How to connect a Public API Gateway REST API with a private NLB in a different account?


This is going from a Public API Gateway Rest API in Account A to a private NLB in a VPC in Account B.

Use case:

  • Account A
    • Publicly facing API Gateway
    • No VPC
  • Account B
    • Internal NLB in VPC

If they were in the same account, we could use VPC Link. But VPC Link requires the NLB be owned by the same account as the API Gateway.

My attempted solution:

  1. Create VPC in Account A
  2. Turn on VPC peering between Account A VPC and Account B VPC
  3. Private link:
    1. Account B create VPC Endpoint Service to NLB
    2. Account A create VPC Endpoint
  4. Account A
    • in VPC
      1. Create target group for each port to match Account B NLB
        1. Look up the ENIs from the VPC Endpoint and then look up their IP addresses
        2. Create IP associations for VPC Endpoint IP addresses
      2. Create Load balancer and listeners that mirror the Account B NLB
    • Public
      1. Create API Gateway Rest API VPC Link to new Account A NLB
      2. Configure API integration with VPC Link like normal

This seems both wasteful (extra NLB) and convoluted. Is there a better way?

1 Answer

As you have mentioned, AWS PrivateLink is one of the options for your scenario.

To use AWS PrivateLink, create a Network Load Balancer for your application in your VPC/Account B, and create a VPC endpoint service configuration pointing to that load balancer. A service consumer then creates an interface endpoint to your service. This creates an elastic network interface (ENI) in your subnet with a private IP address that serves as an entry point for traffic destined to the service. The consumer and service are not required to be in the same VPC/Account A.

Refer to

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-privatelink.html

https://aws.amazon.com/blogs/compute/building-private-cross-account-apis-using-amazon-api-gateway-and-aws-privatelink/

https://aws.amazon.com/blogs/compute/architecture-patterns-for-consuming-private-apis-cross-account/

snathan (AWS), answered 9 months ago
  • I don't think you read my question. It's from a public API Gateway to an existing private NLB in another account.

  • I posted the generic architecture patterns for AWS PrivateLink, which also include patterns for a public API Gateway accessing a private endpoint in another account. In terms of your attempted solution, since the exposing service is an internal NLB, the consuming account has to have either an ALB or an NLB within a VPC. As you might know already, a major benefit of this approach is that network traffic stays within the Amazon network and does not traverse the public internet. This reduces attack vectors and improves the security posture.
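The procedure in the question (endpoint service in Account B, interface endpoint plus an IP-target NLB in Account A, then a REST API VPC Link) and the PrivateLink pattern the answer describes, written out as an added Terraform example. This is not code from the original post or from AWS; it assumes two provider aliases `aws.a` and `aws.b` already configured for the two accounts, and the variables, resource names, the existing NLB name `internal-nlb` and the service port 8080 are all hypothetical. Note that VPC peering (step 2 of the question) is not needed: PrivateLink delivers the traffic through the endpoint ENIs, so the two VPCs may even have overlapping CIDRs.

```hcl
# Added example, not from the original post. Provider aliases aws.a / aws.b
# and every variable and name below are assumptions.
variable "account_a_id" {}
variable "vpc_a_id" {}
variable "vpc_a_cidr" {}
variable "subnet_a_ids" { type = list(string) }   # one endpoint ENI per subnet
variable "rest_api_id" {}
variable "resource_id" {}
locals { service_port = 8080 }                     # hypothetical port on the Account B NLB

# ---- Account B: expose the existing internal NLB as a PrivateLink service ----
data "aws_lb" "b_internal" {
  provider = aws.b
  name     = "internal-nlb"                        # hypothetical existing NLB
}

resource "aws_vpc_endpoint_service" "b" {
  provider                   = aws.b
  acceptance_required        = true                # Account B explicitly accepts each consumer
  network_load_balancer_arns = [data.aws_lb.b_internal.arn]
  allowed_principals         = ["arn:aws:iam::${var.account_a_id}:root"]  # only Account A
}

# ---- Account A: interface endpoint (PrivateLink consumer) ----
resource "aws_security_group" "endpoint" {
  provider = aws.a
  vpc_id   = var.vpc_a_id
  ingress {                                        # only traffic from inside VPC A
    from_port   = local.service_port
    to_port     = local.service_port
    protocol    = "tcp"
    cidr_blocks = [var.vpc_a_cidr]
  }
}

resource "aws_vpc_endpoint" "a" {
  provider           = aws.a
  vpc_id             = var.vpc_a_id
  vpc_endpoint_type  = "Interface"
  service_name       = aws_vpc_endpoint_service.b.service_name
  subnet_ids         = var.subnet_a_ids
  security_group_ids = [aws_security_group.endpoint.id]
}

# Account B accepts the connection request from Account A.
resource "aws_vpc_endpoint_connection_accepter" "b" {
  provider                = aws.b
  vpc_endpoint_service_id = aws_vpc_endpoint_service.b.id
  vpc_endpoint_id         = aws_vpc_endpoint.a.id
}

# ---- Account A: NLB whose targets are the endpoint ENI private IPs ----
# count is driven by the subnet list (known at plan time); the ENI IDs and IPs
# are only known after apply, which for_each over them would reject.
data "aws_network_interface" "endpoint_eni" {
  provider = aws.a
  count    = length(var.subnet_a_ids)
  id       = tolist(aws_vpc_endpoint.a.network_interface_ids)[count.index]
}

resource "aws_lb_target_group" "to_b" {
  provider    = aws.a
  name        = "to-account-b"
  port        = local.service_port
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_a_id
}

resource "aws_lb_target_group_attachment" "endpoint_ips" {
  provider         = aws.a
  count            = length(var.subnet_a_ids)
  target_group_arn = aws_lb_target_group.to_b.arn
  target_id        = data.aws_network_interface.endpoint_eni[count.index].private_ip
  port             = local.service_port
}

resource "aws_lb" "a_internal" {
  provider           = aws.a
  name               = "a-privatelink-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.subnet_a_ids
}

resource "aws_lb_listener" "a" {
  provider          = aws.a
  load_balancer_arn = aws_lb.a_internal.arn
  port              = local.service_port
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.to_b.arn
  }
}

# ---- Account A: REST API VPC Link to the Account A NLB ----
resource "aws_api_gateway_vpc_link" "a" {
  provider    = aws.a
  name        = "to-account-b"
  target_arns = [aws_lb.a_internal.arn]
}

resource "aws_api_gateway_integration" "backend" {
  provider                = aws.a
  rest_api_id             = var.rest_api_id
  resource_id             = var.resource_id
  http_method             = "ANY"
  type                    = "HTTP_PROXY"
  integration_http_method = "ANY"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.a.id
  uri                     = "http://${aws_lb.a_internal.dns_name}:${local.service_port}/"
}
```

Two points worth checking after apply: the target group must show the endpoint IPs as healthy (the NLB health checks originate inside VPC A, so the endpoint security group above admits them), and the endpoint must be in the `available` state rather than `pendingAcceptance`, which is why the accepter resource in Account B is part of the example. If the Account B NLB is ever recreated, the endpoint service keeps working because it references the NLB ARN, but any new subnet added to the Account A endpoint produces a new ENI, so the `subnet_a_ids` list is the single place both the endpoint and the target registrations are derived from.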
