How to route an API request through a proxy - amazon-web-services

We have 10 instances on which we deployed the app using AWS ECS and ELB.
For security reasons, the API allows requests only from specific whitelisted IP addresses.
So we are planning to pass the requests through a proxy.
How do we route an API request through a proxy?
We are using nginx.
Any specific way to route an API request through a proxy would be helpful.

You won't need NGINX as a proxy for this use case; I'd propose looking into AWS NAT Gateways. NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). It's the perfect place to provide a static IP to all your subnet's outbound traffic.
Provide a NAT Gateway with a static IP (Elastic IP) for your cluster's outbound traffic. This will allow your different tasks running inside your ECS cluster's private subnets to look like a single requesting entity from an outsider's point of view (in your case, the 3rd party API is the outsider). To achieve this, you will have to:
Create 2 route tables (1 for private subnets, 1 for public subnets)
Internet gateway on the public subnet
Elastic IP address
Create a NAT Gateway and attach the elastic IP to it (This will be the IP whitelisted to the 3rd party API)
Ensure that all your tasks are running inside private subnets of the VPC
Add a rule in your route table for your private subnets that redirects outbound 0.0.0.0/0 to the NAT Gateway.
Add a rule in your route table for your public subnets that redirects outbound traffic 0.0.0.0/0 to the internet gateway.

You should consider using NAT Gateway instead. I am assuming you already would have all your containers in a VPC, so you can create a new NAT Gateway within this VPC itself.
You can refer to articles attached below to do this:
https://docs.aws.amazon.com/appstream2/latest/developerguide/add-nat-gateway-existing-vpc.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Note: NAT Gateways have a price associated with them.
If needed, you can use the elastic IP provided by NAT Gateways on your lambdas as well.

Related

Outbound Traffic from Private Subnet in AWS

Can I download and install patches from the Internet using Route53, without having a NAT Gateway and IGW?
I think you might be a little confused regarding what Route53 is:
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service.
Source
So, it has nothing to do with downloading patches. You can use it to handle your domains, and it can work nicely with several AWS services.
Now, regarding your question. If you want an EC2 instance to access the Internet and download its security patches, you will need an Internet Gateway configured on the VPC of the instance. On the other hand, the NAT Gateway is only necessary if your instance is configured on a private subnet. A private subnet doesn't have direct access to the Internet Gateway, so you need to provide a NAT Gateway to allow your instances to reach it. EC2 instances in public subnets can be assigned public IPs. An instance with a Public IP can access the Internet directly through the Internet Gateway without needing a NAT Gateway.
Another resource you are going to have to configure is Route Tables. Each subnet is assigned to a single Route Table. Once attached, it will use the routes defined on the Route Table to handle its instances' traffic. A Route Table that handles private subnets will have a default route pointing to a NAT Gateway, and a public Route Table will have a default route pointing directly to the Internet Gateway. Bear in mind that the NAT Gateway should always be instantiated on public subnets.
Take a look at the following documentation site for more information:
VPC Internet Gateway
VPC Subnet
VPC Route Tables
Route53 is a DNS service and its function is DNS resolution. You need a NAT Gateway for outbound internet access from a private subnet.

Routing public and private traffic to an AWS ALB

I have a VPC with a public subnet containing a NAT gateway and a private subnet containing ec2 instances running my application.
A public ALB provides inbound internet access to the application running in the private subnets.
I also want to allow access to this ALB over a site-to-site VPN using a customer gateway and transit gateway.
What is the best pattern to do this that avoids duplicating the ALB and its configuration (i.e. avoid having a public and an internal ALB)? Is it possible to run a single private ALB that the VPN users will connect to directly and route public internet traffic to it from a public NLB?
You should be able to use transit gateway routing tables to accomplish this. Create two TGW attachment points: one for your VPN and one for the subnet where your ALB resides. Now, disassociate those two attachment points from the main TGW routing table. Create two new TGW routing tables:
one that points 0.0.0.0/0 to your ALB subnet attachment and associate that to your VPN TGW attachment (enable DNS resolution)
one that points 0.0.0.0/0 to your VPN subnet attachment and associate that to your ALB subnet TGW attachment (enable DNS resolution)
In this way any traffic coming in from your VPN will land in your private ALB subnet and resolve to the ALB private IP address. Any traffic leaving your ALB destined to a non-local IP address (the return traffic) will be routed to your VPN TGW attachment.
Although I have not tested your specific scenario, I was able to use this method to route TGW traffic to and from GWLB endpoints.
You can leave your routes for public internet traffic to your ALB as they are (from your public NLB). Now you have two ways customers can reach the same ALB; one public and one private.
You can use AWS API Gateway private integration Pattern using VPC link to provide public access to your service, and host your service behind internal application load balancer like the following:
Also you may need to consider DNS resolution between your AWS and on-premises networks.

AWS private subnet with NAT gateway and VPC PrivateLink: which one will be used?

Say I have an EC2 instance in a private subnet with access to the internet through a NAT Gateway, and I have VPC endpoints (PrivateLink) for AWS services like DynamoDB or SNS. If my EC2 instance needs to interact with those services, will it use the PrivateLink or the NAT Gateway? In other words, will the traffic go over the public internet or stay inside the VPC?
In other words, will the traffic go over the public internet or stay inside the VPC?
It will go to the interface endpoint. The reason is that AWS chooses the more specific (longest prefix match) route when there is more than one choice of where to direct traffic. So if the VPC has to decide between 0.0.0.0/0 for NAT and the interface endpoint address, the interface endpoint will be prioritized.
You can easily check it yourself. Place an interface endpoint in your private subnet which has a route to NAT. Then block all incoming traffic to the interface endpoint using its security group. What you should see is that you are unable to access the service of the interface endpoint, even though there is a NAT gateway.
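An added example, not from any of the posts above, that models the two route tables the NAT Gateway answer in the first thread describes (private subnets default to the NAT gateway, public subnets default to the internet gateway) and the longest-prefix-match selection this answer relies on. The VPC CIDR, subnet names and the 203.0.113.10 "third-party API" address are constructed; it also adds a check that the NAT gateway itself sits in a subnet whose default route is an internet gateway.

```python
# Constructed model of VPC route selection (not AWS code): a route table picks
# the most specific matching prefix, so the implicit "local" VPC route beats
# 0.0.0.0/0 for any in-VPC destination such as an interface endpoint ENI.
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed

# Route tables as laid out in the NAT Gateway answer; every table carries the
# implicit local route for the VPC CIDR.
ROUTE_TABLES = {
    "private": {VPC_CIDR: "local", "0.0.0.0/0": "nat-gateway"},
    "public": {VPC_CIDR: "local", "0.0.0.0/0": "internet-gateway"},
}

# Subnet -> route table association (constructed names). The NAT gateway
# lives in the public subnet, as the answers require.
SUBNET_TABLE = {"app-private-a": "private", "nat-public-a": "public"}


def next_hop(subnet, destination):
    """Return the target of the longest-prefix route matching destination."""
    table = ROUTE_TABLES[SUBNET_TABLE[subnet]]
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def nat_placement_ok(nat_subnet):
    """A NAT gateway only reaches the Internet if its own subnet defaults to an IGW."""
    return next_hop(nat_subnet, "203.0.113.10") == "internet-gateway"


if __name__ == "__main__":
    # ECS task in the private subnet calling the whitelisted third-party API
    print(next_hop("app-private-a", "203.0.113.10"))  # nat-gateway
    # Same destination from the public subnet goes straight to the IGW
    print(next_hop("nat-public-a", "203.0.113.10"))   # internet-gateway
    # Interface endpoint ENI inside the VPC: local route wins over 0.0.0.0/0
    print(next_hop("app-private-a", "10.0.1.50"))     # local
    print(nat_placement_ok("nat-public-a"))            # True
```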

How does the AWS Interface VPC endpoint actually route traffic to a regional service?

When I configure an AWS Gateway VPC endpoint, a route table entry is created that points to the Gateway. Here, Gateway can be thought of performing the routing to AWS service (over private network).
However, for an AWS Interface VPC endpoint, all that is visible is a Network Interface that has a private IP address of the subnet. By default, a private IP can send traffic within the subnet or the entire VPC provided the Security Group and NACL allow the traffic, and it appears in this case there is no Route Table entry to a Gateway or a Router for allowing traffic outside the VPC.
How / Where is the interface routing the traffic to i.e. How does traffic leave the customer VPC?
Of course I understand that the traffic finally reaches the intended AWS service over private network but here I am trying to find out where is the Gateway or Router? Does AWS hide this implementation?
I cannot get my head around the fact that a simple Network Interface can accept traffic and route it to a service all by itself i.e. performing routing by itself? Clearly, in this case the traffic appears not flowing through the VPC router or another Gateway device.
I am aware this might be an AWS confidential implementation but any thoughts / idea on how they might have designed this feature?
It doesn't provide routing at all. By default, a VPC interface endpoint, when created, will create an ENI per subnet in the VPC for you. It will also provide you a DNS name per AZ and a global name that you can use within your applications.
In addition it supports the ability to have the AWS service domain name for the VPC interface endpoint be resolvable to the private IPs of the endpoint. As long as your VPC has DNS enabled it will first check the VPC private DNS resolver and then resolve it to the private IP rather than the public one.
This is done by adding an additional private hosted zone to your VPC which resolves service domains in your region such as ec2.us-east-1.amazonaws.com.
From the AWS side this is just an ENI created in your AWS VPC that is connected to one of AWS's internal VPCs. It's actually possible to implement this for your own services too, to share with another organisation's VPCs; this is implemented using AWS PrivateLink.
For more information take a look at the Private DNS for interface endpoints page.

How to use a VPC endpoint for ELB?

I would like to create a lambda (VPC) which would access resources in the VPC and make a request to services (REST API) via a public application load balancer. I found out that a VPC endpoint is a better solution than creating a NAT gateway.
I have created a vpc endpoint for elasticloadbalancing(by following steps at https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) and given full access in the policy. I could not find how to access it from the lambda, what would be the URL to make the request?
Edit:
Thanks to John for the info that the VPC endpoint is used to connect to the ELB API. So a VPC endpoint would not solve our issue.
We have our infra in a VPC which includes a database (accessible within the VPC only) and application servers running behind the ELB. For certain tasks we want to run a lambda which will read the database (for this reason the lambda has to be inside the VPC) and make API calls to our application using the ELB. Since the ELB is accessible from the public DNS only, the lambda is not able to connect to the ELB.
I have read that setting up a NAT gateway is a solution. Are there other, simpler ways?
Yes, a NAT Gateway would allow the traffic from a private subnet to go out of the VPC and come back in to the Load Balancer's public IP addresses (via its Public DNS Name).
Alternatively, you could create an additional Internal Load Balancer that could accept traffic from within the VPC and send it to the Amazon EC2 instances.