Hi,
Placing Amazon API Gateway in front of your load balancer as the entry door to your backend running on EC2 instances does indeed follow best practices. I understand you want to access your custom API server running in your EC2 instance securely and privately via API Gateway. An alternative understanding is that you want to call EC2 service API actions (e.g. "AcceptReservedInstancesExchangeQuote") via API Gateway, but you would require a complex implementation to support them all using the "AWS Service" integration type, which I think is not the requirement here.
**Solution:** use a public REST API from API Gateway with private integration via VPC Link, a private network load balancer (NLB) from the Elastic Load Balancing (ELB) service, a VPC with at least 2 subnets (1 public with a NAT Gateway, and 1 private), and an EC2 instance running your custom API server placed inside the private subnet with a route pointing to the Internet via the NAT Gateway placed in the public subnet. Place the RDS instance in the private subnet.
References:
- Set up API Gateway private integrations: the API Gateway private integration makes it simple to expose your HTTP/HTTPS resources within an Amazon VPC for access by clients outside of the VPC -- https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html
- NAT Gateways: you can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances -- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Now, coming to your final question list:
- Place your EC2 instance in a private subnet with a route to a NAT Gateway placed in a public subnet with an Internet Gateway to access the Internet. Place the RDS instance in the private subnet.
- Internal NLB. Follow instructions from https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-nlb-for-vpclink-using-console.html
- In REST API configuration in API Gateway, integration request part for private integrations, if you use integration type "VPC Link" the configuration options are "VPC Link" as the resource that you are required to create to make the API Gateway-to-NLB connection, and the "Endpoint URL" which is the DNS name (A Record) from the internal NLB or the DNS name of the server running in your EC2 instance. Do not use integration type "AWS Service" (hence, no AWS subdomain).
- Do not use the EC2 instance to defend you against DDoS attacks. Use API Gateway instead -- https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/protecting-api-endpoints-bp4.html and leverage AWS WAF via a WebACL to protect your REST API endpoint -- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
Kind regards,
Luis
I created the VPC, with the subnets and the NAT. When I create the EC2, is there anything special I should put in the Configure Security Group section? Or do I just accept the default SSH TCP at port 22 to 0.0.0.0/0? My only need is that the FastApi server reads at port 80
Context: API Gateway uses the VPC Link to send traffic to the Load Balancer. All traffic to the VPC Link from API Gateway is always allowed because the VPC Link is not a foreign entity, it is internal to API Gateway.
Answer: for REST VPC Links, since there are no ENIs created in your VPC and NLBs do not support Security Groups, the concept of Security Groups simply does not apply.
ok, so I understand it goes with the default, like in https://cloud-gc.readthedocs.io/en/latest/_images/choose_security_group.png
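The VPC Link and the NLB carry no security group, but the EC2 instance itself still does, and that is the one the launch wizard asks about. The following is an added example (not from this thread or from AWS) that audits an instance security group, in the shape boto3's describe_security_groups returns, for the layout discussed above: a private-subnet instance whose only intended caller is the NLB reached through the VPC Link. The VPC CIDR, the admin subnet and the two sample groups are constructed values.

```python
import ipaddress

# Constructed sample values (not from the thread): VPC CIDR and two instance
# security groups in the shape boto3 describe_security_groups returns.
VPC_CIDR = "10.0.0.0/16"
APP_PORT = 80  # the FastAPI listener from the question

DEFAULT_WIZARD_SG = {  # launch-wizard default: SSH open to the world
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
HARDENED_SG = {  # app port from inside the VPC only, SSH from an admin subnet
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
}


def _ports(perm: dict) -> str:
    if perm.get("IpProtocol") == "-1":
        return "all"
    return f'{perm.get("FromPort")}-{perm.get("ToPort")}'


def audit_instance_sg(sg: dict, vpc_cidr: str = VPC_CIDR, app_port: int = APP_PORT) -> list:
    """Findings for an instance in a private subnet behind an internal NLB that
    API Gateway reaches through a VPC Link. Rules that reference another security
    group (UserIdGroupPairs) are not evaluated here."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, app_rule_ok = [], False
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            # an Internet-wide or all-protocol rule has no business on a
            # private-subnet instance whose only intended caller is the NLB
            if cidr == "0.0.0.0/0" or proto == "-1":
                findings.append(f"open rule: {proto}/{_ports(perm)} from {cidr}")
                continue
            if proto == "tcp" and perm["FromPort"] <= app_port <= perm["ToPort"]:
                if ipaddress.ip_network(cidr).subnet_of(vpc):
                    app_rule_ok = True  # NLB node private IPs lie inside the VPC CIDR
                else:
                    findings.append(f"port {app_port} allowed from outside the VPC: {cidr}")
    if not app_rule_ok:
        findings.append(f"no rule admits tcp/{app_port} from the VPC CIDR {vpc_cidr}")
    return findings
```

Running it over DEFAULT_WIZARD_SG reports the world-open SSH rule and the missing port 80 rule; HARDENED_SG produces no findings.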