
Cross account cross region API GW - Route53-ALB private integration


Hello, I am trying to do a private integration between API GW in Account A and a Route53 private route in Account B. I am using API Gateway REST API and this cannot be changed. My target flow should look like below:

Account A APIGW /my-shop -> Account B Route53 mycompany.com/my-shop -> Account B ALB

I tried creating an NLB in Account B and created an APIGW VPC Link for REST API in Account B. I pointed the VPC Link to the NLB. This created an Endpoint Service in Account B. I was then able to create an Endpoint in Account A, send a connection request to Account B and have it accepted. This results in a different but acceptable integration which does not go through Route53 but instead goes directly to the Account B NLB. However, now I want to send APIGW traffic to this VPC Link but I can't find any clear way to do this. Can someone explain how to do this type of private integration?

Also, is there any way to have the API GW in Account A instead send the traffic directly to the private DNS record in Account B? I already have a TGW that my Lambda function in Account A was using to send traffic to Route 53 in Account B, because the Lambda was attached to the VPC in Account A. If I try to put the private DNS record as an HTTP target in API GW it won't work, since there is no way to resolve that target in Account A.

1 Answer

To achieve the cross-account, cross-region private integration you're looking for between API Gateway in Account A and Route53 private route in Account B, you have a few options:

  1. Using VPC Link with HTTP API: Instead of using a REST API, you can use an HTTP API in Account A. HTTP APIs support VPC Links that can connect to ALB, NLB, or AWS Cloud Map. You can create a VPC Link in Account A that points to the ALB in Account B. This approach allows you to leverage the existing Route53 setup in Account B.

Steps:

  • Create an HTTP API in Account A
  • Set up a VPC Link in Account A, pointing to the ALB in Account B
  • Configure the integration in the HTTP API to use this VPC Link
  • Ensure proper routing and security group settings are in place

  2. Using PrivateLink: You can use AWS PrivateLink to expose the private API in Account B to Account A. This method allows you to keep your API Gateway private while still allowing cross-account access.

Steps:

  • Create a VPC Endpoint Service in Account B for your API
  • Create a corresponding VPC Endpoint in Account A
  • Update the API Gateway resource policy in Account B to allow access from the VPC Endpoint in Account A
  • Configure DNS resolution to properly resolve the API Gateway endpoint across the VPC peering connection

  3. Using Transit Gateway: Since you mentioned you already have a Transit Gateway (TGW) set up, you can leverage this for routing traffic between accounts.

Steps:

  • Ensure the TGW is properly configured to route traffic between Account A and B
  • Set up a VPC Link in Account A that points to the ALB in Account B through the TGW
  • Configure the API Gateway in Account A to use this VPC Link

For all these approaches, make sure to:

  • Configure proper IAM permissions to allow cross-account access
  • Set up appropriate security groups and network ACLs
  • Enable DNS resolution and hostnames in both VPCs if not already enabled

Regarding your question about sending API Gateway traffic directly to the private DNS record in Account B: This is challenging because API Gateway needs to be able to resolve the DNS name. However, you might be able to achieve this by setting up a private hosted zone in Account A that mirrors the private DNS setup in Account B, and then using Route53 resolver rules to forward DNS queries to Account B's private hosted zone. This would allow API Gateway in Account A to resolve the private DNS names in Account B.

Remember to thoroughly test your setup and monitor for any latency or performance issues, as cross-region setups can sometimes introduce additional overhead.

Sources:

  • Access to private api gateway REST between regions | AWS re:Post
  • HTTP API - Best Practices for Designing Amazon API Gateway Private APIs and Private Integration
  • Can we associate Centralize VPC endpoint (execute API) with Private Rest API gateway | AWS re:Post

answered 9 months ago
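The resource-policy step in the PrivateLink option above (letting only the Account A endpoint invoke the private API in Account B), as an added example that is not part of the answer or of any AWS sample: it builds the policy and checks, with a simplified model of IAM's decision logic, that only the named interface endpoint is allowed through. The API ARN and endpoint ID are constructed placeholders.

```python
import json

# Constructed placeholder identifiers (not from the original post): replace with
# the real REST API ARN in Account B and the interface endpoint ID from Account A.
ACCOUNT_B_API_ARN = "arn:aws:execute-api:us-east-1:111111111111:abcde12345/*"
ACCOUNT_A_VPCE_ID = "vpce-0123456789abcdef0"


def build_resource_policy(api_arn: str, allowed_vpce: str) -> dict:
    """Resource policy for a private REST API: only the named interface endpoint
    may invoke it. The explicit Deny blocks every other source, including
    callers inside the API's own account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn,
             "Condition": {"StringEquals": {"aws:SourceVpce": allowed_vpce}}},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": allowed_vpce}}},
        ],
    }


def _matches(stmt: dict, context: dict) -> bool:
    """Condition check for StringEquals / StringNotEquals on a single-valued key.
    An absent context key never satisfies StringEquals and always satisfies
    StringNotEquals, which is how IAM treats missing keys (no ...IfExists here)."""
    for op, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            actual = context.get(key)
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy: dict, context: dict) -> str:
    """Simplified decision: explicit Deny wins, then Allow, else implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


if __name__ == "__main__":
    policy = build_resource_policy(ACCOUNT_B_API_ARN, ACCOUNT_A_VPCE_ID)
    print(json.dumps(policy, indent=2))
    print(evaluate(policy, {"aws:SourceVpce": ACCOUNT_A_VPCE_ID}))  # Allow
    print(evaluate(policy, {}))  # Deny: request did not arrive via the endpoint
```

The third case (no `aws:SourceVpce` in the request context) is the one to watch: without the explicit Deny, a request reaching the API by any other path would fall through to whatever the Allow statements permit.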
