Hello.
Is it possible to configure multiple internal IP addresses to invoke different API Gateways via multiple VPC Endpoints?
Sorry if I didn't understand your question correctly.
If you enable private DNS for the VPC endpoint, the API Gateway's DNS name will resolve to the VPC endpoint's IP address from within the VPC, so I think there is no need to configure a VPC endpoint for each API Gateway.
For example, when you deploy API Gateway, the following API endpoints will be issued.
At this time, by enabling the private DNS name of the VPC endpoint, access to the following API endpoints from within the VPC will go to the private IP address of the VPC endpoint.
Therefore, if you have two API Gateways as shown below and access each API endpoint from within the VPC, there will be no problem.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
# API No.1
https://xxxxxxabcd.execute-api.ap-northeast-1.amazonaws.com/dev
# API No.2
https://xxxxxxefgh.execute-api.ap-northeast-1.amazonaws.com/dev
Can a single VPC Endpoint be used to invoke multiple API Gateways?
As answered in the question above, it is possible to access multiple API Gateways with one VPC endpoint.
When accessing API Gateway from a VPC via a VPC endpoint, if you enable private DNS, you can access it without setting "x-apigw-api-id" in the header.
Do you have any recommendations or suggestions for managing this setup effectively?
If you set up a VPC endpoint and enable private DNS, you will be able to access only the private API Gateway from within the VPC and not the public API Gateway.
If you also need access to the public API Gateway, disable the private DNS of the VPC endpoint, and set "x-apigw-api-id" in the header to access the private API Gateway via the VPC endpoint.
Specifically, the access method is as follows.
curl https://vpce-XXXXXXXXXXXXX1234-XXXXXXXX.execute-api.ap-northeast-1.vpce.amazonaws.com/dev -H 'x-apigw-api-id: XXXXXXabcd'
Hi,
I think that this article presents an architecture that is somewhat close (not exactly identical) to what you're trying to achieve: https://medium.com/@satyajit.samantaray/centralize-access-using-vpc-interface-endpoints-to-access-aws-services-across-multiple-vpcs-using-a586c846b48
It may provide you some inspiration to refine your current design.
Best,
Didier
Dear Riku_Kobayashi,
Thank you for your response. I apologize if I did not fully articulate the scenario. The issue we are encountering involves an on-premises infrastructure consuming multiple API Gateways, which are connected through a Site-to-Site VPN.
The practical implementation has become challenging as we are unable to invoke the API as you suggested. For your reference, the API endpoint we are working with is:
https://xxxxxxefgh.execute-api.ap-northeast-1.amazonaws.com/dev
According to the documentation, invoking a privately configured API should be done using the following syntax:
https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}
Any additional guidance on how to address this issue would be greatly appreciated.
Best regards,
This issue is described in the documentation below and can be resolved by using private DNS. By using private DNS, you can use regular API Gateway API endpoints without using the VPC endpoint DNS name. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w75aac15c20c17c15c15
I think it is possible to use API Gateway's API endpoint even when accessing a VPC endpoint from on-premises. The AWS blog below is an example of accessing the S3 interface VPC endpoint from on-premises, but you can do the same with API Gateway's VPC endpoint. In other words, I think you should be able to resolve the name of the API endpoint to the IP address of the VPC endpoint using an RPZ or a Route 53 inbound endpoint, as shown in the AWS blog below. https://aws.amazon.com/jp/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/
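The two invocation forms discussed in this thread (regular execute-api hostname with private DNS enabled, versus the endpoint's own DNS name plus the x-apigw-api-id header, or the {rest-api-id}-{vpce-id} hostname, when it is disabled) and the on-premises resolution question in the last reply can be checked from the client side. The script below is an added example written for this page, not code from the thread or from AWS: it resolves each API's execute-api hostname, treats an all-private (RFC 1918) answer as evidence that private DNS, an RPZ or a Route 53 inbound endpoint is steering the name to the endpoint ENIs, and picks the matching URL and headers. The region, stage and the two API IDs come from the thread; the VPC endpoint ID, its DNS name and the resolver responses are constructed placeholders.

```python
"""Decide how to call private API Gateway APIs through an interface VPC endpoint.

Added example for illustration; IDs and addresses below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

REGION = "ap-northeast-1"
STAGE = "dev"
API_IDS = ["xxxxxxabcd", "xxxxxxefgh"]            # API No.1 and No.2 from the thread
VPCE_ID = "vpce-0123456789abcdef0"                # assumed endpoint ID (placeholder)
VPCE_DNS = f"{VPCE_ID}-abcd1234.execute-api.{REGION}.vpce.amazonaws.com"  # assumed endpoint DNS name

# A resolver has the shape of socket.gethostbyname_ex: host -> (name, aliases, addrs).
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def execute_api_host(api_id: str, region: str = REGION) -> str:
    """Regular API Gateway hostname, the one private DNS overrides inside the VPC."""
    return f"{api_id}.execute-api.{region}.amazonaws.com"


def resolves_privately(host: str, resolve: Resolver = socket.gethostbyname_ex) -> bool:
    """True only if every A record for host is a private address.

    Inside the VPC with private DNS on, or on-premises with an RPZ / Route 53
    inbound endpoint, the answer is the endpoint's ENI addresses. A public or
    mixed answer means traffic would leave for the public execute-api service.
    """
    try:
        _, _, addrs = resolve(host)
    except OSError:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_private for a in addrs)


def invocation(api_id: str, private_dns: bool, stage: str = STAGE,
               region: str = REGION, vpce_dns: str = VPCE_DNS) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a private API.

    private_dns True : regular hostname, no extra header.
    private_dns False: endpoint DNS name plus x-apigw-api-id so the endpoint
                       knows which API to route to.
    """
    if private_dns:
        return f"https://{execute_api_host(api_id, region)}/{stage}", {}
    return f"https://{vpce_dns}/{stage}", {"x-apigw-api-id": api_id}


def combined_hostname_url(api_id: str, vpce_id: str = VPCE_ID,
                          stage: str = STAGE, region: str = REGION) -> str:
    """Header-free alternative: the {rest-api-id}-{vpce-id} hostname from the docs."""
    return f"https://{api_id}-{vpce_id}.execute-api.{region}.amazonaws.com/{stage}"


def plan(api_ids: List[str], resolve: Resolver = socket.gethostbyname_ex) -> Dict[str, dict]:
    """For each API, probe resolution from this host and choose the invocation form."""
    result = {}
    for api_id in api_ids:
        private = resolves_privately(execute_api_host(api_id), resolve)
        url, headers = invocation(api_id, private)
        result[api_id] = {
            "private_dns": private,
            "url": url,
            "headers": headers,
            "alt_url": combined_hostname_url(api_id),
        }
    return result


if __name__ == "__main__":
    # Constructed resolver standing in for a client whose DNS returns the endpoint ENIs.
    def fake_resolve(host: str):
        return host, [], ["10.0.1.25", "10.0.2.41"]

    for api_id, p in plan(API_IDS, fake_resolve).items():
        print(api_id, p)
```

Run it without the fake resolver (call `plan(API_IDS)`) from the on-premises host: if `private_dns` comes back False for a hostname that should reach the endpoint, the conditional forwarding or RPZ described in the last reply is not in effect yet, and the header-based or combined-hostname form is the fallback. Note that with private DNS enabled on the endpoint, public APIs in the same region are no longer reachable from that VPC, as stated in the first answer, so the two forms are not freely mixable.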