Can a network load balancer front an API Gateway?

1

We're an IPv6 shop using AWS Direct Connect (Private VIF). Since API Gateway is not a dual-stack service, we need a workaround to be able to access it over the Direct Connect. We cannot use CloudFront. Ideally, we'd like to use a Network Load Balancer (dual stack) to forward to the API Gateway, but will consider any other ideas or experiences that others might have. In all instances of tutorials I've studied, it seems that the coin is flipped, in that API Gateway can contact the Network Load Balancer via execute-api endpoints, but we need the vice versa. My ask here is: can it be done, and if so, how?

1 Answer
3

You can place an NLB in front of a Private API. The target group for the NLB needs to be IPs and you will need to use the IP addresses that are listed in the VPC Endpoint ENIs for the Private API.

Uri (AWS, Expert)
answered 2 years ago
  • Hi Uri. Thank you for your reply. I've done just as you outlined. Private REST API (petstore) and have confirmed that I'm referencing the correct vpce within it. I have created an IP Target group with the internal IP addresses assigned to the endpoint ENIs. Once it was all wired up, it was time to test. In the web browser, when I hit the DNS for my NLB, it churns a bit then attempts to download a DMS file (Database migration?). That's progress... I'm definitely not getting through to my API though. Am I missing something?

  • You probably need to do the TLS termination on the NLB and for that you will need to use a certificate there. Are you using it? Try it with curl -v to see what is going on.
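The setup described in the answer and comments above, written out as Terraform. This is an added example, not code from the thread or from AWS: it assumes the variables `var.vpc_id`, `var.subnet_ids`, `var.execute_api_vpce_id` (an existing `com.amazonaws.<region>.execute-api` interface endpoint), `var.api_id` (the private REST API) and `var.nlb_certificate_arn` (an ACM certificate for the hostname clients will use for the NLB); resource names are placeholders. It wires the three pieces the answer calls for, an IP target group populated from the endpoint's ENI addresses, a dual-stack NLB, and a TLS listener with a certificate, and adds the API's resource policy, which a private API needs before the endpoint will route to it at all.

```hcl
# Added example (not from the original thread). Assumed inputs:
#   var.vpc_id, var.subnet_ids, var.execute_api_vpce_id, var.api_id,
#   var.nlb_certificate_arn

data "aws_vpc_endpoint" "execute_api" {
  id = var.execute_api_vpce_id
}

# The interface endpoint has one ENI per subnet; each ENI carries the
# private IPv4 address that the NLB will use as a target.
data "aws_network_interface" "vpce" {
  for_each = toset(data.aws_vpc_endpoint.execute_api.network_interface_ids)
  id       = each.value
}

# Internal dual-stack NLB so IPv6 clients on the Direct Connect can reach it.
resource "aws_lb" "private_api" {
  name               = "private-api-nlb"
  load_balancer_type = "network"
  internal           = true
  ip_address_type    = "dualstack"
  subnets            = var.subnet_ids
}

# Targets are plain IP addresses (the endpoint ENIs), hence target_type = "ip".
# TLS toward the target: the NLB re-encrypts after terminating the client's TLS.
resource "aws_lb_target_group" "execute_api_vpce" {
  name        = "execute-api-vpce"
  vpc_id      = var.vpc_id
  target_type = "ip"
  protocol    = "TLS"
  port        = 443

  health_check {
    protocol = "TCP"
  }
}

# Register every endpoint ENI address; derived from the endpoint rather than
# hard-coded so a recreated endpoint does not leave stale targets behind.
resource "aws_lb_target_group_attachment" "execute_api_vpce" {
  for_each         = data.aws_network_interface.vpce
  target_group_arn = aws_lb_target_group.execute_api_vpce.arn
  target_id        = each.value.private_ip
  port             = 443
}

# TLS termination on the NLB with our own certificate, as the answer suggests,
# so the client sees a certificate for the NLB hostname instead of the
# execute-api certificate presented by the endpoint.
resource "aws_lb_listener" "tls" {
  load_balancer_arn = aws_lb.private_api.arn
  port              = 443
  protocol          = "TLS"
  certificate_arn   = var.nlb_certificate_arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.execute_api_vpce.arn
  }
}

# A private API only answers through endpoints its resource policy allows.
resource "aws_api_gateway_rest_api_policy" "private_api" {
  rest_api_id = var.api_id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "execute-api:Invoke"
      Resource  = "arn:aws:execute-api:*:*:${var.api_id}/*"
      Condition = {
        StringEquals = { "aws:SourceVpce" = var.execute_api_vpce_id }
      }
    }]
  })
}
```

Two checks worth making once this is applied. First, the NLB is layer 4 and does not rewrite the HTTP request, so API Gateway still has to be told which private API the request is for: send either `Host: <api-id>.execute-api.<region>.amazonaws.com` or the `x-apigw-api-id: <api-id>` header, as documented for invoking private APIs through a VPC endpoint; a browser pointed at the bare NLB hostname sends neither, which is consistent with the odd response reported in the comment. Second, test with something like `curl -v -H "x-apigw-api-id: <api-id>" https://<nlb-hostname>/<stage>/pets` and read the TLS handshake and status code in the verbose output rather than relying on the browser.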
