you already would have all your containers in a VPC, so you can create a new NAT Gateway within this VPC itself.
You can refer to articles attached below to do this:
https://docs.aws.amazon.com/appstream2/latest/developerguide/add-nat-gateway-existing-vpc.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Note: NAT Gateways have a price associated with them.
If needed, you can use the elastic IP provided by NAT Gateways on your lambdas as well.
I am building a webserver with AWS Lambda and I need a public IP address that I can call to request the Lambda function. My users need to put this IP address as an A record into their DNS.
Is it somehow possible, for example, to associate an Elastic IP to a single Lambda function for incoming traffic? Maybe through a load balancer?
For the outgoing traffic I have my NAT and Internet Gateways, which are working fine.
You have 2 choices that can provide this functionality:
API Gateway - This is made for traditional API calls, you will need to create a custom domain mapping to your API within AWS for each domain that will use the API Gateway.
Application Load Balancer - You can use an ALB to have your Lambda as a target for all requests. However, without path based pattern matching be aware that all requests will arrive at the same Lambda.
Both of the above will require that the subdomain is mapped by a CNAME rather than an A Record. This is because both of these domains recycle IP addresses on an infrequent basis.
If you absolutely must have the record resolve to an IP you would need to use an NLB in front of your ALB. The NLB supports a static IP per subnet, the ALB would then become its target through IP mapping and an existing AWS service. If you can use CNAMEs then you do not need to do this.
Is it possible to restrict the internet gateway from 0.0.0.0/0 to my own IP address, i.e. 119.11.111.11/32?
I want to restrict it to my IP address and then have the NAT Gateway point to my IP address 119.11.122.11/32.
The reason is to make it more secure and to make sure all requests are going to and from my IP address.
I would like to know if anyone has done it and it still works. I have tried on my AWS account and it has not worked.
Thank you.
If you want resources in an Amazon VPC to only be accessible to your own IP address, then you should configure the Security Groups on your resources.
By default, security groups block all incoming traffic. You can add Inbound rules to allow traffic from your IP address on the desired ports.
A security group for a NAT Gateway normally allows:
No inbound traffic
All outbound traffic (so that your private resources can access the Internet)
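As an added example, not part of the answer above, here is a small lint over the inbound rules of a security group, in the shape returned by `aws ec2 describe-security-groups`: it flags any rule open to 0.0.0.0/0 or ::/0, any source CIDR that is not inside the approved list, and any port not on the approved set. The sample group and its `sg-0123` ID are constructed; the /32 is the one from the question.

```python
"""Lint a security group's inbound rules against an approved source list and port set.
Input mirrors `aws ec2 describe-security-groups` output; the sample group below is
constructed, with the /32 taken from the question above."""
import ipaddress

INTERNET = ("0.0.0.0/0", "::/0")


def rule_sources(perm):
    """Every source of one IpPermissions entry: IPv4/IPv6 CIDRs and referenced group IDs."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield g["GroupId"]


def rule_ports(perm):
    """Set of ports a rule covers; None means every port (protocol -1, or -1 port fields)."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") in (None, -1):
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def check_ingress(security_group, allowed_cidrs, allowed_ports):
    """Findings for rules that admit unapproved sources or ports; [] means the group is tight."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        label = "all traffic" if proto == "-1" else f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"
        for src in rule_sources(perm):
            if src in INTERNET:
                findings.append(f"{label}: open to the Internet ({src})")
            elif src.startswith("sg-"):
                continue  # traffic from another group inside the VPC, not an Internet source
            else:
                net = ipaddress.ip_network(src, strict=False)
                # subnet_of() raises on mixed IP versions, so compare versions first
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed_nets):
                    findings.append(f"{label}: source {src} is outside the approved list")
        ports = rule_ports(perm)
        if ports is None or not ports <= set(allowed_ports):
            findings.append(f"{label}: permits ports outside {sorted(allowed_ports)}")
    return findings


SAMPLE_GROUP = {
    "GroupId": "sg-0123",
    "IpPermissions": [
        # HTTPS only from the asker's address: what the answer above recommends
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "119.11.111.11/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # SSH from anywhere: the kind of rule the check should flag
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for f in check_ingress(SAMPLE_GROUP, ["119.11.111.11/32"], {443}):
        print("FINDING:", f)
```

Sources that reference another security group (`sg-...`) are skipped on purpose: they describe traffic from inside the VPC, which is what a NAT Gateway's private clients look like, not an Internet source.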
Hi, we have an AWS API Gateway configured with Lambda and now want to integrate with a vendor, wherein the vendor wants us to provide him with a static IP for the API Gateway that we have. As per my knowledge, API Gateway serves requests through dynamic Elastic IPs, which are listed here.
Is there a way to achieve this other than putting a forward proxy or NLB.
You cannot get a static IP if you are using a public API Gateway endpoint (Regional or Edge-optimized). The IPs allocated for APIs in any AWS region can be changed at any time and are a very wide range.
However, if you were to use a private API Gateway endpoint, you could use the below set up -
Client --> NLB(public static IP) --> VPC endpoint for API Gateway --> Private API
The execute-api VPC endpoint has fixed IP addresses allocated from the VPC CIDR range. With an NLB as a front-end (with a public static IP), you can add these IP addresses as targets in your NLB config.
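Both this answer and the first one on this page end at the same mechanical step: the private IPs of the execute-api interface endpoint's ENIs get registered as IP targets, here in an NLB target group, there in an ALB target group, and something has to keep that registration correct if the endpoint is ever recreated. The following is an added example, not code from either answer, of that sync job. The planning functions work on dicts shaped like `describe-vpc-endpoints`, `describe-network-interfaces` and `describe-target-health` output so they run offline; `fetch_live_plan` and `apply_sync` issue the real calls through boto3 (assumed installed and credentialed) and are not exercised by the sample. All IDs, IPs and the service name in the sample data are constructed.

```python
"""Keep an IP-type target group (NLB or ALB) in sync with the private IPs of an
execute-api VPC endpoint. Planning is pure Python over describe-* style data so it can be
tested offline; apply_sync/fetch_live_plan call boto3 (assumed installed, not exercised here).
The sample data is constructed."""


def endpoint_private_ips(vpc_endpoint, network_interfaces):
    """Private IPs of the endpoint's ENIs (AWS creates one per subnet the endpoint spans)."""
    wanted = set(vpc_endpoint["NetworkInterfaceIds"])
    return sorted(eni["PrivateIpAddress"] for eni in network_interfaces
                  if eni["NetworkInterfaceId"] in wanted)


def registered_ips(target_health_descriptions, port):
    """IPs currently registered on the given port, from describe-target-health output."""
    return sorted(d["Target"]["Id"] for d in target_health_descriptions
                  if d["Target"].get("Port") == port)


def plan_sync(registered, desired):
    """(to_register, to_deregister) that turns `registered` into `desired`."""
    return sorted(set(desired) - set(registered)), sorted(set(registered) - set(desired))


def apply_sync(target_group_arn, port, plan, region_name=None):
    """Register new IPs before removing stale ones so the group never empties."""
    import boto3  # imported lazily: the planning functions need no AWS credentials
    elbv2 = boto3.client("elbv2", region_name=region_name)
    to_register, to_deregister = plan
    if to_register:
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": ip, "Port": port} for ip in to_register])
    if to_deregister:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": ip, "Port": port} for ip in to_deregister])


def fetch_live_plan(vpc_endpoint_id, target_group_arn, port, region_name=None):
    """Build the plan from the live account (the same three describe calls the sample mimics)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    elbv2 = boto3.client("elbv2", region_name=region_name)
    endpoint = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpc_endpoint_id])["VpcEndpoints"][0]
    enis = ec2.describe_network_interfaces(
        NetworkInterfaceIds=endpoint["NetworkInterfaceIds"])["NetworkInterfaces"]
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)["TargetHealthDescriptions"]
    return plan_sync(registered_ips(health, port), endpoint_private_ips(endpoint, enis))


# Constructed sample: the endpoint spans two subnets; the target group still lists an IP
# from an ENI that no longer belongs to the endpoint and lacks the newer one.
SAMPLE_ENDPOINT = {"VpcEndpointId": "vpce-0123", "VpcEndpointType": "Interface",
                   "ServiceName": "com.amazonaws.eu-west-1.execute-api",
                   "NetworkInterfaceIds": ["eni-aaa", "eni-bbb"]}
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-aaa", "PrivateIpAddress": "10.0.1.5"},
    {"NetworkInterfaceId": "eni-bbb", "PrivateIpAddress": "10.0.2.6"},
    {"NetworkInterfaceId": "eni-zzz", "PrivateIpAddress": "10.0.9.9"},  # unrelated ENI
]
SAMPLE_HEALTH = [
    {"Target": {"Id": "10.0.1.5", "Port": 443}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.9.9", "Port": 443}, "TargetHealth": {"State": "unhealthy"}},
]

if __name__ == "__main__":
    plan = plan_sync(registered_ips(SAMPLE_HEALTH, 443),
                     endpoint_private_ips(SAMPLE_ENDPOINT, SAMPLE_ENIS))
    print("register:", plan[0], "deregister:", plan[1])
```

On the sample the plan is to register 10.0.2.6 and deregister 10.0.9.9. Running the planner on a schedule and alerting on a non-empty plan is the cheap version of the "custom solution to monitor the IPs" the first answer mentions; applying it automatically is the full version. The NLB only forwards TCP, so TLS still terminates at the endpoint and clients must present the API's execute-api hostname for the endpoint to route the request.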
You can also use a static IP proxy service such as QuotaGuard. I use that to deal with services that want to whitelist my IP when using dynamic DNS.
I have an application running in an EC2 instance in a private subnet (to add extra security), receiving traffic directly from an internet-facing NLB that is associated to the public subnet.
I have also configured a NAT Gateway in the public subnet so that the private EC2 instance can download whatever needed from the Internet.
I have just come to the following conclusion:
If I request from the Internet: http://index.html
The private EC2 Instance uses the NAT Gateway to send back the HTTP response, and therefore you are charged for that NAT processing.
https://aws.amazon.com/vpc/pricing/
"Data processing charges apply for each Gigabyte processed through the NAT gateway regardless of the traffic’s source or destination"
The Route Table associated to the Private Subnet (where the web/app server is located) has { - local ; 0.0.0.0/0 - NATGateway} If I remove the 0.0.0.0/0 entry, then the HTTP requests to the server do not work. And if I remove the NAT Gateway I get the same issue.
Additionally, when I have the NAT Gateway and the route table to use it from the Private Subnet, I can also see traffic in the monitoring tab of the NAT Gateway when I do a simple HTTP request from the Internet - http:///index.html
Has someone faced the same issue? Is my understanding correct?
Is there any workaround to avoid this? I can just think of the following:
Move the application to a Web Tier (in a public subnet) so that the EC2 Instance has a public IP and therefore it does not need the NAT Gateway to respond to every HTTP request
Create a Web Tier in addition to the Application Tier, so that all traffic goes from the NLB <-> Web Tier <-> App Tier
Create a NAT Instance instead of a NAT Gateway so that you are not charged for that NAT processing.
Thanks!
So, it turns out there is a strange behaviour (bug?) in NLB that requires a default route to something for return traffic to work.
Scenario:
NLB in Public Subnet
NLB Target Group pointing to an instance in a Private Subnet
Sending traffic to the NLB will not give a response.
Add:
NAT Gateway
Add a route in the Private Route Table to point to the NAT Gateway
This works.
However, it doesn't actually use the NAT Gateway!
Instead of adding a NAT Gateway, you can instead create a default route to another instance, for example:
0.0.0.0/0 -> another instance
Then, connecting to the NLB works!
Behind the scenes, the VPC network detects that traffic coming out of the instance is in response to a request that came via the NLB, and traffic will be routed out the NLB.
HOWEVER, it only works if there is a valid default route in the route table. The route isn't used -- the network overrides it, so it doesn't matter what it points to. However, it must point to a valid resource. It doesn't work if it points to an ENI that isn't attached to anything. In my tests, it also doesn't seem to work if you point it back to the same instance. But, I pointed it to another instance and it worked just fine.
AWS Support agrees that this is not the best behaviour, but it's how things have to be configured for the moment.
Bottom line: It does not require a NAT Gateway. It just needs a valid default route that will be ignored when routing return traffic.
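The conditions the answer above arrived at by experiment (a 0.0.0.0/0 route must exist, it must point at a valid resource, and pointing it back at the target instance itself did not work) can be checked before anyone wonders why the NLB health checks fail. The following is an added example, not code from the answer, that classifies the default route of the route table serving each NLB target. Input is shaped like `aws ec2 describe-route-tables` output; a route whose target no longer exists shows up there with `State: blackhole`, which is treated as no route. All route table, subnet and ENI IDs in the sample are constructed.

```python
"""Classify the default route of the route table serving an NLB target in a private
subnet, following the findings in the answer above: return traffic needs a 0.0.0.0/0
route that points at a valid resource, even though the route is not actually used.
Input mirrors `aws ec2 describe-route-tables` output; all sample data is constructed."""

DEFAULT_ROUTE = "0.0.0.0/0"


def default_route(route_table):
    """The table's 0.0.0.0/0 route, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route
    return None


def route_target(route):
    """Identifier a route points at, whichever describe-route-tables field carries it."""
    return (route.get("NatGatewayId") or route.get("GatewayId")
            or route.get("NetworkInterfaceId") or route.get("InstanceId"))


def return_path_status(route_table, target_eni_id):
    """(ok, reason) for an instance whose primary ENI is target_eni_id, served by route_table."""
    route = default_route(route_table)
    if route is None:
        return False, "no 0.0.0.0/0 route: requests through the NLB will get no response"
    target = route_target(route)
    if route.get("State") == "blackhole":
        return False, f"default route to {target} is blackhole (target gone); same as no route"
    if route.get("NetworkInterfaceId") == target_eni_id:
        return False, f"default route points at the target's own ENI {target}; reported not to work"
    kind = ("NAT Gateway" if target.startswith("nat-") else
            "Internet Gateway" if target.startswith("igw-") else "another instance/ENI")
    return True, f"default route via {kind} {target} is valid; return traffic goes back out the NLB"


def check_targets(route_tables, target_enis):
    """Map subnet -> status for each (subnet_id, eni_id) NLB target, via the subnet's route table."""
    by_subnet = {a["SubnetId"]: t for t in route_tables
                 for a in t.get("Associations", []) if "SubnetId" in a}
    return {subnet: return_path_status(by_subnet[subnet], eni) for subnet, eni in target_enis}


def _table(rt_id, subnet_id, extra_routes):
    """Build a constructed route table: the local route plus extra_routes."""
    return {"RouteTableId": rt_id, "Associations": [{"SubnetId": subnet_id}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]
                      + extra_routes}


SAMPLE_ROUTE_TABLES = [
    _table("rtb-none", "subnet-a", []),
    _table("rtb-blackhole", "subnet-b",
           [{"DestinationCidrBlock": DEFAULT_ROUTE, "NetworkInterfaceId": "eni-gone", "State": "blackhole"}]),
    _table("rtb-self", "subnet-c",
           [{"DestinationCidrBlock": DEFAULT_ROUTE, "NetworkInterfaceId": "eni-target-c",
             "InstanceId": "i-target-c", "State": "active"}]),
    _table("rtb-other", "subnet-d",
           [{"DestinationCidrBlock": DEFAULT_ROUTE, "NetworkInterfaceId": "eni-other",
             "InstanceId": "i-other", "State": "active"}]),
    _table("rtb-nat", "subnet-e",
           [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123", "State": "active"}]),
]
SAMPLE_TARGETS = [("subnet-a", "eni-target-a"), ("subnet-b", "eni-target-b"),
                  ("subnet-c", "eni-target-c"), ("subnet-d", "eni-target-d"),
                  ("subnet-e", "eni-target-e")]

if __name__ == "__main__":
    for subnet, (ok, reason) in check_targets(SAMPLE_ROUTE_TABLES, SAMPLE_TARGETS).items():
        print("OK  " if ok else "FAIL", subnet, reason)
```

Only `subnet-d` (default route to a different instance) and `subnet-e` (default route to a NAT Gateway) pass; the first is the cheapest configuration that the answer found to work, and the NAT Gateway processing charges the question worried about only apply to traffic that actually traverses the gateway, which the response path through the NLB does not.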