API Gateway cannot communicate with ALB through VPC Link: INTEGRATION_NETWORK_FAILURES

0

I have the following traffic path: HTTP API GW -> VPC Link -> Private ALB -> Private Elastic Beanstalk environment (target group). I have configured an API GW stage variable that uses an ANY integration for the hostname of the ALB.

(Note: I am not configuring a private integration; while that appears to work, I need to use API Gateway staging, and unfortunately if I use a private integration I cannot have different HTTP integrations for each stage.)

I have verified the following:

  • The application is listening.
  • The VPC Link is in the AVAILABLE state.
  • The security group for the EB environment allows port 80 from the ALB and out=any.
  • I have the right (private) subnets configured for the VPC Link, and the VPC Link security group is set to the ALB's security group (which allows HTTP 80 IN from any, and HTTP 80 out from any)
  • From one of my servers, I can curl the ALB DNS name and my application answers - indicating the ALB can reach the target group and the listener settings are correct.

But when I turn on logging for the API Gateway, I see INTEGRATION_NETWORK_FAILURES

{ "requestId":"Cslrahc84osEJrg=", "ip": "a.b.c.d", "requestTime":"12/Dec/2024:21:04:34 +0000", "httpMethod":"GET","routeKey":"GET /myRoute/{id}", "integrationErrorMsg":"-", "responseType":"INTEGRATION_NETWORK_FAILURE", "extendedRequestId":"Cslrahc84osEJrg=", status":"503","protocol":"HTTP/1.1", "responseLength":"33" }

I do not know how to debug this further, or how to test the VPC Link path from the API Gateway. Any help is appreciated!
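
The security-group checks listed in the question, as an added example that is not part of the original post: a small offline model that tests each hop (VPC Link ENI -> ALB -> Elastic Beanstalk instance) for an egress rule on the source and an ingress rule on the destination. Group ids, IP addresses and rules are constructed placeholders, and the model covers security groups only, not routing, DNS or the integration type.

```python
# Added example. All group ids, IPs and rules below are constructed
# placeholders that mirror the setup described in the question.
from ipaddress import ip_address, ip_network

GROUPS = {
    "sg-vpclink-alb": {  # one group shared by the VPC Link ENIs and the ALB
        "ingress": [{"port": 80, "cidr": "0.0.0.0/0"}],
        "egress": [{"port": 80, "cidr": "0.0.0.0/0"}],
    },
    "sg-eb": {
        "ingress": [{"port": 80, "sg": "sg-vpclink-alb"}],
        "egress": [{"port": None, "cidr": "0.0.0.0/0"}],  # None = all ports
    },
}

# (label, security group, private IP) for each element of the path, in order.
PATH = [
    ("vpc-link-eni", "sg-vpclink-alb", "10.0.1.10"),
    ("alb", "sg-vpclink-alb", "10.0.1.20"),
    ("eb-instance", "sg-eb", "10.0.2.30"),
]

def rule_matches(rule, port, peer_sg, peer_ip):
    """A rule matches on port, then on either a referenced group or a CIDR."""
    if rule["port"] not in (None, port):
        return False
    if "sg" in rule:
        return rule["sg"] == peer_sg
    return ip_address(peer_ip) in ip_network(rule["cidr"])

def hop_allowed(groups, src, dst, port):
    """Return (ok, reason); source egress and destination ingress must both permit."""
    _, src_sg, src_ip = src
    _, dst_sg, dst_ip = dst
    if not any(rule_matches(r, port, dst_sg, dst_ip) for r in groups[src_sg]["egress"]):
        return False, f"{src_sg} egress blocks tcp/{port} to {dst_sg}"
    if not any(rule_matches(r, port, src_sg, src_ip) for r in groups[dst_sg]["ingress"]):
        return False, f"{dst_sg} ingress blocks tcp/{port} from {src_sg}"
    return True, "allowed"

def check_path(groups, path, port=80):
    """Evaluate every consecutive pair of hops; returns (hop, ok, reason) tuples."""
    return [(f"{s[0]} -> {d[0]}", *hop_allowed(groups, s, d, port))
            for s, d in zip(path, path[1:])]

if __name__ == "__main__":
    for hop, ok, reason in check_path(GROUPS, PATH):
        print("PASS" if ok else "FAIL", hop, reason)
```
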

1 Answer
0

Hello oldtimehacker,

I see several people have already faced this error. Could you please try these options, and see whether they will help you to address this issue?

  1. https://repost.aws/questions/QUR19Keq0OQ_qPin1MOBbvzA/http-api-alb-integration-5xx-errors
  2. https://stackoverflow.com/questions/66658105/aws-http-api-gateway-with-custom-link-to-private-alb
answered a year ago
  • Hi Praveen, thanks for your comments.

    Option 1) uses a private integration. As I stated, a private integration works, but a private integration is then 'hard coded' to that integration for all stages, and I can't use stages to send data to stage-specific integrations. Again, I need a way to use API Gateway with staging with a private HTTP integration.

    Option 2) had the VPC link configured with a mix of private and public subnets - mine has only private subnets so this is already set up correctly.
