AWS Api gateway: How to expose new services automatically? - amazon-web-services

I'm searching for a way to expose service routes to API Gateway automatically. The flow should be the following:
1. A new service in EKS is created.
2. Two proxy resources are added to API Gateway: /public/{service-name} and /private/{service-name}.
3. An integration with the new service is added to the created resources (perhaps we would have an ALB per service, so the resource integration would be done through the ALB).
4. API Gateway is redeployed.
So far, I've come up with a solution using a Lambda function which listens to the CloudTrail ALB creation event and makes calls to API Gateway to create the new resources and publish them,
but I feel that there should be something more AWS-native that works out of the box.
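The Lambda-based flow described in the question, as an added example that is not code from the original post. It assumes an EventBridge rule forwards CloudTrail's `CreateLoadBalancer` record (the constructed `SAMPLE_EVENT` below follows that record's shape), that the ALB name is the service name, that the REST API already has `/public` and `/private` parent resources whose ids come from the assumed environment variables `API_ID`, `STAGE_NAME`, `PUBLIC_PARENT_ID` and `PRIVATE_PARENT_ID`, and that the integration is a plain `HTTP_PROXY` to the load balancer. It goes slightly beyond the question: `/private` routes get `AWS_IAM` authorization instead of `NONE`, and an optional `VPC_LINK_ID` switches the integration to a VPC link, which is what you need when the target is an internal load balancer (for a REST API the VPC link must front an NLB). The `FakeApiGatewayClient` stands in for `boto3.client("apigateway")` so the example runs offline; the boto3 call names and keyword arguments are the real ones.

```python
"""Create /public/<svc>/{proxy+} and /private/<svc>/{proxy+} in a REST API
when an ALB is created, then redeploy the stage.  Added illustration; the
boto3 operations (create_resource, put_method, put_integration,
create_deployment) are real, everything else is assumed or constructed."""
import os
import re
from typing import Any, Dict, Optional, Tuple

# Assumed Lambda configuration (environment variables you would set yourself).
API_ID = os.environ.get("API_ID", "abcd1234")
STAGE = os.environ.get("STAGE_NAME", "prod")
PARENT_IDS = {  # ids of the pre-existing /public and /private resources
    "public": os.environ.get("PUBLIC_PARENT_ID", "pub000"),
    "private": os.environ.get("PRIVATE_PARENT_ID", "prv000"),
}
VPC_LINK_ID = os.environ.get("VPC_LINK_ID")  # set only for internal NLB targets

# ALB names are [A-Za-z0-9-]; refuse anything else so an odd name cannot
# become an unexpected pathPart in the API.
_SERVICE_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")


def service_from_event(event: Dict[str, Any]) -> Tuple[str, str]:
    """Return (service_name, lb_dns_name) from a CloudTrail CreateLoadBalancer
    record delivered via EventBridge; reject anything that is not an ALB."""
    detail = event.get("detail") or {}
    if (detail.get("eventSource") != "elasticloadbalancing.amazonaws.com"
            or detail.get("eventName") != "CreateLoadBalancer"):
        raise ValueError("not an ELBv2 CreateLoadBalancer event")
    lb = detail["responseElements"]["loadBalancers"][0]
    if lb.get("type") != "application":
        raise ValueError("only application load balancers are exposed")
    name = lb["loadBalancerName"]
    if not _SERVICE_RE.match(name):
        raise ValueError(f"unsafe service name {name!r}")
    return name, lb["dNSName"]


def expose_service(client, api_id: str, stage: str, parent_ids: Dict[str, str],
                   service: str, backend_dns: str,
                   vpc_link_id: Optional[str] = None) -> Dict[str, Any]:
    """Add /<label>/<service>/{proxy+} with an ANY HTTP_PROXY integration under
    each parent, then deploy.  Returns the created resource ids and deployment id."""
    created = {}
    for label, parent_id in parent_ids.items():
        # Design choice: the private tree requires SigV4-signed callers.
        auth = "NONE" if label == "public" else "AWS_IAM"
        base = client.create_resource(restApiId=api_id, parentId=parent_id,
                                      pathPart=service)["id"]
        proxy = client.create_resource(restApiId=api_id, parentId=base,
                                       pathPart="{proxy+}")["id"]
        client.put_method(restApiId=api_id, resourceId=proxy, httpMethod="ANY",
                          authorizationType=auth,
                          requestParameters={"method.request.path.proxy": True})
        integration = dict(
            restApiId=api_id, resourceId=proxy, httpMethod="ANY",
            type="HTTP_PROXY", integrationHttpMethod="ANY",
            uri=f"http://{backend_dns}/{{proxy}}",
            requestParameters={"integration.request.path.proxy": "method.request.path.proxy"},
        )
        if vpc_link_id:  # internal NLB behind a VPC link instead of a public ALB
            integration.update(connectionType="VPC_LINK", connectionId=vpc_link_id)
        client.put_integration(**integration)
        created[f"/{label}/{service}/{{proxy+}}"] = proxy
    deployment = client.create_deployment(restApiId=api_id, stageName=stage)["id"]
    return {"resources": created, "deploymentId": deployment}


def lambda_handler(event, context=None, client=None):
    if client is None:
        import boto3  # real client only inside Lambda; tests inject a fake
        client = boto3.client("apigateway")
    service, dns = service_from_event(event)
    return expose_service(client, API_ID, STAGE, PARENT_IDS, service, dns, VPC_LINK_ID)


class FakeApiGatewayClient:
    """Offline stand-in for boto3.client('apigateway'): records every call and
    hands out sequential resource ids r1, r2, ..."""
    def __init__(self):
        self.calls, self._n = [], 0

    def create_resource(self, **kw):
        self.calls.append(("create_resource", kw)); self._n += 1
        return {"id": f"r{self._n}"}

    def put_method(self, **kw):
        self.calls.append(("put_method", kw)); return kw

    def put_integration(self, **kw):
        self.calls.append(("put_integration", kw)); return kw

    def create_deployment(self, **kw):
        self.calls.append(("create_deployment", kw)); return {"id": "d1"}


# Constructed sample event, shaped like CloudTrail's CreateLoadBalancer record.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.elasticloadbalancing",
    "detail": {
        "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": "CreateLoadBalancer",
        "responseElements": {"loadBalancers": [{
            "loadBalancerName": "orders",
            "dNSName": "orders-123.eu-west-1.elb.amazonaws.com",
            "type": "application",
            "scheme": "internet-facing",
        }]},
    },
}

if __name__ == "__main__":
    fake = FakeApiGatewayClient()
    print(lambda_handler(SAMPLE_EVENT, client=fake))
    for op, kw in fake.calls:
        print(op, kw)
```

The EventBridge rule that triggers this needs to match `source: aws.elasticloadbalancing` with `detail.eventName: CreateLoadBalancer`, and the function's role needs `apigateway:POST` on the API's resources plus `apigateway:POST` on its deployments. Deploying on every event is fine at low volume; if several services are created at once, coalescing the deployment avoids racing `create_deployment` calls.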

Related

WAF Protection for api gateway using websockets

I have a use case where I am supposed to connect my client to API Gateway using WebSockets. I have seen that API Gateway can be configured with WAF rules in the case of a REST API, but I am not able to see the WebSocket API Gateway in the list of resources that can be added as a WAF-protected resource in the AWS console. Does it mean that WebSocket connections to API Gateway cannot be protected using WAF?
As of now, WAF cannot be used with a WebSocket API in Amazon API Gateway. However, by configuring an authorizer and throttling, you can protect your API.
Reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-api-protect.html
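The authorizer half of that advice, as an added example that is not part of the original answer: a Lambda REQUEST authorizer for a WebSocket API's `$connect` route. The event fields used (`methodArn`, `headers`, `queryStringParameters`) and the returned policy document are the real authorizer contract; the token format (an HMAC-SHA256 over `user:expiry`, keyed by an assumed `TOKEN_SECRET` environment variable) is a constructed stand-in for whatever your real issuer produces. Browser WebSocket clients cannot set an `Authorization` header, so the token is also accepted from an `auth` query parameter. Throttling is not code: set it on the stage or per route in the API's settings.

```python
"""Lambda REQUEST authorizer for a WebSocket API's $connect route.
Added illustration; the token scheme is constructed, the authorizer event and
policy shapes are the real API Gateway ones."""
import hashlib
import hmac
import os
import time
from typing import Any, Dict, Optional

SECRET = os.environ.get("TOKEN_SECRET", "example-secret-change-me").encode()  # assumed


def mint_token(user: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue 'user:expiry:hexmac'.  Only the issuer would normally run this."""
    msg = f"{user}:{expires_at}"
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}:{mac}"


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SECRET) -> Optional[str]:
    """Return the user name if the MAC is valid and the token has not expired."""
    try:
        user, exp_str, mac = token.rsplit(":", 2)
        expires_at = int(exp_str)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(secret, f"{user}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return None
    if expires_at <= (now if now is not None else time.time()):
        return None
    return user


def extract_token(event: Dict[str, Any]) -> Optional[str]:
    """Bearer token from the Authorization header, else the 'auth' query parameter."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return (event.get("queryStringParameters") or {}).get("auth")


def policy(principal: str, effect: str, method_arn: str,
           context: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """IAM-style response API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        # Values here reach the $connect integration as requestContext.authorizer.*
        "context": context or {},
    }


def lambda_handler(event: Dict[str, Any], context=None, now: Optional[float] = None):
    method_arn = event["methodArn"]
    user = verify_token(extract_token(event) or "", now=now)
    if user is None:
        # Deny -> API Gateway rejects the WebSocket handshake with 403.
        return policy("anonymous", "Deny", method_arn)
    return policy(user, "Allow", method_arn, {"user": user})


# Constructed sample $connect authorizer event.
SAMPLE_EVENT = {
    "methodArn": "arn:aws:execute-api:eu-west-1:123456789012:abcd1234/prod/$connect",
    "headers": {"Authorization": "Bearer " + mint_token("alice", 2_000_000_000)},
    "queryStringParameters": {},
    "requestContext": {"routeKey": "$connect"},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Attach the function as a REQUEST authorizer on the `$connect` route with identity sources covering both `route.request.header.Authorization` and `route.request.querystring.auth`; a missing identity source fails the connection before the function is invoked. Tokens passed in the query string land in access logs, so keep them short-lived.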

Exposing VPC/API gateway to a specific DNS

I have a Slack bot which is running on an EC2 instance in a VPC.
The VPC / API Gateway is supposed to only be exposed to Slack (for Slack event listening); it's not supposed to be publicly accessible.
How would I filter based on Slack's DNS? https://api.slack.com/robots
I saw that API Gateway has resource policies; however, they are only IP / AWS account / VPC based.
Any other AWS services that can help?
If the only reason you're exposing it to the web is for Slack to access it, then you could try using Socket Mode, which pushes all the Slack traffic to websockets, meaning you don't need a public endpoint anymore.

Can we have 2 APIgateway for one NLB?

We have 2 internal services in a single VPC that are open to the internet via
API Gateway (Regional)
VPC link.
For blue/green deployment, API Gateway is the only fixed point for us.
Now one of the services has to talk to the other service, and we do that by hitting API Gateway, and because the other service is within a VPC we have to use a proxy to connect to that API Gateway (Regional). But we still need a Regional API Gateway as we have other services outside the VPC.
Service A -> Proxy -> Regional API Gateway of Service B
Now the question is: can we have a Private API Gateway and a Regional API Gateway working in parallel and hitting the same ECS service?
In this case we would not have to go via the proxy at all.
A VPC link can be reused across numerous API Gateway endpoints; this will work as long as the API Gateway and the Network Load Balancer are within the same account.
The Network Load Balancer and API must be owned by the same AWS account.

Limit API calls to AWS API Gateway

I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but the AWS API Gateway IP changes all the time. I also tried using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that load balancer!
Thanks in advance for the help!
You can do this by using a Network Load Balancer.
Create an internal Network Load Balancer and have your containers added to its target group.
Then in API Gateway create a VPC link to your Network Load Balancer, and use the VPC link within your API Gateway setup.
More instructions available here.
You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control in order to understand how you can enable endpoint private access for your cluster.

Connect to ElastiCache cluster using Api Gateway

I need to communicate with ElastiCache (Redis engine) using AWS API Gateway. I successfully connected to ElastiCache from a Lambda function in the same VPC. I can't connect from outside the VPC.
So I tried to create an API Gateway, and selected integration type as AWS Service Proxy and AWS Service as ElastiCache.
This is the screenshot for creating an API gateway
But I don't know how to test this created API for executing Redis commands,
e.g. SET A FOO
Is it possible to communicate with ElastiCache using API Gateway?
API Gateway service proxy is for proxying the AWS API, not the Redis API, so that's not going to work for you. You will have to create a Lambda function and use API Gateway Lambda integration.