AWS API Gateway websocket to custom websocket server in ECS behind ALB - amazon-web-services

I want to integrate a websocket API with my ECS-managed websocket API running behind an ALB. Only HTTP connections are allowed, so I am getting a 426 error (upgrade required). How can I send a websocket request from API Gateway to the ALB?

Related

AWS Gateway proxy to an existing WebSocket server

Thank you for reading this question.
What is the way to use AWS API Gateway to proxy communication to a WebSocket server running on EC2?
I tried HTTP/REST and WebSocket with no success.
Thank you.

How to connect websocket API with AWS Websocket API gateway

We have implemented a WebSocket server which is running on an EC2 machine, and from the public IP it is working fine.
We want to map this WebSocket path with API Gateway so that our public IP will not be visible to others and we can run it in the same manner in which we are running our other APIs, which are based on the HTTP protocol.
But the problem is we don't have any idea how to map the external WebSocket address with API Gateway.
You can map the websocket endpoint using the http(s) protocol in your API Gateway and enable session stickiness in your load balancer.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html

Why API Gateway websocket publish a https connection?

I am using AWS API Gateway websocket endpoint and I see there are two endpoints created after deploy. One is https the other is wss. I can use websocket client to connect to my service via the websocket endpoint. I wonder why it creates a https endpoint.
I think this is to use the @connections commands in your backend service.
With the https endpoint:
Your backend service can use the following WebSocket connection HTTP requests to send a callback message to a connected client, get connection information, or disconnect the client.
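As an added illustration of that answer (not code from any of the posts above): the wss endpoint is what clients connect to, while the https endpoint is the @connections management endpoint a backend calls to push a message to a connected client, look the connection up, or disconnect it. The example assumes boto3 is available and the caller holds the execute-api:ManageConnections permission; the wss URL and connection id in the test are constructed sample values.

```python
from urllib.parse import quote, urlsplit, urlunsplit

try:
    import boto3
except ImportError:  # the pure helpers below still work without boto3
    boto3 = None


def management_endpoint(wss_url: str) -> str:
    """Derive the https @connections endpoint from the deployed wss endpoint.

    API Gateway serves both on the same host and stage; only the scheme differs.
    """
    parts = urlsplit(wss_url)
    if parts.scheme != "wss":
        raise ValueError("expected a wss:// API Gateway WebSocket endpoint")
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/"), "", ""))


def connection_requests(connection_id: str) -> dict:
    """The three per-connection operations the https endpoint exposes.

    Returns (method, path) pairs relative to the management endpoint; the
    connection id is percent-encoded because ids can contain '=' and '/'.
    """
    path = "/@connections/" + quote(connection_id, safe="")
    return {
        "send": ("POST", path),        # push a callback message to the client
        "info": ("GET", path),         # connection metadata (source IP, times)
        "disconnect": ("DELETE", path) # close the client's socket server-side
    }


def push_to_client(wss_url: str, connection_id: str, payload: bytes) -> bool:
    """POST payload to one client via boto3. Returns False if the client is gone.

    A GoneException means the connection id is stale; callers should drop it
    from wherever they track live connections instead of retrying.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live call")
    client = boto3.client("apigatewaymanagementapi",
                          endpoint_url=management_endpoint(wss_url))
    try:
        client.post_to_connection(ConnectionId=connection_id, Data=payload)
        return True
    except client.exceptions.GoneException:
        return False
```

The IAM principal running the backend needs execute-api:ManageConnections on the API's ARN, or every call to the https endpoint is rejected with 403.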

AWS API Gateway to forward requests to an HTTPS server with a private certificate

Here's my scenario: I am trying to set up the AWS API Gateway so that all calls to the API Gateway endpoints will be forwarded to an Nginx HTTPS server behind it:
[Client] --HTTPS--> {{Internet}} --HTTPS--> [AWS API Gateway] --HTTPS--> [HTTPS server] --plain HTTP--> [Internal web services]
Only the HTTPS server can access the internal web services inside a private network. The HTTPS server itself is publicly accessible on the Internet, as is the AWS API Gateway.
Now, the SSL certificate I installed on the HTTPS server is a private one, signed by a private CA I created.
See my AWS API Gateway config here
When the AWS API Gateway tries to forward an HTTPS request to the HTTPS server, via an HTTPS endpoint URL pointing to the server, the AWS API Gateway gets an error:
"Execution failed due to configuration error: General SSLEngine problem"
Perhaps this is because the AWS API Gateway does not recognize my private CA. If so, how do I import my private CA to the AWS API Gateway for this usage?
Edit: My intent here is that the AWS API Gateway will have to authenticate to the HTTPS server using the API Gateway's client certificates.
You cannot use self-signed certificates with API Gateway. If your API Gateway is only meant to be speaking to your server then take a look at using certbot on your local EC2 instance.
Alternatively if you want to add more security, you could perform the following actions.
Migrate the EC2 instance into a private subnet.
Either import or create a new certificate via ACM.
Create an internal network load balancer with a TLS listener, using the certificate you've set up in ACM.
Create a VPC Link so that your API Gateway can access your internal NLB.

Proxying an Apollo server websocket through API Gateway

I have a GraphQL Apollo server running in AWS Fargate (ECS), and I'm using API Gateway (HTTP proxy integration) on top. The purpose of that API is to make use of the Cognito Authorizer in addition to secure SSL (HTTPS).
This is working fine as far as GraphQL HTTP operations are concerned (query and mutation).
However, GraphQL subscriptions use websockets. The proxy integration doesn't seem to handle the upgrade to the websocket protocol.
I've tried to define a new websocket API following this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api.html
But nothing seems to work for me. I've tried defining $connect, $disconnect and $default with an HTTP proxy integration to the Apollo server endpoint, but I keep getting:
Error during WebSocket handshake: Unexpected response code: 400
Is it possible to proxy an existing websocket API using Amazon API Gateway? Is HTTP proxy integration the correct integration to use?
Note: The client implementation is fine, as my subscriptions work if I put in the direct URL of the Apollo server websocket endpoint.