API Gateway URI endpoint question - when setup with VPC Link and Load balancers

0

My question is: On the API GW resource integration request endpoint URL, what should it be if I have a VPC Link + NLB + ALB + EC2? Should it be the NLB's DNS or the raw endpoint (i.e. myec2.scope.com/REST/ExampleCall)?

We have an API-first architecture, so everything is private except the API Gateway. It will flow like API Gateway -> VPC Link -> Network Load Balancer -> Application Load Balancer -> EC2 (REST API endpoint).

I skimmed the white paper https://docs.aws.amazon.com/whitepapers/latest/best-practices-api-gateway-private-apis-integration/best-practices-api-gateway-private-apis-integration.pdf?did=wp_card&trk=wp_card but couldn't find a definitive answer.

Also for TLS, does it terminate at the ALB or the EC2?

Thank you

2 Answers
0

For configuring API Gateway with private resources please look into https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-private.html - The gateway should point to the DNS of the NLB. Also, SSL termination generally occurs at the ALB layer. You need to create/import your certificate in Certificate Manager. You can also terminate SSL at the instance level. In this case the ALB would act as a passthrough. This would work well if you have a single instance, because you need to import the SSL certificate within the instance. You can also offload this to CloudHSM, but that would increase the cost.

answered 2 years ago
0

NLB is a layer 4 load balancer so it does not look at the content of the request for routing decisions. ALB is a layer 7 load balancer so it does look at the content. API Gateway uses the domain part of the URL to populate the Host header. You can use the port part of the URL to let NLB route to different targets based on the port number.

Given all of the above, you should probably use the DNS name of the ALB, which can then use it to route to different target groups.

TLS termination can be done at either the NLB or the ALB, usually at the ALB.

AWS
EXPERT
Uri
answered 2 years ago
