By using AWS re:Post, you agree to the Terms of Use

How to get traffic from a public API Gateway to a private one?


I would like to use private API Gateways to organise Lambda functions into microservices, while keeping them invisible from the public internet. I would then like to expose specific calls using a public API Gateway.

How do I get traffic from my public API Gateway to a private API Gateway?

What I've looked at so far

In the past, for container-based resources, I've used the following pattern:

Internet -> API Gateway -> VPC Link -> VPC[NLB -> ECS]

However, I can't find an equivalent bridge to get specific traffic to a private API Gateway. I.e.

Internet -> API Gateway -> ? -> Private Gateway -> Lambda

My instinct tells me that a network-based solution should exist (equivalent to VPC Link), but so far the only suggestions I've had involve:

  • Solving using compute ( Internet -> API Gateway -> VPC[Lambda proxy] -> Private Gateway -> Lambda )
  • Solving using load balancers ( Internet -> API Gateway -> VPC Link -> VPC[NLB -> ALB] -> Private Gateway -> Lambda )

Both of these approaches strike me as using the wrong (and expensive!) tools for the job. I.e. Compute where no computation is required and (two!!) load balancers where no load balancing is required (as Lambda effectively self-loadbalances).

Alternative solutions

Perhaps there's a better way (other than a private API Gateway) to organise collections of serverless resources into microservices. I'm attempting to use them to present a like-for-like interface that my container-based microservices would have. E.g. Documented (Open API spec), authentication, traffic monitoring, etc.

If using private API Gateways to wrap internal resources into microservices is actually a misuse, and there's a better way to do it, I'm happy to hear it.

1 Answers
Accepted Answer

The only way to get from API Gateway to private resources is using VPC Link, and VPC Link requires an NLB (No need for an ALB between the NLB and the endpoints). So your path will be: Public API -> VPC Link -> NLB -> Private API VPC Endpoint -> Private API.

Saying that, you don't really must use private APIs. you could just protect the internal APIs' endpoints using IAM and the ones that you want public using some other approach (e.g. Cognito).

answered a month ago
  • It's unfortunate that the NLB is still required, but at least it's better than both my current suggestions (+1). If no alternatives present themselves in the next 24 hours, I'll mark this as the accepted answer. Thanks!

    Also, you're right about strict IAM + Cognito. And I will be using both in this solution. But I've seen enough loose/misconfigured IAM policies in my time that I'll be a lot more confident with the additional network isolation.

  • @Uri what type of target group would you add to the NLB?

  • Look at point #4 in this blog. It talks about custom domain names for private APIs, but the same idea applies.

  • Ah! Perfect. That's exactly what I was looking for. Marking as accepted. Thank you.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions