Load Balancer and API Gateway


I am looking for ways to architect AWS Load Balancers (ELB/ALB) and API Gateway together.

I want to authorize requests (e.g. using JWT) coming to my API service, which means incoming requests should first arrive at API Gateway for authorization. If the request is authorized, then the request is forwarded to a Load Balancer, which will allocate my request to an EC2 farm.

API Gateway supports 10,000 requests per second. So in order to scale higher, I will need multiple API Gateways in a region. In this scenario I would need a load balancer to balance the requests among multiple API Gateways, right?

So essentially a request needs to go through ELB/ALB -> API Gateway -> ELB/ALB before it gets to my EC2 instance to process the requests.

That is 3 hops! Is there a better way to do this?

5 Answers
Accepted Answer

You'll have a problem putting an ALB in front of API Gateway, as the target group can be IP, EC2 instance, Lambda or another ALB; it doesn't have API Gateway as a target group type: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html

The limit of 10,000 requests/s is a soft limit that can be increased, so based on your actual need it might be achievable just by increasing that limit: https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html

A solution, as Brettski@AWS suggested, is to create multiple API Gateways with different purposes, if you can do that.

A not very elegant solution that could work is to put CloudFront in front of your API Gateways and have a CloudFront Function randomly select one of your API Gateways. This is not as effective as a load balancer, but it would still distribute the traffic across multiple API Gateways.

Another solution you could try is to drop the API Gateway and just put the JWT validation in CloudFront with Lambda@Edge. You can protect the ALB access from CloudFront by adding a rule where the header needs to contain a specific key that could be injected at CloudFront, so that only the traffic coming from your CloudFront distribution would be accepted by the ALB; all the rest would return a 403. https://github.com/aws-samples/cloudfront-authorization-at-edge

Miki
answered 2 years ago

API Gateway is the name of the service and there is only one such service, in which you can create multiple APIs. Even if you do create multiple APIs, the 10,000 RPS limit is per account per region and not per API so creating multiple APIs within the same account will not help. You could create them in multiple accounts, but it will make your solution more complex.

Furthermore, the 10,000 RPS limit is a soft one, which you can ask to increase. The recommended solution would be to ask for a limit increase and use API GW -> ALB -> EC2.

Uri
answered 2 years ago

Why have the ALB layer at the front end? Why not call API Gateway directly? Yes, I get that the 10,000 requests per second limit is key here; but given that you're considering using multiple API Gateways you clearly have "control" over the code at the front end. In that case you could be calling different API Gateways for different purposes (rather than a single API Gateway with multiple methods), and if that's the case then it seems a bit odd to have ALB as that first step.

I'd also question the need for the EC2 farm - perhaps Lambda, Fargate or some other container service is more appropriate but without other details it's difficult to say.

This is a great reason to reach out to your local AWS Solutions Architect and discuss the challenges that you're facing and look at different ways of solving for those.

answered 2 years ago

Would authenticating users using an Application Load Balancer suffice? You can configure an Application Load Balancer to securely authenticate users as they access your applications. This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic.

RoB
answered 2 years ago

Thanks everyone for the suggestions.

answered 2 years ago
