How do I integrate an API Gateway REST API with an Application Load Balancer?


I want to integrate an Amazon API Gateway REST API with an Application Load Balancer.

Resolution

Integrate an API Gateway REST API with a public Application Load Balancer

Prerequisites: Make sure that you have access to a public Application Load Balancer and its DNS name. You must also have an API Gateway REST API resource with an HTTP method.

To integrate an API Gateway REST API with a public Application Load Balancer, complete the following steps:

  1. Open the API Gateway console.
  2. Select the API that you want to integrate with the Application Load Balancer.
  3. In Resources, for Methods, select the HTTP method that your API uses.
  4. Choose Integration request.
  5. For Integration type, choose HTTP.
    Note: To pass the API request and its parameters to the backend Application Load Balancer, create an HTTP proxy integration or an HTTP custom integration. For more information, see HTTP integrations for REST APIs in API Gateway.
  6. For Endpoint URL, enter a DNS name. Use either the Application Load Balancer's default DNS name or a custom DNS name.
  7. Add the configured protocol of the Application Load Balancer's listener. For example, an Application Load Balancer that's configured with an HTTPS listener on port 8080 requires the https://domain-name:8080/ endpoint URL format.
    Important: Choose port and listener rules to create an HTTP listener or HTTPS listener for the Application Load Balancer. For more information, see Listeners for your Application Load Balancers. For an Application Load Balancer that's configured with an HTTPS listener, an API Gateway-supported certificate authority must issue the associated certificate. To use a self-signed certificate or one that a private certificate authority issued, set insecureSkipVerification to true in the integration's tlsConfig extension.
  8. Choose Save.
  9. Deploy the API.

Secure your public Application Load Balancer

The security group rules must allow traffic from the API Gateway IP addresses for the API's AWS Region.

You must use an HTTP header condition to configure an Application Load Balancer listener rule that requires the x-amzn-apigateway-api-id request header to match your API ID.
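
One way to derive both controls and audit an existing listener, as an added example that is not AWS's own code. It assumes the `API_GATEWAY` service entries of AWS's published ip-ranges.json and the boto3 request shapes for `authorize_security_group_ingress` and ELBv2 listener rules; the sample prefixes, rule ARNs and API ID are constructed placeholders.

```python
import ipaddress

HEADER = "x-amzn-apigateway-api-id"

# Constructed sample in the layout of ip-ranges.json (documentation CIDRs, not real AWS ranges).
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "API_GATEWAY"},
    {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "API_GATEWAY"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "API_GATEWAY"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
]}

def apigw_cidrs(ip_ranges, region):
    """API_GATEWAY prefixes for one Region, merged to keep the rule count low."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]
            if p["service"] == "API_GATEWAY" and p["region"] == region]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def sg_ingress(cidrs, port):
    """IpPermissions value for EC2 authorize_security_group_ingress."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": "API Gateway"} for c in cidrs]}]

def header_condition(api_id):
    """Conditions value for an ELBv2 listener rule that requires the API ID header."""
    return [{"Field": "http-header",
             "HttpHeaderConfig": {"HttpHeaderName": HEADER, "Values": [api_id]}}]

def requires_api_id(rule, api_id):
    """True only if the rule has a header condition pinned to exactly this API ID."""
    for cond in rule.get("Conditions", []):
        cfg = cond.get("HttpHeaderConfig", {})
        if (cond.get("Field") == "http-header"
                and cfg.get("HttpHeaderName", "").lower() == HEADER
                and cfg.get("Values") == [api_id]):
            return True
    return False

def unguarded_forward_rules(rules, api_id):
    """ARNs of rules (default rule included) that forward without the header check."""
    return [r["RuleArn"] for r in rules
            if any(a["Type"] == "forward" for a in r["Actions"])
            and not requires_api_id(r, api_id)]

# Constructed rules in the shape elbv2 describe_rules returns; ARNs and API ID are placeholders.
API_ID = "abcde12345"
SAMPLE_RULES = [
    {"RuleArn": "arn:placeholder:rule/guarded", "Conditions": header_condition(API_ID), "Actions": [{"Type": "forward"}]},
    {"RuleArn": "arn:placeholder:rule/wildcard", "Conditions": header_condition("*"), "Actions": [{"Type": "forward"}]},
    {"RuleArn": "arn:placeholder:rule/default", "Conditions": [], "IsDefault": True, "Actions": [{"Type": "forward"}]},
]
```

On the sample rules the audit flags the wildcard rule and the forwarding default rule, the two ways a listener can still pass requests that do not carry your API ID.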

Integrate an API Gateway REST API with a private Application Load Balancer

Complete the following steps:

  1. Use an API Gateway VPC link to integrate your API with a private Network Load Balancer to provide access to your resources within your Amazon Virtual Private Cloud (Amazon VPC).
  2. Use the Network Load Balancer to forward the API request to the private Application Load Balancer.

Secure your private Application Load Balancer

Make sure that you configure a security group rule for the Application Load Balancer that allows only the IP address of the Network Load Balancer.

7 Comments

Great content, Brent!

replied 2 years ago

Is the private integration still relevant? No way to connect to private ALB without VPC Link and NLB??

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

Is this info still accurate?

This documentation mentions that both are allowed, not only NLB. Not sure about apigateway (not apigatewayv2), though.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

In the case of using a public load balancer:

  • How can you assure that the Load Balancer only allows traffic from the API Gateway?
  • Will data egress costs be charged twice due to data passing through two public endpoints?

replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago