
I want to connect to my ECS cluster in a private VPC and am a bit confused on what would be the best way to do so.

As I've understood it my options are:

  1. API Gateway -> VPC Link -> Private NLB -> Private ECS cluster
  2. Public ALB -> Private ECS Cluster
  3. API Gateway HTTP API -> Private ALB -> Private ECS cluster

Ideally I want Cognito authorization, and from what I understand, all three options would support that.

What option should I go with and why?

Daniel
  • Did you figure it out? I am interested in the third version – binaryguy Jan 06 '21 at 16:40
  • Well kind of. Number 2 is out of the question, because ALB just supports performing the token exchange so to say, not actually validating the token as far as I understand. 1 and 3 are both viable options, we have decided to go with option 3, but your choice really comes down to what features you need. We concluded that we don't need the extra features that a REST API gives (AWS Service integration etc), and option 3 also provides a bit simpler setup. – Daniel Jan 28 '21 at 19:04
  • Not sure about option 3. I like option 3, but if ALB is private you'll also need to use a VPC link to http integrate API Gateway with your internal facing ALB. See https://stackoverflow.com/a/67413951/2948212 – diegosasw May 06 '21 at 07:55
  • Yeah, we actually ended up going with option 3, with a VPC link in between the API and the ALB – Daniel May 06 '21 at 12:12
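
The setup the comments converge on (option 3, with a VPC link between the HTTP API and the internal ALB), written out as a CloudFormation template. This is an added example, not part of the original thread; every parameter and resource name is an assumption, and the ALB's security group is assumed to accept inbound traffic only from the VPC link's security group.

```yaml
# Added example: HTTP API -> VPC link -> internal ALB -> private ECS service.
# Parameter and resource names are hypothetical; supply your own values.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  UserPoolId: {Type: String}             # existing Cognito user pool
  UserPoolClientId: {Type: String}       # app client whose tokens are accepted
  PrivateSubnetIds: {Type: "List<AWS::EC2::Subnet::Id>"}
  VpcLinkSecurityGroupId: {Type: "AWS::EC2::SecurityGroup::Id"}
  AlbListenerArn: {Type: String}         # listener on the internal ALB
Resources:
  Api:
    Type: AWS::ApiGatewayV2::Api
    Properties: {Name: private-ecs-api, ProtocolType: HTTP}
  VpcLink:
    Type: AWS::ApiGatewayV2::VpcLink
    Properties:
      Name: private-ecs-link
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref VpcLinkSecurityGroupId]
  AlbIntegration:                        # private integration through the VPC link
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref Api
      IntegrationType: HTTP_PROXY
      IntegrationMethod: ANY
      ConnectionType: VPC_LINK
      ConnectionId: !Ref VpcLink
      IntegrationUri: !Ref AlbListenerArn
      PayloadFormatVersion: "1.0"
  CognitoAuthorizer:                     # API Gateway validates the JWT itself
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref Api
      Name: cognito-jwt
      AuthorizerType: JWT
      IdentitySource: ["$request.header.Authorization"]
      JwtConfiguration:
        Issuer: !Sub "https://cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}"
        Audience: [!Ref UserPoolClientId]
  ProxyRoute:                            # every route requires a valid token
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref Api
      RouteKey: "ANY /{proxy+}"
      AuthorizationType: JWT
      AuthorizerId: !Ref CognitoAuthorizer
      Target: !Sub "integrations/${AlbIntegration}"
  DefaultStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties: {ApiId: !Ref Api, StageName: "$default", AutoDeploy: true}
```

Because the ALB is internal and the only route carries the JWT authorizer, unauthenticated requests are rejected at API Gateway and never reach the VPC.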

0 Answers