How does APIGW -> VPC Link -> Public ALB work?

I have an architecture wherein APIGW has a private integration using a VPC link to a public ALB.

Assuming that I cannot change the architecture, what should be my security group rule for ALB? Currently, I have a 0.0.0.0 inbound rule, can I restrict it to something?

1 Answer
Hi Exter, now that I got some context also from your other questions, it feels like something is odd. I see the current architecture you have is as follows: APIGW -> VPC Link -> Private NLB -> Public ALB.

The part that seems odd is that your architecture is placing a public ALB behind a private NLB, instead of a private/internal ALB (as APIGW -> VPC Link -> Private NLB -> Internal ALB). I assume you cannot change the architecture, but typically, with public ALBs, you would just use API Gateway HTTP integrations, while VPC Link fits more for private integrations.

To answer your question, VPC Link requires a Network Load Balancer, so, as your Application Load Balancer is a target of the NLB, you should follow this: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html.

EXPERT
answered a month ago
  • No, the current architecture is:

    APIGW -> VPC Link -> Public ALB.

    The ALB security group has an inbound rule for 0.0.0.0/0, which is what I want to avoid. I can make an architecture change if it is a must, but the ALB has to be public.

    Introducing NLB is one of the options I found....

  • Are you sure that you are linking the VPC Link directly with a public ALB? Can you share details of the VPC Link, because even when you go to the UI, when creating a VPC Link, you can only associate it with a Network Load Balancer, as you cannot have VPC Link -> ALB directly.

  • Yes, I am sure that APIGW is linked to the public ALB using a VPC link.

    We can link both NLB/ALB using VPC Link:

    https://repost.aws/knowledge-center/api-gateway-alb-integration

    Integration type: Private resource

    Target service: ALB
