Seeking Guidance on Configuring Internal IPs and VPC Endpoints for Multiple API Gateways


Dear Community,

I am reaching out with a specific implementation requirement. Our setup necessitates the use of multiple API Gateways, and we also need to make each API Gateway accessible via one or more VPC Endpoints for use in a Site-to-Site VPN.

According to the documentation and current configuration, I am encountering challenges. Specifically, I am limited by the constraint that only one VPC Endpoint can be used to invoke an API Gateway via a single domain (execute-api). When attempting to add the domain to another VPC Endpoint, it indicates that the domain is already defined in a different VPC Endpoint.

Consolidating all events into a single API Gateway is not feasible for us. We have similar stages across multiple API Gateways, and creating a structure to distinguish which service to invoke becomes exceedingly complex, especially when multiple developers are modifying the same API Gateway.

Could you please advise on the following:

  1. Is it possible to configure multiple internal IP addresses to invoke different API Gateways via multiple VPC Endpoints?
  2. Can a single VPC Endpoint be used to invoke multiple API Gateways?
  3. Do you have any recommendations or suggestions for managing this setup effectively?

Thank you for your assistance.

Best regards,

2 Answers

Hello.

Is it possible to configure multiple internal IP addresses to invoke different API Gateways via multiple VPC Endpoints?

Sorry if I didn't understand your question correctly.
If you enable private DNS for the VPC endpoint, the API Gateway's DNS name will be converted to the VPC endpoint's IP address from within the VPC, so I think there is no need to configure a VPC endpoint for each API Gateway.

For example, when you deploy API Gateway, the following API endpoints will be issued.
At this time, by enabling the private DNS name of the VPC endpoint, accessing the following API endpoint from within the VPC will access the private IP address of the VPC endpoint.
Therefore, if you have two API Gateways as shown below and access each API endpoint from within the VPC, there will be no problem.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

# API No.1
https://xxxxxxabcd.execute-api.ap-northeast-1.amazonaws.com/dev

# API No.2
https://xxxxxxefgh.execute-api.ap-northeast-1.amazonaws.com/dev

Can a single VPC Endpoint be used to invoke multiple API Gateways?

As answered in the question above, it is possible to access multiple API Gateways with one VPC endpoint.
When accessing API Gateway from a VPC via a VPC endpoint, if you enable private DNS, you can access it without setting "x-apigw-api-id" in the header.

Do you have any recommendations or suggestions for managing this setup effectively?

If you set up a VPC endpoint and enable private DNS, you will be able to access only the private API Gateway from within the VPC and not the public API Gateway.
If you also need access to the public API Gateway, disable the private DNS of the VPC endpoint, and set "x-apigw-api-id" in the header to access the private API Gateway via the VPC endpoint.
Specifically, the access method is as follows.

curl https://vpce-XXXXXXXXXXXXX1234-XXXXXXXX.execute-api.ap-northeast-1.vpce.amazonaws.com/dev -H 'x-apigw-api-id: XXXXXXabcd'

EXPERT
answered 2 months ago
  • Dear Riku_Kobayashi,

    Thank you for your response. I apologize if I did not fully articulate the scenario. The issue we are encountering involves an on-premises infrastructure consuming multiple API Gateways, which are connected through a Site-to-Site VPN.

    The practical implementation has become challenging as we are unable to invoke the API as you suggested. For your reference, the API endpoint we are working with is:

    https://xxxxxxefgh.execute-api.ap-northeast-1.amazonaws.com/dev

    According to the documentation, invoking a privately configured API should be done using the following syntax:

    https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}

    Any additional guidance on how to address this issue would be greatly appreciated.

    Best regards,

  • According to the documentation, invoking a privately configured API should be done using the following syntax: https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}

    This issue is described in the documentation below and can be resolved by using private DNS. By using private DNS, you can use regular API Gateway API endpoints without using the VPC endpoint DNS name. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w75aac15c20c17c15c15
    I think it is possible to use API Gateway's API endpoint even when accessing a VPC endpoint from on-premises. The AWS blog below is an example of accessing the S3 interface VPC endpoint from on-premises, but you can also do the same with API Gateway's VPC endpoint. In other words, I think you should be able to resolve the name of the API endpoint to the IP address of the VPC endpoint using RPZ or Route53 inbound endpoint, as shown in the AWS blog below. https://aws.amazon.com/jp/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/
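The two access modes described in this answer (private DNS enabled, or the endpoint's own DNS name plus the x-apigw-api-id header), together with a resolver check that tells an on-premises caller whether the execute-api name really maps to the endpoint, as an added example that is not from the answer or from AWS. All IDs, DNS names and the VPC CIDR are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed placeholders, not real identifiers.
REST_API_ID = "xxxxxxabcd"
REGION = "ap-northeast-1"
STAGE = "dev"
VPCE_ID = "vpce-XXXXXXXXXXXXX1234"
VPCE_DNS = f"{VPCE_ID}-XXXXXXXX.execute-api.{REGION}.vpce.amazonaws.com"


def execute_api_host(rest_api_id: str, region: str) -> str:
    """Regular execute-api hostname issued when the API is deployed."""
    return f"{rest_api_id}.execute-api.{region}.amazonaws.com"


def invoke_request(rest_api_id: str, region: str, stage: str,
                   vpce_dns: str, private_dns_resolves: bool) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for calling a private REST API through the endpoint.

    private_dns_resolves: True when the caller's resolver maps the ordinary
    execute-api name to the endpoint's private IPs (private DNS inside the VPC,
    or an on-premises resolver forwarding to a Route 53 inbound endpoint).
    In that case no header is needed. Otherwise the endpoint's own DNS name is
    used and x-apigw-api-id tells the endpoint which API is being invoked.
    """
    if private_dns_resolves:
        return f"https://{execute_api_host(rest_api_id, region)}/{stage}", {}
    return f"https://{vpce_dns}/{stage}", {"x-apigw-api-id": rest_api_id}


def private_dns_steers_to_endpoint(resolved_ips: Iterable[str], vpc_cidr: str) -> bool:
    """True only if every address returned for the execute-api hostname lies
    inside the VPC, i.e. the name maps to the endpoint's interfaces and not to
    the public API Gateway edge. An empty answer is treated as a failure."""
    net = ipaddress.ip_network(vpc_cidr)
    ips = list(resolved_ips)
    return bool(ips) and all(ipaddress.ip_address(ip) in net for ip in ips)


if __name__ == "__main__":
    # Constructed resolver answers: the first is what private DNS should return,
    # the second is what an on-premises resolver returns with no forwarding rule.
    print(private_dns_steers_to_endpoint(["10.0.1.23", "10.0.2.45"], "10.0.0.0/16"))
    print(private_dns_steers_to_endpoint(["52.1.2.3"], "10.0.0.0/16"))
    print(invoke_request(REST_API_ID, REGION, STAGE, VPCE_DNS, private_dns_resolves=False))
```

Run the check against whatever your on-premises resolver actually returns for the execute-api hostname; a public address means the endpoint's private DNS is not being consulted from that network.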


Hi,

I think that this article presents an architecture that is somewhat close (not exactly identical) to what you're trying to achieve: https://medium.com/@satyajit.samantaray/centralize-access-using-vpc-interface-endpoints-to-access-aws-services-across-multiple-vpcs-using-a586c846b48

It may provide you some inspiration to refine your current design.

Best,

Didier

AWS
EXPERT
answered 2 months ago
