I have configured the API Gateway with a lambda function. The lambda function is in a VPC with private subnets. I have also attached an internet gateway to the VPC with a route table routing all traffic to the internet gateway. From what I understand, I still shouldn't be able to access any of the API endpoints, as the lambda function is in a private subnet and needs a NAT gateway between the internet gateway and private subnets.
However, with the security group assigned to the lambda function allowing incoming traffic, I am able to access all endpoints.
API Gateways are used for inbound communication, whereas a NAT Gateway is used for outbound communication.
Hence for inbound traffic, once you configure the API Gateway routing to Lambda, with an appropriate security policy, you can access the API.
For outbound communication, your private service needs to access the NAT Gateway, which will route traffic to the Internet Gateway and further out to the Internet.
Say I have an ec2 in a private subnet with access to the internet through a NAT Gateway and I have VPC endpoints (PrivateLink) for AWS services like DynamoDB or SNS. If my ec2 instance needs to interact with those services, it will use the private link or the NAT Gateway? In other words, the traffic will go on the public internet or will stay inside the VPC?
It will go to the interface endpoint. The reason is that AWS chooses the more specific (longest prefix match) route when there is more than one choice of where to direct traffic. So if the VPC has to decide between 0.0.0.0/0 for NAT and the interface endpoint address, the interface endpoint will be prioritized.
You can easily check it yourself. Place an interface endpoint in your private subnet which has a route to the NAT. Then block all incoming traffic to the interface endpoint using its security group. What you should see is that you are unable to access the service of the interface endpoint, even though there is a NAT gateway.
I am now trying to configure a route table for a private subnet, and I configured an AWS Lambda function with these subnets. When I use an ENI, I receive an SSL error (violation of protocol) when trying to make an API call over the Internet (like a call to the ServiceNow API). When I use NAT, it works.
I investigated for a while, but I am still confused about when we should use an ENI (or NAT). What is the difference?
When an AWS Lambda function is not connected to a VPC, it has direct access to the Internet.
When an AWS Lambda function is connected to a VPC, and requires access to the Internet, then the configuration should be:
Associate the Lambda function with a private subnet in the VPC
Create a NAT Gateway in a public subnet
Configure the Route Table for the private subnet to route 0.0.0.0/0 traffic to the NAT Gateway
You probably received the error because the Lambda function was unable to reach the endpoint on the Internet. I don't know why you specifically received an "SSL Error".
An Elastic Network Interface (ENI) is the virtual network connection between a resource (e.g. an AWS Lambda function) and a VPC. Think of it like a 'network card' that connects it to the network.
A NAT Gateway is a service that does IP address translation. It accepts the local traffic and sends it to the Internet, also passing back responses. It enables Internet access from private subnets while preventing inbound access to the private subnet.
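An added example, not code from any of the posts above: a small Python model of the route selection described in the longest-prefix-match answer and of the Lambda egress setup listed in the answer above (NAT in a public subnet, private-subnet default route to it). The route tables, the prefix-list CIDRs and all resource ids are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (placeholder ids): a private-subnet route table as
# describe-route-tables would list it, plus a stand-in for the managed
# DynamoDB prefix list that a gateway endpoint installs as a route.
PREFIX_LISTS = {"pl-dynamodb": ["52.94.0.0/22", "52.119.224.0/20"]}
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0123456789abcdef0"),      # default route to NAT gateway
    ("pl-dynamodb", "vpce-0123456789abcdef0"),   # DynamoDB gateway endpoint
]
# The setup from the first question: default route points at an IGW instead.
IGW_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123456789abcdef0")]

def expand(route_table):
    """Expand prefix-list destinations into concrete networks for matching."""
    out = []
    for dest, target in route_table:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            out.append((ip_network(cidr), target))
    return out

def lookup(route_table, dst):
    """Target of the most specific (longest prefix) route covering dst."""
    addr = ip_address(dst)
    best = None
    for net, target in expand(route_table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def lambda_egress(route_table, dst):
    """Classify where a VPC-attached Lambda function's packet to dst ends up.
    Inbound API Gateway invocations never traverse these tables; this is only
    about traffic the function itself originates."""
    target = lookup(route_table, dst)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return "delivered inside the VPC"
    if target.startswith("vpce-"):
        return "endpoint: stays on the AWS network, NAT not used"
    if target.startswith("nat-"):
        return "Internet via NAT gateway"
    if target.startswith("igw-"):
        # Lambda ENIs never carry a public IP, so the IGW cannot translate
        # the source address and the packet goes nowhere.
        return "dropped: IGW route but the ENI has no public IP"
    return "other target: " + target
```

Running `lambda_egress(IGW_RT, "8.8.8.8")` reproduces the first question's situation: the function can still be invoked through API Gateway, but its own outbound Internet traffic has no working path until a NAT gateway route replaces the IGW route.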
Interface endpoints stay within their own VPC, and typically gateway endpoints (e.g., S3) would as well. However, we have two accounts connected to the same Transit Gateway (TGW), which essentially serves as a hub. In this case, can an S3 gateway endpoint potentially transfer S3 data outside of its own VPC if there is a route to the TGW in the route table that the endpoint is associated with?
No, a gateway endpoint cannot be used outside of a VPC.
The route tables of a VPC are used only to make routing decisions for packets sourced by instances on the subnets associated with the route table. No other traffic, such as traffic from the gateway endpoint or packets entering the VPC from the transit gateway, uses the VPC route tables. VPC never does edge-to-edge routing.
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations
Yes, it is possible. But note that if you want to route traffic to and from another Availability Zone, you have to enable that Availability Zone for the transit gateway to route traffic to resources in the VPC subnets after attaching the VPC/VPN/Direct Connect gateways.
I want to implement a scenario where, in an AWS VPC, I want connectivity to both Direct Connect and an IGW, so I can access some applications from the data center and access AWS resources from the Internet.
Yes. You can provision an Internet Gateway on the VPC to provide direct access to the Internet, and you can also provision a Virtual Private Gateway that connects to Direct Connect for connectivity to your on-premises or data center networks.
The Route Table configuration will determine which traffic is routed to each gateway.
If your only need for using an Internet Gateway is to "access aws resources from internet" (rather than making your services public), then you should put your resources in private subnets and place a NAT Gateway in a public subnet. This way, your AWS resources will have outbound Internet connectivity via the NAT Gateway without being exposed to the Internet.
I have public and private (Pvt) subnets in my VPC. I have some services running on EC2 in the Pvt subnet that need to be accessed by external/mobile resources. How do I do this? Is VPCLink and an NLB the way to do it, or is there another way, such as creating some access point in the public subnet (??). Lambda seems to be the answer (for almost everything in AWS now); I'm not sure even how that access works for resources in the Pvt subnet.
Also, the same Pvt subnet has to access external resources (outside of AWS). How do I do this using the API Gateway?
I am not quite understanding how API Gateway (and Lambda) is situated vis-a-vis the VPC and subnets, and how the network access control functions: can they access Pvt subnets directly or not? The documentation is somewhat silent on this and only talks about IAM; it would help if someone could explain this. Found this on Lambda: AWS Lambda: How to setup a NAT gateway for a lambda function with VPC access.
The documentation says "API Gateway allows you to securely connect ... publicly addressable web services hosted inside or outside of AWS". My resources in the Pvt subnet are not publicly addressable, I suppose.
Thanks
Are the services you have running on EC2 offering an API? API Gateway is meant to proxy API requests. It's commonly used in conjunction with Lambda to allow Lambda functions to process HTTP requests. An API Gateway is not necessary for your service. You can simply use an Application Load Balancer (ALB) or an Elastic Load Balancer (ELB). They can reside on a public subnet while your service remains in the private subnet. You can use security groups and VPC routing tables to allow communication from your public ALB/ELB to your private EC2 service.
With Ben's help, here is the answer:
Introducing Amazon API Gateway Private Endpoints
Inbound: Accessing services hosted in Private Subnet via API Gateway
Endpoint integrations inside a private VPC. With this capability, you can now have your backend running on EC2 be private inside your VPC without the need for a publicly accessible IP address or load balancer.
So essentially API Gateway can access published endpoints, even in Private Subnets.
Outbound: Accessing externally hosted services from Private Subnet via API Gateway
API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. When using private DNS, all traffic to that service is directed to the interface endpoint instead of through a default route, such as through a NAT gateway or public IP address.
So you simply need to create a VPC endpoint in the Pvt Subnet for the API Gateway.