Allow request from API Gateway to private ALB - amazon-web-services

I have a public API gateway set up, I want to forward the requests from API Gateway to a private ALB in the VPC. On AWS Console, for API Gateway VPC link setup I could only select an NLB in the VPC.
Is there a reason why we can only route to NLB and not to ALB?
Is there a way I can route to private ALB from the API Gateway?

Currently AWS only supports connecting to NLB for VPC link integrations. They have a feature request in place to enable support for ALB as well. For now, you can do:
Public API --> VPC Link --> NLB --> ALB
In the target groups of the NLB, add the private IPs of the ALB. This way you can reap the benefits of the NLB (TCP layer) and ALB (HTTPS).
Using static IP addresses for Application Load Balancers
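The NLB-in-front-of-ALB topology from this answer, as an added Terraform example (not the answerer's code): an internal NLB whose IP target group holds the ALB's private addresses, wired to a REST API VPC Link. It assumes var.vpc_id, var.private_subnet_ids and var.alb_private_ips (the ALB nodes' current addresses); those addresses are not stable, so something like the Lambda updater from the linked AWS article still has to refresh the attachments.

```hcl
resource "aws_lb" "nlb" {
  name               = "apigw-vpclink-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

# TCP passthrough: the NLB does not terminate TLS, the ALB's HTTPS listener
# does, so the hop stays encrypted end to end.
resource "aws_lb_target_group" "alb_ips" {
  name        = "alb-private-ips"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
  health_check {
    protocol = "HTTPS"
    path     = "/"
  }
}

# One attachment per ALB node address. These addresses change when the ALB
# scales or is replaced, which is why the linked article uses a Lambda updater.
resource "aws_lb_target_group_attachment" "alb_ip" {
  for_each         = toset(var.alb_private_ips)
  target_group_arn = aws_lb_target_group.alb_ips.arn
  target_id        = each.value
  port             = 443
}

resource "aws_lb_listener" "tcp_443" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb_ips.arn
  }
}

# The REST API's private integration references the NLB through this link
# (aws_api_gateway_integration with connection_type = "VPC_LINK").
resource "aws_api_gateway_vpc_link" "to_alb" {
  name        = "alb-via-nlb"
  target_arns = [aws_lb.nlb.arn]
}
```

The ALB's security group should then admit port 443 only from the NLB's subnets rather than from the whole VPC, so nothing can bypass the gateway path.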

The selected answer is outdated. It is possible to have API Gateway integrate, through HTTP, with an internal-facing ALB by using VPC Link and private resource integration.
For step by step details, see my answer on another question: https://stackoverflow.com/a/67413951/2948212

edit: I see I was confusing this post with another one... I believe my answer still adds value though, so I am leaving it (I thought this specified REST API Gateways and not HTTP API Gateways, but it does not).
While @diegosasw's answer is valid and useful, it is for AWS HTTP API Gateways, not AWS REST API Gateways.
With that being said, they are correct in saying it is possible! Please see the following AWS documentation regarding how to accomplish this: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-application-load-balancers/
Please note one particular downside of AWS's documented approach: it requires a public ALB. Of course this is not ideal, though one can still harden their ALB so that it only accepts traffic originating from the REST API Gateway. If this is not acceptable for the existing use case, then @Suraj Bhatia's answer above must be followed (for REST API integrations, at least). If HTTP Gateways are acceptable, then @diegosasw's answer is the better approach to take due to it being simpler to manage and still allowing for a private ALB 🙂
For posterity, AWS's documentation states the following:
Note: The following procedure assumes two things:
- You have access to a public Application Load Balancer and its DNS name.
- You have an API Gateway REST API resource with an HTTP method.
1. In the API Gateway console, choose the API you want to integrate with the Application Load Balancer.
2. In the Resources pane, for Methods, choose the HTTP method that your API uses.
3. Choose Integration Request.
4. In the Integration Request pane, for Integration Type, choose HTTP.
Note: To pass the entire API request and its parameters to the backend Application Load Balancer, create one of the following instead: an HTTP proxy integration, or an HTTP custom integration. For more information, see Set up HTTP integrations in API Gateway.
5. In the Endpoint URL field, enter either the Application Load Balancer's default DNS name or custom DNS name. Then, add the configured protocol of its listener. For example, an Application Load Balancer that's configured with an HTTPS listener on port 8080 requires the following endpoint URL format: https://domain-name:8080/
Important: Make sure that you create an HTTP listener or HTTPS listener for the Application Load Balancer using the port and listener rules of your choice. For more information, see Listeners for your Application Load Balancers. For an Application Load Balancer configured with an HTTPS listener, the associated certificate must be issued by an API Gateway-supported certificate authority. If you have to use a certificate that's self-signed or issued by a private certificate authority, then set insecureSkipVerification to true in the integration's tlsConfig.
6. Choose Save.
7. Deploy the API.

Related

Can I get an example of how to connect a lambda function to a domain name?

I've been wasting about 12 hours going in circles on what seems like this:
I am trying to just make a simple static landing page in Lambda and hook the root of a domain to it.
The landing page works, but API Gateway didn't, because AWS doesn't seem to set permissions properly by default ("internal server error" with API Gateway and Lambda on AWS); now the gateway link works.
So the next steps were the following:
1. add a custom domain name in the API Gateway
2. add the API mapping in the custom domain name
3. in Route 53, create a wildcard certificate for *.domain.com and domain.com
4. create an A record that points to the API Gateway with domain.com
5. create a CNAME record that points to the A record
and I get a 403 error with absolutely nothing in the log. I log both the 'default' and '$default' stages in the API Gateway.
I read https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-403-error-lambda-authorizer/ which is all about looking at what's in the logs...
and I find the docs are both everywhere and nowhere, because they're built as chunks of 'do this' and 'do that' without ever painting a whole picture of how each piece is connected to the other, or any graph with the hierarchy of services, etc. Reminds me of code that works only when you follow the documented example and breaks otherwise.
I'm sure I'm doing something wrong, but given the lack of logs and lack of cohesive documentation, I have no idea what the problem is.
Not to mention that HTTP doesn't even connect, just HTTPS.
Can anyone outline the steps needed to achieve this? Essentially: [http|https]://(www).domain.com -> one Lambda function
You cannot use API Gateway for an HTTP request; it only supports HTTPS.
From the Amazon API Gateway FAQs (emphasis mine):
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
You can use CloudFront to automatically redirect HTTP to HTTPS. The AWS article "How do I set up API Gateway with my own CloudFront distribution?" provides a pretty simple walkthrough of connecting an API Gateway to CloudFront (you can skip the API Gateway portion and use the one you created). The important thing you'll need to do that is not in that document is to select Redirect HTTP to HTTPS.
If you truly need HTTP traffic you're probably going to need to go with an ALB.
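An added Terraform example of the CloudFront approach from this answer (not the answerer's code): a distribution in front of the API's execute-api hostname with the viewer policy set to redirect HTTP to HTTPS, using the managed cache and origin-request policies AWS ships for API origins. It assumes var.api_id, var.region, var.stage_path ("/prod" for a REST stage, "" for an HTTP API $default stage) and an ACM certificate for the aliases issued in us-east-1 at var.us_east_1_certificate_arn.

```hcl
# Managed policies: no caching for an API, and forward everything except Host
# (execute-api only answers to its own hostname, so Host must not be passed on).
data "aws_cloudfront_cache_policy" "no_cache" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_but_host" {
  name = "Managed-AllViewerExceptHostHeader"
}

resource "aws_cloudfront_distribution" "api" {
  enabled = true
  aliases = ["example.com", "www.example.com"]

  origin {
    origin_id   = "apigw"
    domain_name = "${var.api_id}.execute-api.${var.region}.amazonaws.com"
    origin_path = var.stage_path

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only" # API Gateway has no HTTP listener
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id         = "apigw"
    viewer_protocol_policy   = "redirect-to-https" # the setting the answer calls out
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.no_cache.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_but_host.id
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    acm_certificate_arn      = var.us_east_1_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

The apex and www records in Route 53 then become A alias records pointing at the distribution's domain_name and hosted_zone_id, not at the API Gateway domain.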

Static IP for GCP API Gateway

Is there a native option to set up a static IP address for a Google Cloud API Gateway? As far as I researched, it looks like I have to set up a cloud load balancer in front of the API Gateway and then use the static IP of the load balancer. I am not sure how to do this. My goal is to only give access to my API gateway via IP address. I am looking for any documentation/articles in this regard. Thanks in advance.
I don't know and don't understand your requirement, but you can achieve this with a trick with an HTTPS load balancer.
1. Create an external HTTPS load balancer. Use an HTTP frontend (so not secure/encrypted), else you will have certificate check issues if you use HTTPS with a certificate and hit the IP.
2. Create an internet network endpoint group that points to your API Gateway URL.
3. If it doesn't work, add a header in your backend service named host with the API Gateway base URL as value (without the https:// prefix).
I don't like this design because you add a useless layer (and thus an additional (and useless) potential point of failure) and you will be charged for the load balancer (about $15 per month).

GCP Load Balancing with API Gateway returning 404

I have set up an API Gateway in GCP and now I'm trying to configure GCP's Load Balancing in front of the gateway. In order to do this, what I've done is:
- Set up an internet NEG with port 443 as default and the domain name set to the gateway's URL (provided by API Gateway)
- Created a Load Balancer with a backend service associated with the NEG and a global frontend with HTTPS protocol, a static IP address and a managed certificate
- Created an A record in Cloudflare and pointed it to the Load Balancer's IP
After setting it up, I try to access the load balancer through the frontend IP address but I'm getting a 404.
Did I miss any step in the configuration of the service?
Under the hood, API Gateway is hosted on a Cloud Run-like platform. The same characteristics are enforced, including the routing mode.
I wrote an unrelated article on Internet NEGs with Cloud Run, but I'm sure that the solution of adding a "custom header" to your internet NEG backend can solve your issue.
Have a try and let me know.
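The external load balancer plus internet NEG that both GCP answers above describe, as an added Terraform example (not the answerers' code), including the Host header fix for the 404 and a reserved static address. It uses an HTTPS frontend with a Google-managed certificate (the second question's setup) rather than the plain-HTTP frontend the first answer suggests, and assumes var.gateway_hostname (the gateway's managed hostname, without https://) and var.public_hostname (the name whose A record will point at the reserved address).

```hcl
resource "google_compute_global_network_endpoint_group" "apigw" {
  name                  = "apigw-neg"
  network_endpoint_type = "INTERNET_FQDN_PORT"
  default_port          = 443
}

resource "google_compute_global_network_endpoint" "apigw" {
  global_network_endpoint_group = google_compute_global_network_endpoint_group.apigw.name
  fqdn                          = var.gateway_hostname
  port                          = 443
}

resource "google_compute_backend_service" "apigw" {
  name     = "apigw-backend"
  protocol = "HTTPS" # re-encrypt from the LB to the gateway
  backend {
    group = google_compute_global_network_endpoint_group.apigw.id
  }
  # The fix from both answers: the gateway routes on Host, so a request
  # carrying the LB's own hostname or IP gets a 404 without this.
  custom_request_headers = ["Host: ${var.gateway_hostname}"]
}

resource "google_compute_url_map" "apigw" {
  name            = "apigw-urlmap"
  default_service = google_compute_backend_service.apigw.id
}

resource "google_compute_managed_ssl_certificate" "apigw" {
  name    = "apigw-cert"
  managed { domains = [var.public_hostname] }
}

resource "google_compute_target_https_proxy" "apigw" {
  name             = "apigw-https-proxy"
  url_map          = google_compute_url_map.apigw.id
  ssl_certificates = [google_compute_managed_ssl_certificate.apigw.id]
}

resource "google_compute_global_address" "apigw" {
  name = "apigw-static-ip"
}

resource "google_compute_global_forwarding_rule" "apigw" {
  name       = "apigw-https"
  target     = google_compute_target_https_proxy.apigw.id
  ip_address = google_compute_global_address.apigw.address
  port_range = "443"
}
```

Note that the gateway itself stays reachable on its own *.gateway.dev hostname; the load balancer adds a stable address in front of it but does not restrict direct access.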

Invoke Private API Gateway Without Host/x-apigw-api-id Headers

I have a private API Gateway stage with an associated VPC endpoint, and I have already followed the instructions here: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/ on how to connect to my API from inside the VPC.
Using the Host/x-apigw-api-id headers works as expected, but some of the services I have are third-party and I cannot add those headers to make them connect.
Is there any way to connect to an endpoint-specific hostname WITHOUT either the Host or x-apigw-api-id header?
e.g.
(current) curl "https://vpc-endpoint-specific-hostname/route/" -H 'x-apigw-api-id: '
(desired) curl "https://.vpc-endpoint-specific-hostname/route/" (note no headers)
I know what the documents say, which is to use either of the two headers Host/x-apigw-api-id but I cannot add those headers for some of my services.
If you enable private DNS, you can access the private API directly using this URL:
https://{restapi-id}.execute-api.{region}.amazonaws.com/{stage}
You can read more here.
Even if you don't have Private DNS enabled, you can still reach the Private API Gateway by using custom domains (which are technically not supported by Private API Gateways); we can 'trick' the VPC endpoint into understanding where to send traffic, without custom Host / x-apigw-api-id headers.
Steps:
1. Create an internal-only Application Load Balancer.
2. The ALB needs to point to the IP addresses of the ENIs for the Interface VPC Endpoint - API Gateway (Steps to Create Interface VPC endpoint - API Gateway).
3. Make sure that you have a DNS entry, example.com (in Route 53 or any other DNS provider), that points to the load balancer we created above.
4. Make sure the ACM certificate is created for the above custom domain, example.com.
5. Navigate to the API Gateway console and click Custom Domain Names in the left menu bar. Select Regional and fill in your custom hostname and the ACM certificate we created in steps 3 & 4.
Please find the detailed steps here.
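An added Terraform example of the internal-ALB trick in this answer (not the answerer's code): the ALB's IP target group is filled from the execute-api interface endpoint's ENIs, its HTTPS listener carries the ACM certificate for the custom name, and a regional custom domain mapping tells the endpoint which API the forwarded Host header belongs to. It assumes an existing aws_vpc_endpoint.apigw (private DNS off), aws_lb.internal, aws_api_gateway_rest_api.api, var.vpc_id, var.acm_certificate_arn and var.stage_name; the Route 53 record for api.example.com then aliases the ALB.

```hcl
# for_each needs the ENI ids known: on a fresh stack apply the endpoint first.
data "aws_network_interface" "vpce" {
  for_each = toset(aws_vpc_endpoint.apigw.network_interface_ids)
  id       = each.value
}

resource "aws_lb_target_group" "vpce" {
  name        = "apigw-vpce"
  port        = 443
  protocol    = "HTTPS"
  target_type = "ip"
  vpc_id      = var.vpc_id
  # The endpoint answers a bare health check with a 4xx (nothing to route to),
  # so 4xx must count as reachable or every target stays unhealthy.
  health_check { matcher = "200-499" }
}

resource "aws_lb_target_group_attachment" "vpce" {
  for_each         = data.aws_network_interface.vpce
  target_group_arn = aws_lb_target_group.vpce.arn
  target_id        = each.value.private_ip
  port             = 443
}

# The ALB passes the client's Host header through unchanged, so the endpoint
# sees api.example.com and matches it against the custom domain below.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.internal.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpce.arn
  }
}

resource "aws_api_gateway_domain_name" "private" {
  domain_name              = "api.example.com"
  regional_certificate_arn = var.acm_certificate_arn
  endpoint_configuration { types = ["REGIONAL"] }
}

resource "aws_api_gateway_base_path_mapping" "private" {
  api_id      = aws_api_gateway_rest_api.api.id
  stage_name  = var.stage_name
  domain_name = aws_api_gateway_domain_name.private.domain_name
}
```

The private API's resource policy still applies, so keep it scoped to the endpoint (aws:SourceVpce) rather than opening it because the ALB is "internal".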

how to add AWS API gateway with application load balancer for ECS?

How do I integrate API Gateway with an Application Load Balancer? I have integrated ECS with an ALB, and now I want to add API Gateway in front without Lambda. But I'm confused about how to connect API Gateway with the ALB.
What you're probably looking for is the HTTP Proxy Integration as described here.
The basic idea is this:
1. Set up your API Gateway with a greedy path like /{proxy+} on the ANY method
2. Set the backend endpoint to https://my-alb-endpoint.com/ecs-service-bla/{proxy}
3. (hopefully) success
To make this work, your backend needs to be exposed to the internet (or at least reachable by the API Gateway)!
You should probably keep your backend within a locked-down VPC, but for this you're going to need to set up a private integration, which requires a Network Load Balancer. This might be costlier, but it would be the recommended approach.
Yes, you can. Inside API Gateway, under Integration Type, select HTTP and then provide the complete path of the ALB with the endpoint resource.
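The HTTP proxy integration described in the last two answers and in the REST API procedure quoted earlier (endpoint URL with listener port, tlsConfig, hardening a public ALB), as one added Terraform example that is not from any of the answers: a greedy {proxy+} resource on ANY, a proxy integration to the ALB's listener URL, insecure_skip_verification left at its safe default, and a listener rule so the ALB only serves requests carrying a secret header that the integration injects (the header name X-Origin-Verify is a choice made here). It assumes aws_api_gateway_rest_api.api, aws_lb_listener.alb_https (whose default_action is a fixed 403 response), aws_lb_target_group.ecs, var.alb_dns_name and var.origin_secret.

```hcl
resource "aws_api_gateway_resource" "proxy" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "{proxy+}" # greedy path: everything under / goes to the ALB
}

resource "aws_api_gateway_method" "any" {
  rest_api_id        = aws_api_gateway_rest_api.api.id
  resource_id        = aws_api_gateway_resource.proxy.id
  http_method        = "ANY"
  authorization      = "NONE"
  request_parameters = { "method.request.path.proxy" = true }
}

resource "aws_api_gateway_integration" "alb" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = aws_api_gateway_method.any.http_method
  type                    = "HTTP_PROXY"
  integration_http_method = "ANY"
  # Listener protocol and port belong in the URL, as in https://domain-name:8080/ above.
  uri                     = "https://${var.alb_dns_name}:8080/{proxy}"
  request_parameters = {
    "integration.request.path.proxy"             = "method.request.path.proxy"
    # Static values are single-quoted: the shared secret the ALB will require.
    "integration.request.header.X-Origin-Verify" = "'${var.origin_secret}'"
  }
  tls_config {
    # true disables certificate validation between API Gateway and the ALB; use
    # it only for a self-signed/private-CA cert, and prefer a public ACM cert.
    insecure_skip_verification = false
  }
}

# Only requests that came through the integration carry the secret; the
# listener's default_action (fixed 403 response) drops everything else.
resource "aws_lb_listener_rule" "require_origin_secret" {
  listener_arn = aws_lb_listener.alb_https.arn
  priority     = 10
  condition {
    http_header {
      http_header_name = "X-Origin-Verify"
      values           = [var.origin_secret]
    }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ecs.arn
  }
}
```

Rotate var.origin_secret like any credential (it travels in every request and is visible in the ALB's access logs), and keep it out of version control via a secrets store or a sensitive variable.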