4

I have a couple of microservices running on EC2.

My intention is to use the AWS API gateway to allow internet access to the EC2 APIs.

Incoming Traffic is:
internet -> API Gateway -> EC2-server

I am planning to use a greedy HTTP Proxy on AWS Gateway. But I have 2 problems:

A) How can I address the EC2 in the "URL Endpoint" in the method integration? Can I somehow use the AWS private IP?

B) How do I configure the EC2 security group to allow an API gateway request into the EC2?

caliph

2 Answers

4

API Gateway is intended mostly for use with Lambda, so there are some limitations. For the easiest integration, you must have your microservice public and then authenticate between API Gateway and your service by some other means. This doesn't sound like what you want to do... I wouldn't want to make my non-public services public either!

In order to do what you're asking (API Gateway to private EC2 resources), you must set up a private integration. This looks very much like how AWS implements service endpoints for services like S3. Basically, you need to put an NLB in front of your service. Then you set up API Gateway to contact that endpoint via a VpcLink resource. The flow looks like this:

API Gateway -> VpcLink resource -> NLB -> Target Group -> EC2 instances

See also this question

  • I can't think of a way to put an ALB directly behind an NLB. The target of an NLB needs to be one or more instances or one or more fixed IP addresses, but the addresses on the front side of an ALB are dynamic. – Michael - sqlbot Apr 15 '18 at 23:54
  • Sounds like you would have to skip the ALB then, in which case you would lose some ability to health check your servers. You can still use target groups attached to an ECS service though. I will update my answer. – Eric M. Johnson Apr 16 '18 at 13:30
  • Easy as 1, 2, 10: https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/ – Darragh Oct 03 '18 at 13:55
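The VpcLink flow from the first answer written out as a CloudFormation template; this is an added example, not code from the question or either answer. It also covers the asker's two points: (A) the integration targets the NLB's DNS name, not a private IP, and (B) the instance's security group admits the service port only from inside the VPC, since requests arrive from the NLB and never from an API Gateway public address. The `vpc-`, `subnet-` and `i-` placeholders, the 10.0.0.0/16 CIDR and port 8080 are assumptions to replace with your own values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # B) traffic reaches the instance from the NLB inside the VPC, so the
  #    service port is opened to the VPC range only (assumed: 10.0.0.0/16)
  ServiceSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: service port reachable from inside the VPC only
      VpcId: vpc-PLACEHOLDER                     # assumed: your VPC id
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 8080, ToPort: 8080, CidrIp: 10.0.0.0/16}
  # A) an internal NLB gives API Gateway a stable DNS name to target
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: {Type: network, Scheme: internal, Subnets: [subnet-PLACEHOLDER]}
  Tg:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: {VpcId: vpc-PLACEHOLDER, TargetType: instance, Protocol: TCP,
                 Port: 8080, Targets: [{Id: i-PLACEHOLDER}]}   # assumed instance id
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: {LoadBalancerArn: !Ref Nlb, Protocol: TCP, Port: 8080,
                 DefaultActions: [{Type: forward, TargetGroupArn: !Ref Tg}]}
  VpcLink:                                       # lets API Gateway reach the internal NLB
    Type: AWS::ApiGateway::VpcLink
    Properties: {Name: ec2-service-link, TargetArns: [!Ref Nlb]}
  Api:
    Type: AWS::ApiGateway::RestApi
    Properties: {Name: ec2-service-api}
  ProxyResource:                                 # greedy path, everything is passed through
    Type: AWS::ApiGateway::Resource
    Properties: {RestApiId: !Ref Api, ParentId: !GetAtt Api.RootResourceId, PathPart: '{proxy+}'}
  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: NONE                    # attach an authorizer before exposing this
      RequestParameters: {method.request.path.proxy: true}
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK                 # private integration through the VpcLink
        ConnectionId: !Ref VpcLink
        Uri: !Sub http://${Nlb.DNSName}:8080/{proxy}
        RequestParameters: {integration.request.path.proxy: method.request.path.proxy}
```

A Deployment and Stage resource (omitted here) are still needed before the API is reachable, and the EC2 instance must be attached to `ServiceSg`.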
2

Note: I only have experience with Lambda, so I have never tested AWS API Gateway with plain HTTP backends yet... i.e. using it as a cloud-based nginx.

But according to @EdwardSamuel:

You can use AWS API Gateway (documentation).

API Gateway helps developers deliver robust, secure and scalable mobile and web application backends. API Gateway allows developers to securely connect mobile and web applications to business logic hosted on AWS Lambda, APIs hosted on Amazon EC2, or other publicly addressable web services hosted inside or outside of AWS. With API Gateway, developers can create and operate APIs for their backend services without developing and maintaining infrastructure to handle authorization and access control, traffic management, monitoring and analytics, version management and software development kit (SDK) generation.

API Gateway now supports HTTP Proxy integration for pass-through resources, so you don't need to describe your payload and query params explicitly (which was required previously).

Hendy Irawan