ALB -> API Gateway healthchecks


I used this as guidance: https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/

I'm struggling with how to implement a health check that validates my lambda function has connectivity to RDS, or that our function is operational by returning a 200.

My health check on the ALB returns a 403, and I do understand the reason is that the GET is to one of my IPs in the target group and that results in a cert check failure, and the 403.

What other options do I have to do a health check all the way to my Lambda function? Unfortunately I cannot eliminate the Gateway API.

1 Answer

Hello briansheets,

Thanks for reaching out with an interesting query. I understand you have the architecture below:

ALB (Global Accelerator) -> API Gateway (execute-api) VPC endpoint target IPs -> API Gateway private API -> AWS Lambda

Where you would like to implement a health check on Lambda to return a 200 response indicating Lambda is able to connect to RDS and is operating as expected.

Further, as you correctly pointed out, please note that the health check is being performed on the VPCe target IPs, which in turn hit the API Gateway. As the ALB will not be providing the correct domain name and stage URL during the health check probes, API Gateway will respond with the 403 code (access forbidden).

Thus, unfortunately, we will not be able to configure a 200 response from the Lambda function with API Gateway in between, as API Gateway will always send a 403.

I would like to request you to consider configuring external health checks on the Lambda function, for example by configuring Lambda as a target group for the ALB [1]. However, please note that, as the Lambda function is invoked for each health check probe, you will be charged for Lambda as per Lambda pricing.

Alternatively, you can also configure an external EventBridge rule to invoke Lambda at a regular interval with a specific event, which your Lambda function can process to check the status of backend connectivity. Lastly, you can also consider creating a CloudWatch alarm on Lambda error metrics or a subscription filter [2] on Lambda execution logs in case you would like to check for a specific error pattern and take corrective actions if any.

I hope the information shared above proves helpful. Should you still have any further queries, I would like to request you to kindly reach out to AWS Premium Support with a support case and a detailed use case by following this link, so that we can assist you in the best way possible.

====================

Reference :

[1] Lambda functions as targets - Enable health checks - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#enable-health-checks-lambda

[2] Log group-level subscription filters - Example 2: Subscription filters with AWS Lambda - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#LambdaFunctionExample

AWS
SUPPORT ENGINEER
answered 12 days ago
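An added example (not code from the question or the AWS answer) of the two approaches the answer suggests: one Lambda handler that recognizes either an ALB health-check probe (Lambda registered as an ALB target) or a scheduled EventBridge event, tests RDS reachability, and answers 200 or 503 so the ALB marks the target healthy or unhealthy. The `DB_HOST`/`DB_PORT` environment variables, the `/health` path, the `HealthCheck` detail-type and the injectable `check` parameter are assumptions for illustration.

```python
import json
import os
import socket

# Assumed configuration: the RDS endpoint and port are passed to the function
# as environment variables (placeholder defaults here).
DB_HOST = os.environ.get("DB_HOST", "rds-endpoint.placeholder")
DB_PORT = int(os.environ.get("DB_PORT", "5432"))


def rds_reachable(host=DB_HOST, port=DB_PORT, timeout=2.0):
    """TCP-level reachability check from inside the VPC; a production check
    would additionally open a DB session and run a trivial query."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_health_probe(event):
    """True for a scheduled/custom EventBridge event (hypothetical
    'HealthCheck' detail-type) or an ALB request to the configured
    health-check path (assumed /health)."""
    if event.get("detail-type") in ("Scheduled Event", "HealthCheck"):
        return True
    ctx = event.get("requestContext", {})
    return "elb" in ctx and event.get("path") == "/health"


def lambda_handler(event, context=None, check=rds_reachable):
    """`check` is injectable so the logic can be exercised without a DB."""
    if not is_health_probe(event):
        # A real function would dispatch to its normal request handling here.
        return {"statusCode": 404, "body": "not a health probe"}
    ok = check()
    # The ALB target-group matcher defaults to 200; anything else is unhealthy.
    status = 200 if ok else 503
    return {
        "statusCode": status,
        "statusDescription": "200 OK" if ok else "503 Service Unavailable",
        "isBase64Encoded": False,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"rds": "ok" if ok else "unreachable"}),
    }
```

The same 503 path also fits the EventBridge variant: the rule invokes the function on a schedule and the non-200 result (or a metric the function emits) can feed the CloudWatch alarm the answer mentions.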
