
I have the following challenge: we have a VPC with an ApiGateway::RestApi with PRIVATE endpoints (they are only accessible from inside the VPC; this is our client's requirement). So the idea is that an NLB (accessible from anywhere in the world) will translate the traffic to the API. Is it possible to implement this in AWS?

Will
Viktor
  • @IMSoP read too quickly, I'll delete, thanks! – Ermiya Eskandary May 02 '22 at 18:22
  • @IMSoP the client requires us to make API endpoints private to protect them from requests from outside the VPC, and his architect created a scheme where he puts NLB in front of the API only to translate requests from available NLB to unavailable APIs. – Viktor May 02 '22 at 18:30
  • Not filtering, but translating requests: client -> NLB -> Private API. – Viktor May 02 '22 at 19:03
  • What does "translating" mean, though, other than "giving access to"? What is the difference between allowing access to the API Gateway directly, and allowing access via the NLB? – IMSoP May 02 '22 at 19:05
  • `What is the difference between accessing the API Gateway directly, and via the NLB?` - I am of the same opinion, but the client wants to protect the API from access from outside the VPC ))) He thinks that API key is not enough ) – Viktor May 02 '22 at 19:11
  • Just set the AWS API Gateway to **private** and you will have an API only available within your VPC. Whether it makes sense if you have clients outside of the VPC is another question. Using an NLB to bring the private API Gateway to customers outside the VPC is a really bad idea. Use either regional with Resource Policy, Custom Authorizer, etc. or bring WAF in front of the API Gateway and whitelist headers, IP addresses, etc. – Daniel Seichter May 02 '22 at 20:26

1 Answer

After reading the documentation, I made the following conclusions.

There is no technical ability to add an NLB in front of the API Gateway in AWS. In the documentation they provide an approach where API Gateway connects to the Network Load Balancer via VPCLink, but not vice versa. If you try putting an NLB in front of API Gateway you would need to add this API Gateway to an NLB target group. An NLB routes requests to the registered targets in its target group. But API Gateway does not belong to any available target type: Instances, IP addresses, Lambda function, Application Load Balancer. So it cannot be added to any target group. I would suggest considering an alternative to using an NLB in front of API Gateway.

Viktor
  • This post suggests it might be possible with the help of `ip` target type and vpc endpoint https://aws.amazon.com/blogs/compute/building-resilient-private-apis-using-amazon-api-gateway/ – Salvian Reynaldi Jun 02 '22 at 04:05
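An added illustration, not part of the question, the answer or any comment above: the kind of API Gateway resource policy that Daniel Seichter's comment refers to, and that is what actually enforces the "private" requirement on a REST API with a PRIVATE endpoint type. The VPC endpoint ID is a placeholder; substitute the one attached to your VPC. Everything not arriving through that interface endpoint is denied, and the trailing Allow is needed because a private API with no Allow statement accepts nothing at all.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER0123456"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    }
  ]
}
```

One point worth checking if the `ip` target type approach from the linked post is ever tried: an NLB forwarding to the IP addresses of that VPC endpoint's network interfaces still enters the API through the same `aws:SourceVpce`, so this policy would not distinguish an internet-facing NLB from an in-VPC client. The control that decides who can reach the endpoint is then the NLB's scheme and the security group on the endpoint's interfaces, which is the mechanism the client's "private" requirement actually depends on.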