API gateway VPC link security group rules

0

I'm looking at using a VPC link V2 with API gateway to allow APIs to access EC2 instances on the VPC. Just need to understand:

  1. Is this possible? The documentation talks about using a load balancer on the VPC. Can I just access an EC2 instance from API gateway without an expensive load balancer?
  2. What ingress rules do I need in the security group to limit access from API gateway?
1 Answer
0

Hello.

After configuring VPC Link v2 and connecting API Gateway to a VPC, you can specify an ALB or NLB in the integration settings.
You can't configure EC2 directly, so you need an ALB configured in between.
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html
https://docs.aws.amazon.com/cli/latest/reference/apigateway/put-integration.html

--integration-target (string)
The ALB or NLB listener to send the request to.

To control connections from API Gateway connected via VPC Link v2, you must allow HTTP and HTTPS in the inbound rules of the ALB security group.
https://aws.amazon.com/jp/blogs/compute/build-scalable-rest-apis-using-amazon-api-gateway-private-integration-with-application-load-balancer/

What did we do with API Gateway?
If you just want to expose an EC2 instance in a private subnet to the public, you can also use CloudFront's VPC Origin.
This allows you to make EC2 publicly available without using an ALB.
https://aws.amazon.com/jp/blogs/aws/introducing-amazon-cloudfront-vpc-origins-enhanced-security-and-streamlined-operations-for-your-applications/

EXPERT
answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
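The chain the answer describes (API Gateway -> VPC Link v2 -> ALB -> EC2), written out as Terraform for the HTTP API (apigatewayv2) resources. This is an added example, not code from the answer or from AWS; it assumes Terraform AWS provider v5, that var.vpc_id, var.private_subnet_ids, var.api_id and var.alb_listener_arn are declared elsewhere, and that the ALB and instance already exist with the alb/ec2 security groups attached. The security point is that each hop's security group admits only the previous hop's security group, never 0.0.0.0/0.

```hcl
# Added example (not the answer's code). var.* are assumed declared elsewhere.
# One security group per hop: VPC link ENIs -> ALB -> EC2 instance.
resource "aws_security_group" "hop" {
  for_each = toset(["vpc_link", "alb", "ec2"])
  name     = "apigw-${each.key}"
  vpc_id   = var.vpc_id
}
# Allowed edges only: the ALB takes 80/443 from the VPC link SG (never 0.0.0.0/0),
# the instance takes its app port (8080 here, assumed) from the ALB SG.
locals {
  edges = {
    alb_http  = { from = "vpc_link", to = "alb", port = 80 }
    alb_https = { from = "vpc_link", to = "alb", port = 443 }
    ec2_app   = { from = "alb", to = "ec2", port = 8080 }
  }
}
resource "aws_vpc_security_group_ingress_rule" "edge" {
  for_each                     = local.edges
  security_group_id            = aws_security_group.hop[each.value.to].id
  referenced_security_group_id = aws_security_group.hop[each.value.from].id
  from_port                    = each.value.port
  to_port                      = each.value.port
  ip_protocol                  = "tcp"
}
# Terraform removes the default allow-all egress rule, so permit only the next hop.
resource "aws_vpc_security_group_egress_rule" "edge" {
  for_each                     = local.edges
  security_group_id            = aws_security_group.hop[each.value.from].id
  referenced_security_group_id = aws_security_group.hop[each.value.to].id
  from_port                    = each.value.port
  to_port                      = each.value.port
  ip_protocol                  = "tcp"
}
# VPC Link v2 in the private subnets, carrying the vpc_link security group.
resource "aws_apigatewayv2_vpc_link" "this" {
  name               = "ec2-via-alb"
  security_group_ids = [aws_security_group.hop["vpc_link"].id]
  subnet_ids         = var.private_subnet_ids
}
# Private integration targets the ALB listener; an EC2 instance cannot be the target.
resource "aws_apigatewayv2_integration" "alb" {
  api_id             = var.api_id
  integration_type   = "HTTP_PROXY"
  integration_method = "ANY"
  connection_type    = "VPC_LINK"
  connection_id      = aws_apigatewayv2_vpc_link.this.id
  integration_uri    = var.alb_listener_arn
}
```

Because the instance's security group only references the ALB's, the EC2 instance is reachable solely through the listener the integration points at, which is the ingress restriction the question asks about.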
