I would like to use private API Gateways to organise Lambda functions into microservices, while keeping them invisible from the public internet. I would then like to expose specific calls using a public API Gateway.
How do I get traffic from my public API Gateway to a private API Gateway?
What I've looked at so far
In the past, for container-based resources, I've used the following pattern:
Internet -> API Gateway -> VPC Link -> VPC[NLB -> ECS]
However, I can't find an equivalent bridge to get specific traffic to a private API Gateway. I.e.
Internet -> API Gateway -> ? -> Private Gateway -> Lambda
My instinct tells me that a network-based solution should exist (equivalent to VPC Link), but so far the only suggestions I've had involve:
- Solving using compute ( Internet -> API Gateway -> VPC[Lambda proxy] -> Private Gateway -> Lambda )
- Solving using load balancers ( Internet -> API Gateway -> VPC Link -> VPC[NLB -> ALB] -> Private Gateway -> Lambda )
Both of these approaches strike me as using the wrong (and expensive!) tools for the job. I.e. Compute where no computation is required and (two!!) load balancers where no load balancing is required (as Lambda effectively self-loadbalances).
Alternative solutions
Perhaps there's a better way (other than a private API Gateway) to organise collections of serverless resources into microservices. I'm attempting to use them to present a like-for-like interface that my container-based microservices would have. E.g. Documented (Open API spec), authentication, traffic monitoring, etc.
If using private API Gateways to wrap internal resources into microservices is actually a misuse, and there's a better way to do it, I'm happy to hear it.
AWS OFFICIALUpdated a year ago
It's unfortunate that the NLB is still required, but at least it's better than both my current suggestions (+1). If no alternatives present themselves in the next 24 hours, I'll mark this as the accepted answer. Thanks!
Also, you're right about strict IAM + Cognito. And I will be using both in this solution. But I've seen enough loose/misconfigured IAM policies in my time that I'll be a lot more confident with the additional network isolation.
@Uri what type of target group would you add to the NLB?
Look at point #4 in this blog. It talks about custom domain names for private APIs, but the same idea applies.
Ah! Perfect. That's exactly what I was looking for. Marking as accepted. Thank you.
I've tried to configure the suggested way (public API's protected by Cognito and private using IAM Authorization) but when configuring a http_proxy from the public (Cognito protected) to the private (IAM protected) I keep getting 'forbidden' errors because a Role with correct policies are not part of the request. How would you configure the integration request to the API Gateway that is protected by IAM Authorization?