Private Route 53 to API Gateway
Desired Scenario:
- Private Route 53
- To API Gateway
- To Lambda
- … and so on Why Route 53 for this private situation? Reason: The thought is that the API-gateway is ugly to hit without Route 53.
To add in case it matters to someone here: The request to our AWS solution from an internal non-AWS system will be something like once every 10 minutes. Also, we will be putting in fail-over for this solution.
Have Done So Far
We set up the API Gateway to the Lambda. Investigated the heck out of Route 53 and more. acloud.guru and more. Getting slightly buried in great documentation and sorting out hot-new vs older approaches:
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-private-hosted-zones
Note: How we set up the API Gateway to the Lambda was via CDK’s LambdaRestApi and lambda.Function using @aws-cdk/aws-apigateway and @aws-cdk/aws-lambda respectively. May refactor this via https://docs.aws.amazon.com/solutions/latest/constructs/aws-apigateway-lambda.html . Need to look at this later when time or tonight.
Request for Help
Conceptually, what should we be looking at? Bonus points: What topic should I post CDK posts at? This might warrant its own post elsewhere :)
- Newest
- Most votes
- Most comments
I will complain about the solution with NLB. Why? It's not serverless anymore because NLB is alive all the time and you need to pay for it. Using API Gateway and Lambda we can pay only for usage.
But going back to the question.
FinneyCanHelp, is it a private API Gateway?
If not, you can easily go with CustomDomain available in API Gateway.
If yes, you need to make some tricks. You can go with the solution from Oli or use Route53 alias. In this doc, you can find all methods of invoking Private API Gateway.
If I understand you correctly, you would like to front API Gateway with a friendly hostname configured in Route53. If this is what you are after, consider this post - https://georgemao.medium.com/enabling-private-apis-with-custom-domain-names-aws-api-gateway-df1b62b0ba7c . It's currently an easy workaround that you can use by fronting an NLB with API Gateway but using a custom domain name for your private API Gateway resources.
Relevant content
- asked 9 months ago
- Accepted Answerasked 5 years ago
- asked 4 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
"private API Gateway" = true
Then you can use the automatically created Route53 alias to communicate with private API Gateway as I linked above. It will automatically route your traffic through VPC Endpoint to the API Gateway. But remember to add resource policy to API Gateway to limit traffic only from your VPC or from VPC Endpoint.
Btw. how are you communicating from non-AWS workload to private resources in the VPC?
In regards to "how are you communicating from non-AWS workload to private resources in the VPC?" AWS Direct Connect is part of it from what I understand. In the past, others used VPCE's to route an AWS-thing's traffic from non-AWS to AWS over a private Direct Connect
Use VPCE (of type Interface) to route traffic from non-AWS-system to AWS Route 53. Route 53 to API-Gateway API-Gateway to Lambda
This is related: https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/ and reading the Conclusion at the bottom is important.