Hello,
As per your configuration, you have created an HTTP API which is integrated with an ALB domain name using a stage variable. This ALB then communicates with your Elastic Beanstalk. All the security group configurations are also in place and you have also created a VPC link for the HTTP API.
As per this documentation[1], I guess the CLI command you are referring to is this:
====
aws apigatewayv2 create-integration --api-id api-id --integration-type HTTP_PROXY \
  --integration-method GET --connection-type VPC_LINK \
  --connection-id VPC-link-ID \
  --integration-uri arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65 \
  --payload-format-version 1.0
====
The above command is used for creating an HTTP proxy integration between the API and the load balancer using a VPC link (private connection), which can then be integrated with a route. This creates an integration, which you can find in the console under the Integrations tab and which can later be associated with a route.
There are two integration methods possible when working with API and ALB integration.
Option 1: Using integration type 'HTTP URI'
In this, you would directly associate your ALB/NLB endpoint URL, such as https://domain-name. This integration is used when your ALB is public internet facing. Hence, this is not a private connection between API Gateway and the ALB/NLB, and it doesn't use VPC links. You can also use stage variables in the HTTP endpoint URL for dynamic values. You can refer to the documentation below for more information.
[+] Create HTTP proxy integrations for HTTP APIs - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-http.html
Option 2: Using integration type 'Private Resource'
In this, the connection between the API and the ALB/NLB would be completely private using VPC links. This is used when the ALB is internal (private). Kindly note that, in this method, you have to specify the existing NLB/ALB and also the VPC link. In this type of integration, you cannot use stage variables. The above-mentioned command is used to create this type of integration from the CLI.
I am assuming that you have created the integration with HTTP URI (option 1) for your ALB integration, as you mentioned you are using stage variables, because for HTTP APIs, stage variables are currently not supported for the Private resource (option 2) type of integration using a VPC link. You also mentioned that you created a VPC link; however, if you are using the HTTP URI integration (option 1), you won't use this anywhere in the integration.
Based on your use case requirement, you can choose either option 1 or option 2. If your ALB is internal and you want a private connection between the API and the ALB, you can use the above-mentioned CLI command for creating an integration which uses the VPC link.
I hope the above helps.
References:
[1] Create a private integration using an Application Load Balancer or Network Load Balancer - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-private.html#http-api-develop-integrations-private-ELB
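The two integration types described in this answer, as an added shell example that is not part of the answer or of AWS documentation. It wraps the AWS CLI calls for option 1 (HTTP URI with a stage variable) and option 2 (private resource over a VPC link) in functions and attaches the result to a catch-all route. `API_ID`, `VPC_LINK_ID` and the stage variable name `albHost` are placeholder assumptions; the listener ARN is the one quoted in the answer. With `DRY_RUN=1` the commands are printed instead of executed, so the script can be reviewed without AWS credentials.

```shell
#!/usr/bin/env sh
# Added example, not code from the answer above: create either integration type for an
# HTTP API and attach it to a catch-all route. API_ID and VPC_LINK_ID are placeholder
# assumptions; the listener ARN is the one quoted in the answer. With DRY_RUN=1 every
# aws command is printed instead of executed.

API_ID="${API_ID:-api-id-placeholder}"
VPC_LINK_ID="${VPC_LINK_ID:-vpc-link-id-placeholder}"
LISTENER_ARN="${LISTENER_ARN:-arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Option 1 (HTTP URI): proxy to the ALB's public hostname. The host is taken from the
# stage variable albHost, so each stage can point at its own ALB. No VPC link is used,
# which means the ALB must be reachable from the internet.
create_public_integration() {
  run aws apigatewayv2 create-integration \
    --api-id "$API_ID" \
    --integration-type HTTP_PROXY \
    --integration-method ANY \
    --integration-uri 'https://${stageVariables.albHost}/{proxy}' \
    --payload-format-version 1.0 \
    --query IntegrationId --output text
}

# Option 2 (Private resource): proxy through the VPC link to an internal ALB listener.
# Stage variables are not accepted here, so the listener ARN is fixed per integration.
create_private_integration() {
  run aws apigatewayv2 create-integration \
    --api-id "$API_ID" \
    --integration-type HTTP_PROXY \
    --integration-method ANY \
    --connection-type VPC_LINK \
    --connection-id "$VPC_LINK_ID" \
    --integration-uri "$LISTENER_ARN" \
    --payload-format-version 1.0 \
    --query IntegrationId --output text
}

# Bind an integration id (as returned by the functions above) to the route ANY /{proxy+}.
attach_route() {
  run aws apigatewayv2 create-route \
    --api-id "$API_ID" \
    --route-key 'ANY /{proxy+}' \
    --target "integrations/$1"
}

# Usage (real run, after sourcing this file):
#   attach_route "$(create_private_integration)"
```

Because both create functions return only the `IntegrationId` (via `--query`), the id can be passed straight into `attach_route`; in dry-run mode they print the full command line instead, which is what a reviewer would diff against the answer's `====` block.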
Based on the information provided, it appears that you do not necessarily need to set up a private integration for your HTTP API Gateway to send requests to your Application Load Balancer (ALB). However, using a private integration can provide additional benefits and is generally recommended for accessing resources within a VPC.
Your current setup, using a stage variable to configure route integrations that send API requests to the ALB's domain name, can work. However, this approach exposes your ALB to the public internet, which may not be ideal from a security perspective.
The private integration you're referring to offers several advantages:
- Enhanced Security: It allows API Gateway to communicate with your ALB without exposing it to the public internet. This is achieved through the use of VPC links, which create a secure connection between API Gateway and your VPC resources.
- Simplified Networking: With private integration, you don't need to configure public DNS or open your ALB to the internet. All traffic remains within the AWS network.
- Improved Performance: Private integrations can potentially offer better performance as the traffic doesn't need to go through the public internet.
- Compliance: For applications that have strict compliance requirements, keeping all traffic within the AWS network can be beneficial.
The private integration setup you're seeing in the AWS CLI commands is essentially creating a more secure and direct connection between your API Gateway and your ALB. It uses the VPC link you've already set up to route traffic directly to your ALB without exposing it publicly.
While your current configuration may work, setting up a private integration would be considered a best practice, especially for production environments. It provides an additional layer of security and control over your API traffic.
If you decide to implement the private integration, you would need to update your API routes to use the VPC link and point directly to your ALB's listener ARN, rather than using the ALB's public DNS name. This change would route your API traffic through the VPC link, keeping it within the AWS network.
In summary, while not strictly necessary given your current setup, implementing a private integration would be recommended for improved security and adherence to AWS best practices for accessing private resources through API Gateway.
Sources
- HTTP API - Best Practices for Designing Amazon API Gateway Private APIs and Private Integration
- Create private integrations for HTTP APIs in API Gateway - Amazon API Gateway
- Best Practices for Designing Amazon API Gateway Private APIs and Private Integration
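The security point of this answer is that an HTTP URI integration reaching the ALB by its public DNS name means the ALB must be internet-facing. As an added audit example (not code from the answer or from AWS), the script below lists an API's integrations and flags the ones that target a load balancer without going through a VPC link, so the condition can be checked across an account rather than assumed. `API_ID` is a placeholder; with `SAMPLE=1` it reads constructed sample rows instead of calling the CLI, so it runs offline.

```shell
#!/usr/bin/env sh
# Added audit example, not code from the answer above. Lists an HTTP API's integrations
# and flags those that reach a load balancer over the public internet instead of a VPC
# link. API_ID is a placeholder; SAMPLE=1 substitutes constructed rows for the CLI call.

API_ID="${API_ID:-api-id-placeholder}"

# Constructed sample rows (not real resources) in the tab-separated shape the real
# query below returns: IntegrationId, ConnectionType, IntegrationUri.
SAMPLE_ROWS=$(printf '%s\t%s\t%s\n' \
  abc123 INTERNET 'https://my-load-balancer-1234567890.us-east-2.elb.amazonaws.com/{proxy}' \
  def456 VPC_LINK 'arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65' \
  ghi789 INTERNET 'https://${stageVariables.albHost}/{proxy}' \
  jkl012 INTERNET 'https://api.example.com/v1')

# One row per integration: id, connection type (INTERNET or VPC_LINK), integration URI.
list_integrations() {
  if [ "${SAMPLE:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE_ROWS"
  else
    aws apigatewayv2 get-integrations --api-id "$API_ID" \
      --query 'Items[].[IntegrationId,ConnectionType,IntegrationUri]' --output text
  fi
}

# Read rows from stdin and print a finding for each non-VPC-link integration that
# targets an ELB hostname directly (PUBLIC_ELB), or whose host comes from a stage
# variable and therefore cannot be checked statically (REVIEW).
flag_rows() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r id conn uri; do
    [ -n "$id" ] || continue
    [ "$conn" = "VPC_LINK" ] && continue
    case "$uri" in
      *.elb.amazonaws.com*) printf 'PUBLIC_ELB %s %s\n' "$id" "$uri" ;;
      *stageVariables*)     printf 'REVIEW %s %s\n' "$id" "$uri" ;;
    esac
  done
}

# Returns 0 when nothing is flagged, 1 otherwise; findings are printed to stdout.
audit_integrations() {
  findings=$(list_integrations | flag_rows)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: SAMPLE=1 sh audit.sh   (offline)   or   API_ID=... sh audit.sh
# audit_integrations
```

The non-zero exit status makes the audit usable as a pipeline gate; `REVIEW` findings are not automatically failures, since a stage variable may resolve to a non-ELB host, but they are exactly the integrations whose stage values need to be inspected by hand.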
Doesn't this effectively mean that with private http listeners/resources, API Gateway staging is useless? This is a big deal if true... because staging is critical to devops workflows.