REST API with Static Outbound IP & Custom Domain

0

Hi,

I am trying to set up Lambda functions with API Gateway as the trigger. I'll be making external API calls from the functions and I need my IP to be allowlisted with the provider, so it should be static. I also need to provide them the hostname the API calls will originate from, so the API Gateway will be using a custom domain. I have the domain registered on GoDaddy and for this API Gateway, I want to use a subdomain.

At the moment, what I have done is:

  1. Created a VPC Endpoint with subnets in all the availability zones in the region.
  2. Created a private REST API and assigned the above VPCE to it.
  3. Created the same number of Elastic IPs as there are availability zones.
  4. Requested a new certificate from ACM for the subdomain, put the CNAME records on GoDaddy and got the certificate issued.
  5. Created a Target Group with IP as the target type, TLS as the protocol and HTTPS as the health check protocol, and registered the default subnet's IPs for each availability zone. I used 403 as the expected health check status, as this is the status returned when the API is invoked using the NLB's DNS name for the health checks. The health check comes out positive.
  6. Created an internet-facing, IPv4 Network Load Balancer. The listener was set up with TLS as the protocol. I assigned the EIPs created above to this load balancer, along with the certificate generated above.

At this point, I am successfully able to invoke the private API Gateway using the NLB's domain. However, I get a security warning because the domain for which the certificate was issued is not the one being used to invoke the API. I created a custom domain for the API and assigned the same certificate to it as well. But still, I get the same warning on the client side. And if I try to invoke the API with the custom domain name, I get no response at all because the name does not resolve.

If I had my domain registered on AWS Route 53, I would've been able to create an Alias record pointing to the NLB. Can I still do this with an external registrar, and will this even do anything for me?

Can somebody please guide me on what needs to be done to get this working? Really appreciate it & thanks in advance.

PS. Sorry for the long detail if it's unnecessary.

  • Could you try with CNAME defined in your DNS pointing to the NLB?

  • That may allow me to invoke the API with the custom name, but what about the requests to the external API provider that I will be making from Lambda? I need the said custom domain name to be the origin of those requests too.

3 Answers
1
Accepted Answer

From the point of view of your code in your Lambda function, you do not specify the domain name, so this should be some out-of-band process.

I assume you could create some domain name and map it in DNS to the IP address that you have assigned to the NAT Gateway. If for some reason that is not possible (because you do not own the IP address, but rather AWS does), you can also bring your own IPs to AWS and assign one of your IPs to the NAT Gateway.

AWS
EXPERT
Uri
answered a year ago
  • Thanks! Understood it now. Really appreciate the help!

0
  • Thank you for sharing the article, Tarun! However, I am not sure if this is what I am looking for. I will get a custom domain name associated with the NLB by following this, but I need this name to be the origin of the API requests that I'll be making from the Lambda functions too.

0

It is not clear to me what you are trying to achieve. There are two options:

  1. You want to make outbound calls from a Lambda function to some external API and you want those calls to originate from a fixed IP (in this case it doesn't matter that the function is triggered by an API Gateway).
  2. You want some external party to make API calls to API gateway and you need a domain name, with maybe a fixed IP.

If it is the first option, you need to attach the Lambda function to a VPC, create a NAT Gateway in the VPC and attach an Elastic IP address to the NAT Gateway. This way all traffic from the function will originate from that IP address.

If it is the second option, you need to use custom domain names for the API. If you actually need the IP to be fixed as well, you will need to create a private API (in this case you do not need custom domain names, which are actually not supported for private APIs anyway) and use something like Global Accelerator as described in this blog.

AWS
EXPERT
Uri
answered a year ago
  • Thank you for helping out!

    I'd actually like both inbound and outbound static IPs; however, I can do without the inbound one, i.e., a static IP for the APIs that I will host. But for the outbound requests from Lambda, I definitely need at least one. The blog you shared is really helpful. Is there any way I can get the same custom domain name to appear as the origin of the API requests that I will be making from the Lambda functions?

    I am not sure if the provider validates this too or not, but they did ask me for the hostname, so I am assuming they do.
