Unable to Connect API Gateway to Internal Network Load Balancer in VPC

0

I have set up a network load balancer (NLB) in a VPC, which is associated only with private subnets. This NLB is internal and is not internet-facing. My goal is to connect from the API Gateway to this NLB. I found a workaround where changing the security group to allow all traffic (0.0.0.0/0) enables the connection, but this approach is not secure and not what I am aiming for.

Is there an appropriate method to securely connect the API Gateway to an internal NLB in a VPC? Could using a VPC endpoint be the solution to this problem?

4 answers
2
Accepted answer

As you're using a REST API, I believe the only option would be to allow the VPC CIDR range, e.g. 172.31.0.0/16, in your security group instead of 0.0.0.0/0.

UPDATED

You can also DISABLE "Enforce inbound rules on PrivateLink traffic" via the GUI on the NLB or the CLI. This means PrivateLink traffic can still connect to the NLB even if you don't allow any other traffic!

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html

Search for "Enforce inbound rules on PrivateLink traffic". ^^

EXPERT · answered 7 months ago
EXPERT · reviewed 6 days ago
EXPERT · reviewed 7 months ago
EXPERT · reviewed 7 months ago
  • This method worked for me, thank you.

  • Just to add to the answer: I believe the reason the CIDR range didn't work was the target group setting "Preserve client IP addresses". If this is disabled, then it would have worked. By default this setting is enabled. You will have to review your use case.
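The REST API path described in this answer (NLB security group restricted to the VPC CIDR, the "Enforce inbound rules on PrivateLink traffic" switch turned off, and the target group's client IP preservation setting from the comment), written out as a Terraform configuration. This is an added example, not code from the original thread or from AWS; the resource names, `aws_vpc.main`, the `private_subnet_ids` variable and port 443 are assumptions, and the REST API method integration that references the VPC link is left out.

```hcl
# Added example (hypothetical names): API Gateway REST API -> internal NLB over PrivateLink.
# Assumes an existing VPC resource aws_vpc.main and a list of private subnet IDs.

variable "private_subnet_ids" {
  type = list(string)
}

resource "aws_security_group" "nlb" {
  name   = "nlb-from-apigw"
  vpc_id = aws_vpc.main.id

  # Option A from the accepted answer: admit only the VPC CIDR (e.g. 172.31.0.0/16),
  # never 0.0.0.0/0. This is what the asker first tried.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "internal" {
  name               = "internal-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
  security_groups    = [aws_security_group.nlb.id]

  # Option B from the UPDATED part of the answer: do not evaluate the security group's
  # inbound rules against PrivateLink traffic. With this "off", the API Gateway VPC link
  # reaches the NLB even though the group above admits nothing but the VPC CIDR.
  # Leave it "on" (the default) if you want the inbound rules applied to that traffic too.
  enforce_security_group_inbound_rules_on_private_link_traffic = "off"
}

resource "aws_lb_target_group" "app" {
  name        = "app-tcp-443"
  port        = 443
  protocol    = "TCP"
  vpc_id      = aws_vpc.main.id
  target_type = "ip"

  # The comment on the answer points at this setting. It is "true" by default; when
  # disabled, targets see the NLB's private addresses (inside the VPC CIDR) as the
  # source instead of the original client address. Review against your use case.
  preserve_client_ip = "false"
}

# REST APIs attach to the NLB through a VPC link that targets the load balancer ARN;
# the method integration then uses connection_type = "VPC_LINK" with this link's id.
resource "aws_api_gateway_vpc_link" "rest" {
  name        = "rest-to-internal-nlb"
  target_arns = [aws_lb.internal.arn]
}
```

Pick one of the two options rather than relying on both: the CIDR rule is the coarser control (anything in the VPC can reach the NLB), while turning the PrivateLink enforcement off keeps the group tight for in-VPC sources but stops filtering the API Gateway side at the NLB's security group, so authorization for that path has to live in the API itself.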

0

But I am using a REST API.

answered 7 months ago
  • Created a new answer which should help.

0

If using a VPC link for HTTP APIs, then:

When you create your API Gateway VPC link, you can define which security group to attach to the connection. This creates ENIs in your VPC with the security group attached.

Then, use this security group ID as the source in your NLB security group. This will allow access from the API Gateway security group and not a CIDR range.

EXPERT · answered 7 months ago
0

Thank you for your prompt response. I tried putting my VPC CIDR range, e.g. 172.31.0.0/16, in my security group instead of 0.0.0.0/0, but it still didn't work! And if I do the second approach, is it secure?

answered 7 months ago
