12

I have a task to configure API Gateway to route traffic to Lambda or to a Load Balancer (internal, under VPC). I thought that it would be possible to create a simple integration for ALB using simple HTTP integration or AWS Service. But after some time of googling I found only one solution: to configure an NLB and then use VPC_Link integration. In this case everything looks like it is working.

But still I found some articles like this one where people describe how they can integrate API Gateway and LB without VPC_links. In my case I always see an invalid endpoint address error when I integrate my internal ALB with my API Gateway. I suppose that this works only for public resources (internet-facing LBs)?

And the second part of the question. When I configured VPC_link I still need to provide some endpoint in the integration for certificate checks and something else. But it looks like this endpoint still must be publicly accessible? The problem is that my service under the ALB has multiple endpoints and I need to provide the path to these endpoints in this Endpoint URL, and this endpoint should be public as I see right now. So for test reasons I provided the URL of our public resource and the path of the endpoint that I need to execute. And this works but looks too ugly to me. Maybe there is a prettier solution.

John Rotenstein
Aliaksei Bulhak
  • You could call a Lambda from API Gateway which in turn can call internal VPC resources (with a little extra configuration). – K Mo Jun 11 '18 at 06:36
  • @aleksei-bulgak did you find a solution to this? – gis_wild Dec 25 '18 at 14:23
  • Hi @gis_wild. Unfortunately no. As a result I created an NLB and connected it to the same autoscaling group. But I heard that now AWS provides the ability to create API Gateway in a private VPC, so maybe they also provide the ability to connect to private ALBs – Aliaksei Bulhak Dec 25 '18 at 15:02
  • "so maybe they also provide the ability to connect to private ALBs" they do not, unfortunately – Adrian Baker Jun 16 '19 at 02:00

3 Answers

4

The answer marked as correct is outdated. It is now possible to integrate API Gateway with an internal facing ALB through HTTP private integration using VPC Link. See https://stackoverflow.com/a/67413951/2948212 for a step by step configuration.

diegosasw
  • 2
    What exactly is outdated in the accepted comment? It's still not possible to have direct integration between APIGW and ALB for REST APIs. And yes, it should work for HTTP APIs, same is outlined in the official docs: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html – dmitryb May 06 '21 at 11:22
  • the question does not ask about REST API integration, but about HTTP. It's outdated in the sense that it's not a correct answer to the question (maybe I should have said invalid instead of outdated, sorry). The correct answer is that it's perfectly possible to integrate API Gateway with internal facing ALB through HTTP. Maybe you're right about the REST integration though, I don't know. – diegosasw May 06 '21 at 14:46
1

I've been struggling with this too. For a REST API, you can create a VPC link to an NLB, but not an ALB (that's the invalid endpoint address issue you've been seeing). It is possible to connect an HTTP API directly to an API Gateway (that was released about a month ago - API Gateway offers private integrations with AWS ELB and AWS CloudMap as part of the HTTP APIs GA release). It's frustrating, and I wish they'd add ALB support to the VPC links for REST APIs, but right now that isn't possible.

As for the second part of your question, I'm not sure what you mean by "endpoint integration," so I'm afraid I can't help you there.

Eric Hydrick
  • I am also looking into this. Having seen the blog post about private integrations I had hoped it would work with REST APIs, but alas it is only for the newer HTTP APIs on API Gateway. I am going to send some feedback to my AWS SA to find out whether this is something on the roadmap. – CarlR May 01 '20 at 16:41
  • 2
    Any update on this? Do we still have the limitation? Don't want to make our shared ALB internet facing. – nish1013 Nov 09 '20 at 13:31
  • @nish1013 - No, when I was doing this I had to create an NLB, then use VPC Link to connect it to my API Gateway. If I get the time I can try to post a basic example of what I did, but it's spread out over multiple modules so it'd take a while to compose. – Eric Hydrick Nov 09 '20 at 18:15
  • Is this still the case? The following samples https://github.com/aws-samples/aws-apigw-http-api-private--integrations show a scenario where the API Gateway connects to an ALB through a private VPC link. – diegosasw May 05 '21 at 09:03
  • @diegosasw Those are HTTP API's not REST API's. – theherk Aug 11 '21 at 08:43
  • @theherk isn't the question about http integration? – diegosasw Aug 12 '21 at 09:19
  • @diegosasw Yes, but what you are replying to is suggesting this is possible for REST API's, not HTTP API's, which is still the case. The link you shared is about HTTP API's. – theherk Aug 17 '21 at 09:03
  • The question doesn't distinguish between HTTP and REST APIs. I saw the error mentioned when linking a REST API, which is why my answer focused on REST APIs. – Eric Hydrick Aug 18 '21 at 16:44
1

The first part was accepted so I would like to focus more on the second part of the question. It is possible to propagate Path with request modification provided by VPC Link for HTTP.

You can define the API Gateway route as /foo/api/{param}

Then proceed to integrate this Route with pre-configured VPC Link

Navigate to VPC Integration -> Edit parameter mapping -> All incoming requests, then provide the configuration below:

Parameter to modify: path | Modification type: Overwrite | Value: /api/$request.path.param

Note that this is a one-level wildcard, so /foo/api/bar is going to proxy through but /foo/api/bar/xyz does not.

A potential solution is to specify the route as /foo/api/{param+} to support multiple levels, but I have not tried it, so please feel free to test it.

deejiw
  • 31
  • 5
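
The HTTP API private integration and the path overwrite from the answer above, written as a CloudFormation template so the internal ALB never needs a public endpoint (an added example, not code from the answer or from AWS's samples). Resource names, parameter names and the HTTPS listener are assumptions; drop TlsConfig if the listener is plain HTTP.

```yaml
# Added example: HTTP API -> VPC Link -> internal ALB listener.
# All names and parameters are placeholders chosen for illustration.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>      # subnets that can reach the ALB
  VpcLinkSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id     # allow egress only to the ALB listener port
  AlbListenerArn:
    Type: String                          # listener ARN of the internal ALB
  BackendTlsName:
    Type: String                          # hostname on the ALB's certificate
Resources:
  Api:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: private-alb-example
      ProtocolType: HTTP                  # HTTP API, not REST API
  VpcLink:
    Type: AWS::ApiGatewayV2::VpcLink
    Properties:
      Name: private-alb-link
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref VpcLinkSecurityGroupId
  AlbIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref Api
      IntegrationType: HTTP_PROXY
      IntegrationMethod: ANY
      ConnectionType: VPC_LINK
      ConnectionId: !Ref VpcLink
      IntegrationUri: !Ref AlbListenerArn # private target, no public URL involved
      PayloadFormatVersion: "1.0"
      TlsConfig:
        ServerNameToVerify: !Ref BackendTlsName
      RequestParameters:
        # Same mapping as in the console steps: /foo/api/bar -> /api/bar
        "overwrite:path": "/api/$request.path.param"
  FooRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref Api
      RouteKey: "ANY /foo/api/{param}"    # {param} matches a single path segment
      Target: !Sub "integrations/${AlbIntegration}"
```

The ALB's own security group should accept inbound traffic on the listener port only from the VPC link's security group, so the load balancer stays unreachable from anywhere else.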