ApiGateway to control an EC2 instance with load balancer running a FastAPI

0

I have an EC2 instance that is running FastAPI (Python). This EC2 has a public IP, which is linked to a subdomain of my website. I can access the API using API Gateway through this HTTP link. However, I want to make it private, and to have a load balancer. What's the best approach I can follow, and the steps to do it? I have doubts when creating all the security private/public things.

Is this idea correct?

  1. Create an EC2 instance in a private subnet (is it also necessary to have a private VPC?). Run FastAPI inside this EC2. (Doubt: how can I connect to the EC2 to install FastAPI if it's private?) This EC2 must be able to access an RDS instance.
  2. Create the Load Balancer. I was going to choose a Network Load Balancer. What type do I have to choose? Internet-facing or internal?
  3. Create the REST API Gateway and connect it to AWS Service. What's the "AWS subdomain"? What's the difference between the action types? What role should I put? How do I connect to a specific EC2? FastAPI gets everything that is sent to port 80.
  4. To avoid DDoS attacks, is it enough to use the EC2 limit of calls?
1 Answer
1
Accepted Answer

Hi,

Placing Amazon API Gateway in front of your load balancer as the entry door to your backend running on EC2 instances indeed follows best practices. I understand you want to access your custom API server running in your EC2 instance securely and privately via API Gateway. An alternative understanding is that you want to call EC2 service API actions (e.g. "AcceptReservedInstancesExchangeQuote") via API Gateway, but you would require a complex implementation to support them all using the "AWS Service" integration type, which I think is not the requirement here.

**Solution:** use a public REST API from API Gateway with private integration via VPC Link, a private network load balancer (NLB) from the Elastic Load Balancing (ELB) service, a VPC with at least 2 subnets (1 public with a NAT Gateway, and 1 private), and an EC2 instance running your custom API server placed inside the private subnet with a route pointing to the Internet via the NAT Gateway placed in the public subnet. Place the RDS instance in the private subnet.

References:

Now, coming to your final question list:

  1. Place your EC2 instance in a private subnet with a route to a NAT Gateway placed in a public subnet with an Internet Gateway to access the Internet. Place the RDS instance in the private subnet.
  2. Internal NLB. Follow instructions from https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-nlb-for-vpclink-using-console.html
  3. In the REST API configuration in API Gateway, in the integration request part for private integrations, if you use integration type "VPC Link" the configuration options are "VPC Link", the resource that you are required to create to make the API Gateway-to-NLB connection, and the "Endpoint URL", which is the DNS name (A record) of the internal NLB or the DNS name of the server running in your EC2 instance. Do not use integration type "AWS Service" (hence, no AWS subdomain).
  4. Do not use the EC2 instance to defend you against DDoS attacks. Use API Gateway instead -- https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/protecting-api-endpoints-bp4.html and leverage AWS WAF via a WebACL to protect your REST API endpoint -- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

Kind regards,

Luis

AWS
answered 2 years ago
EXPERT
reviewed a month ago
  • I created the VPC, with the subnets and the NAT. When I create the EC2, is there anything special I should put in the Configure Security Group section? Or do I just accept the default SSH TCP on port 22 from 0.0.0.0/0? My only need is that the FastAPI server listens on port 80.

  • Context: API Gateway uses the VPC Link to send traffic to the Load Balancer. All traffic to the VPC Link from API Gateway is always allowed because the VPC Link is not a foreign entity, it is internal to API Gateway.

    Answer: for REST VPC Links, since there are no ENIs created in your VPC and NLBs do not support Security Groups, the concept of Security Groups simply does not apply.

  • ok, so I understand it goes with the default, like in https://cloud-gc.readthedocs.io/en/latest/_images/choose_security_group.png
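As an added example (not code from the question, the answer or AWS), here is one CloudFormation template that wires together the pieces Luis lists: a regional REST API whose `{proxy+}` method uses a VPC Link integration, the VPC Link itself, an internal NLB with a TCP listener on port 80, and the EC2 instance in the private subnet as the NLB target. It assumes the VPC, the public subnet with the NAT Gateway and the private subnet already exist (as in the follow-up comment) and takes their IDs as parameters; the resource names, the `10.0.0.0/16` default CIDR, the `t3.micro` instance type and the Amazon Linux 2023 AMI lookup are this example's own choices. It also covers the security-group question from the comments: the instance's own group allows only TCP 80 from addresses inside the VPC (the NLB forwards from private IPs), and instead of the console's default SSH-from-0.0.0.0/0 rule the instance gets an IAM role for Systems Manager Session Manager, which is how you open a shell on a private instance to install FastAPI.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Example only. Assumes an existing VPC with a public subnet (NAT Gateway) and a private subnet.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16   # assumed value; use your own VPC CIDR
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
Resources:
  # Role for Systems Manager Session Manager: an interactive shell on the private
  # instance (SSM endpoints are reached through the NAT route), so no inbound SSH rule.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement: [{ Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }]
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [!Ref InstanceRole] }
  # Instance security group: port 80 only, and only from inside the VPC.
  # No 0.0.0.0/0 rule at all; the NLB and its health checks use private IPs.
  ApiServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: FastAPI server, HTTP from inside the VPC only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: !Ref VpcCidr }
  ApiServerInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref PrivateSubnetId     # private subnet, no public IP
      IamInstanceProfile: !Ref InstanceProfile
      SecurityGroupIds: [!Ref ApiServerSecurityGroup]
  # Internal NLB: TCP 80 -> the instance. "internal" means no public endpoint;
  # only the VPC Link below can reach it from outside the VPC.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 80
      TargetType: instance
      Targets: [{ Id: !Ref ApiServerInstance }]
  InternalNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Type: network, Scheme: internal, Subnets: [!Ref PrivateSubnetId] }
  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref InternalNlb
      Protocol: TCP
      Port: 80
      DefaultActions: [{ Type: forward, TargetGroupArn: !Ref TargetGroup }]
  # VPC Link (integration type "VPC Link" in the console) plus a proxy method
  # whose Endpoint URL is the internal NLB's DNS name.
  ApiVpcLink:
    Type: AWS::ApiGateway::VpcLink
    Properties:
      Name: fastapi-vpc-link
      TargetArns: [!Ref InternalNlb]
  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties: { Name: fastapi-private-backend, EndpointConfiguration: { Types: [REGIONAL] } }
  ProxyResource:
    Type: AWS::ApiGateway::Resource
    Properties: { RestApiId: !Ref RestApi, ParentId: !GetAtt RestApi.RootResourceId, PathPart: "{proxy+}" }
  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: NONE
      RequestParameters: { method.request.path.proxy: true }
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK
        ConnectionId: !Ref ApiVpcLink
        Uri: !Sub "http://${InternalNlb.DNSName}/{proxy}"
        RequestParameters:
          integration.request.path.proxy: method.request.path.proxy
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: ProxyMethod
    Properties: { RestApiId: !Ref RestApi, StageName: prod }
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name fastapi-private --capabilities CAPABILITY_IAM --parameter-overrides VpcId=... PrivateSubnetId=... VpcCidr=...`, then start uvicorn on port 80 from a Session Manager shell. The API is reachable at the stage's `execute-api` URL, while the NLB and the instance have no public address. The AWS WAF WebACL from item 4 of the answer is a separate resource and its association with the `prod` stage is not included here.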
