How do I integrate an API Gateway REST API with an Application Load Balancer?

I want to integrate an Amazon API Gateway REST API with an Application Load Balancer.

Short description

To integrate your API Gateway REST API with a public Application Load Balancer, use API Gateway HTTP integration.

For private Application Load Balancers, use an API Gateway virtual private cloud (VPC) link to connect to a private Network Load Balancer. Then, use the Network Load Balancer to forward API Gateway requests to the private Application Load Balancer.

Note: Although you can't directly integrate your REST API with private Application Load Balancers, you can configure private integration with your HTTP APIs and WebSocket APIs.

Resolution

Integrate an API Gateway REST API with a public Application Load Balancer

Prerequisites:

  • Access to a public Application Load Balancer and its DNS name
  • An API Gateway REST API resource with an HTTP method

Complete the following steps:

  1. Open the API Gateway console.
  2. Choose the API that you want to integrate with the Application Load Balancer.
  3. In Resources, for Methods, choose the HTTP method that your API uses.
  4. Choose Integration request.
  5. For Integration type, choose HTTP.
    Note: To pass the entire API request and its parameters to the backend Application Load Balancer, create an HTTP proxy integration or an HTTP custom integration. For more information, see HTTP integrations for REST APIs in API Gateway.
  6. In the Endpoint URL field, enter a DNS name. Use either the Application Load Balancer's default DNS name or a custom DNS name.
  7. Add the configured protocol of the Application Load Balancer's listener. For example, an Application Load Balancer that's configured with an HTTPS listener on port 8080 requires the https://domain-name:8080/ endpoint URL format.
    Important: Choose port and listener rules to create an HTTP listener or HTTPS listener for the Application Load Balancer. For more information, see Listeners for your Application Load Balancers. For an Application Load Balancer that's configured with an HTTPS listener, an API Gateway-supported certificate authority must issue the associated certificate. To use a self-signed certificate or one that a private certificate authority issued, set insecureSkipVerification to true in the integration's tlsConfig extension.
  8. Choose Save.
  9. Deploy the API.
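
The following is an added example, not part of the AWS article: a Python check that reads an API definition exported with the API Gateway integration extensions and reports HTTP integrations whose endpoint URL uses plaintext `http://` or whose `tlsConfig` sets `insecureSkipVerification` to true. The sample definition and the `alb.example.com` host are constructed placeholders.

```python
import json
import sys
from urllib.parse import urlsplit

PLAINTEXT = "plaintext http:// endpoint"
SKIP_VERIFY = "tlsConfig.insecureSkipVerification is true"
EXT = "x-amazon-apigateway-integration"

# Constructed sample definition; alb.example.com is a placeholder host.
SAMPLE_EXPORT = {"paths": {
    "/orders": {"get": {EXT: {
        "type": "http_proxy", "httpMethod": "GET",
        "uri": "https://alb.example.com:8080/orders"}}},
    "/status": {"get": {EXT: {
        "type": "http_proxy", "httpMethod": "GET",
        "uri": "http://alb.example.com/status"}}},
    "/internal": {"post": {EXT: {
        "type": "http", "httpMethod": "POST",
        "uri": "https://alb.example.com:8443/internal",
        "tlsConfig": {"insecureSkipVerification": True}}}},
    "/health": {"get": {EXT: {"type": "mock"}}},
}}


def audit_http_integrations(spec):
    """Return (path, method, issue) for each weak HTTP integration."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            integ = op.get(EXT, {}) if isinstance(op, dict) else {}
            # Only HTTP custom and HTTP proxy integrations carry an endpoint URL.
            if str(integ.get("type", "")).lower() not in ("http", "http_proxy"):
                continue
            if urlsplit(integ.get("uri", "")).scheme.lower() == "http":
                findings.append((path, method, PLAINTEXT))
            if (integ.get("tlsConfig") or {}).get("insecureSkipVerification") is True:
                findings.append((path, method, SKIP_VERIFY))
    return findings


if __name__ == "__main__":
    # Pass the path of an exported JSON definition, or no argument for the sample.
    spec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for path, method, issue in audit_http_integrations(spec):
        print(f"{method.upper()} {path}: {issue}")
```

A finding for `insecureSkipVerification` means API Gateway does not validate the load balancer's certificate for that method, so review whether a certificate from a supported certificate authority can be used instead.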

Integrate an API Gateway REST API with a private Application Load Balancer

Complete the following steps:

  1. Use an API Gateway VPC link to integrate your API with a private Network Load Balancer.
  2. Use the Network Load Balancer to forward the API request to the private Application Load Balancer.

Allow access to an Application Load Balancer only from API Gateway

Take the following actions:

  • It's a best practice to use a private integration with the Application Load Balancer as the target of a Network Load Balancer through a VPC link. For a private integration, configure a security group rule for the Application Load Balancer that allowlists only the IP address of the Network Load Balancer.
  • If the integration and the Application Load Balancer are public, then configure security group rules that allowlist API Gateway IP addresses for the API's AWS Region.

7 Comments

Great content, Brent!

replied 2 years ago

Is the private integration still relevant? No way to connect to private ALB without VPC Link and NLB??

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied a year ago

Is this info still accurate?

This documentation mentions that both are allowed, not only NLB. Not sure about apigateway (not apigatewayv2), though.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago

In the case of using a public load balancer:

  • How can you assure that the Load Balancer only allows traffic from the API Gateway?
  • Will data egress costs be charged twice due to data passing through two public endpoints?

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 months ago