HTTP APIGW with VPCLINK


Hi All,

I have built an HTTP APIGW with a VPC Link to connect to an ALB in a VPC. Now I want to understand the use of security groups on the VPC Link. No matter what inbound rules I put in the SG, I can connect to the backend resources from the internet. I was under the impression that I would be able to control access via the security groups on the VPC Link, but it doesn't seem to work like that.

I am looking to open access to a list of IPs only. As HTTP API GW doesn't support resource policies or WAF, I was hoping to leverage the VPC Link SG for this.

Any ideas?

  • Hello there, were you able to find out how to solve it? Facing the same issue here :)

2 Answers

HTTP VPC Link is an integral part of API Gateway and is better understood as being part of the same logical entity. What this effectively means is that API Gateway does not actually send traffic to the VPC Link; it rather uses the VPC Link to send traffic to the Load Balancer.

Therefore, the Inbound Rules in the Security Groups attached to an HTTP VPC Link simply do not apply: all traffic to the VPC Link from API Gateway is always allowed because the VPC Link is not a foreign entity, it is internal to API Gateway. On the other hand, Outbound Rules do apply because the traffic is sent outbound to a foreign entity (an ELB).

AWS SUPPORT ENGINEER, answered 10 months ago
  • What if I don't attach any SG? How does VPC Link behave then?

  • I wonder why I'm getting a 503 from my service if there is no security group attached to the VPC Link? What is stranger for me is that when I attached the ECS service SG (which has inbound on port 3000 with the ALB SG as the source, and outbound 'allow-all'), the service is accessible through API Gateway -> VPC Link -> ALB (private) -> ECS. Why??? It doesn't make sense, so I created a separate SG for the VPC Link with inbound on 80 and 443 and 'all outbound', and it is working fine too.

  • @AgawAbhi It is (currently) untrue that the VPC Link always forwards traffic to an ELB even without a Security Group, because if you remove the ingress/egress rules from your default VPC Security Group, as recommended, then traffic will not pass through, and you will see a 503 just as @Jarek is experiencing.

    I saw the same, and fixed it by adding a new Security Group to my VPC Link. It seemed to work fine with just an ingress rule set to the same protocol/port as my ALB and the default "allow all" egress, but I locked it down further by adding an egress rule peer-linked to my ALB.

  • @Jarek The VPC Link will forward the traffic to the ELB even without having any Security Group. The feature of being able to attach Security Groups to an HTTP VPC Link is especially useful, for example, in a scenario where we would like to allow access to an ALB only from the VPC Link, but every other resource in the VPC should not be allowed to access the ALB. In such a case, we can attach a Security Group to the VPC Link and create a rule in the ALB Security Group that allows HTTP/HTTPS traffic only from the VPC Link Security Group. This option is preferred over hardcoding the VPC Link IPs in the ALB Security Group.
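The pattern the support engineer describes (VPC Link security group with only an egress rule, ALB security group that admits only that group) written out as Terraform. This is an added example, not code from the thread or from AWS; the variable names, the resource names, the port (443) and the existence of an HTTP API, a private ALB listener and private subnets are assumptions.

```hcl
# Added example (AWS provider >= 5.x), not from the original thread.
# Names, ports and the four input variables below are assumptions.

variable "vpc_id"           { type = string }        # existing VPC
variable "private_subnets"  { type = list(string) }  # subnets for the VPC Link ENIs
variable "alb_listener_arn" { type = string }        # listener on the private ALB
variable "http_api_id"      { type = string }        # existing HTTP API

# Security group attached to the VPC Link. Per the answer above, inbound rules
# on this group are not evaluated for traffic coming from API Gateway, so none
# are defined. The only rule is egress, and it is scoped to the ALB's security
# group instead of 0.0.0.0/0.
resource "aws_security_group" "vpc_link" {
  name        = "http-api-vpc-link"
  description = "Egress from the HTTP API VPC Link to the private ALB only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "vpc_link_to_alb" {
  security_group_id            = aws_security_group.vpc_link.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.alb.id
}

# Security group on the ALB. Its single inbound rule references the VPC Link
# group, so only the VPC Link ENIs can reach the listener; other resources in
# the VPC are refused and no VPC Link IP addresses are hard-coded.
# (The ALB's own egress to its targets is outside this example.)
resource "aws_security_group" "alb" {
  name        = "private-alb"
  description = "Ingress only from the HTTP API VPC Link"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_from_vpc_link" {
  security_group_id            = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.vpc_link.id
}

resource "aws_apigatewayv2_vpc_link" "this" {
  name               = "http-api-to-private-alb"
  security_group_ids = [aws_security_group.vpc_link.id]
  subnet_ids         = var.private_subnets
}

# Proxy integration that sends the HTTP API's requests through the VPC Link
# to the ALB listener.
resource "aws_apigatewayv2_integration" "alb" {
  api_id             = var.http_api_id
  integration_type   = "HTTP_PROXY"
  integration_method = "ANY"
  integration_uri    = var.alb_listener_arn
  connection_type    = "VPC_LINK"
  connection_id      = aws_apigatewayv2_vpc_link.this.id
}
```

Note what this does and does not give you. It stops anything in the VPC other than the VPC Link from reaching the ALB, which is the use case the answer describes. It does not restrict which internet clients can call the API, because, as the answer explains, inbound rules on the VPC Link group are not evaluated for API Gateway traffic. Two commenters in this thread also report a 503 when the VPC Link has no security group or one with no rules, which the support engineer disputes; the configuration above does not depend on who is right, since it always attaches a group with an explicit egress rule. Verify the resulting behaviour in your own account before relying on it.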


You can use this chart to determine whether to choose HTTP or REST APIs - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html

If WAF capabilities are important to you, then definitely go with REST APIs.

Is there any particular feature in HTTP that you care about, that's not present in REST APIs?

AWS EXPERT, answered 2 years ago
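The asker's actual goal was to admit a list of source IPs only, and this answer's route to that is a REST API with AWS WAF in front of it. As an added example (not code from the thread or from AWS), this is the Terraform for a WAFv2 IP-set allowlist associated with a REST API stage. The REST API id and stage name are inputs you supply; the CIDR ranges are constructed sample values from the RFC 5737 documentation blocks, and all resource names are assumptions.

```hcl
# Added example (AWS provider >= 5.x), not from the original thread.
# Assumes an existing REST API and deployed stage; names are assumptions.

variable "rest_api_id" { type = string }
variable "stage_name"  { type = string }
variable "allowed_cidrs" {
  type = list(string)
  # Constructed sample ranges (RFC 5737 documentation blocks), replace with real ones.
  default = ["203.0.113.0/24", "198.51.100.7/32"]
}

data "aws_region" "current" {}

# The allowlist itself. WAF for API Gateway uses REGIONAL scope.
resource "aws_wafv2_ip_set" "allowlist" {
  name               = "api-allowed-clients"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = var.allowed_cidrs
}

resource "aws_wafv2_web_acl" "api" {
  name  = "rest-api-ip-allowlist"
  scope = "REGIONAL"

  # Deny by default: a request that matches no rule is blocked, so an empty
  # or mis-typed IP set fails closed rather than open.
  default_action {
    block {}
  }

  rule {
    name     = "allow-listed-ips"
    priority = 1

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.allowlist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-listed-ips"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "rest-api-ip-allowlist"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the REST API stage. The stage ARN format is
# arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage>.
resource "aws_wafv2_web_acl_association" "api_stage" {
  resource_arn = "arn:aws:apigateway:${data.aws_region.current.name}::/restapis/${var.rest_api_id}/stages/${var.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}
```

The default action is block with a single allow rule, so the allowlist is enforced at the API Gateway edge before a request ever reaches the VPC Link or the ALB, which is the control the HTTP API's VPC Link security group cannot provide. The sampled-request logging on both visibility blocks is what lets you confirm, from CloudWatch, that blocked and allowed decisions match the expected client ranges before tightening further.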
