How to connect a Public API Gateway REST API with a private NLB in a different account?

0

This is going from a Public API Gateway Rest API in Account A to a private NLB in a VPC in Account B.

Use case:

  • Account A
    • Publicly facing API Gateway
    • No VPC
  • Account B
    • Internal NLB in VPC

If they were in the same account, we could use VPC Link. But VPC Link requires the NLB be owned by the same account as the API Gateway.

My attempted solution:

  1. Create VPC in Account A
  2. Turn on VPC peering between Account A VPC and Account B VPC
  3. Private link:
    1. Account B creates a VPC Endpoint Service for the NLB
    2. Account A creates a VPC Endpoint
  4. Account A
    • in VPC
      1. Create target group for each port to match Account B NLB
        1. Look up the ENIs from the VPC Endpoint and then look up their IP addresses
        2. Create IP associations for VPC Endpoint IP addresses
      2. Create a load balancer and listeners that mirror the Account B NLB
    • Public
      1. Create API Gateway Rest API VPC Link to new Account A NLB
      2. Configure API integration with VPC Link like normal

This seems both wasteful (extra NLB) and convoluted. Is there a better way?

1 answer
1

As you have mentioned, AWS PrivateLink is one of the options for your scenario.

To use AWS PrivateLink, create a Network Load Balancer for your application in your VPC/Account B, and create a VPC endpoint service configuration pointing to that load balancer. A service consumer then creates an interface endpoint to your service. This creates an elastic network interface (ENI) in your subnet with a private IP address that serves as an entry point for traffic destined to the service. The consumer and service are not required to be in the same VPC/Account A.

Refer to

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-privatelink.html

https://aws.amazon.com/blogs/compute/building-private-cross-account-apis-using-amazon-api-gateway-and-aws-privatelink/

https://aws.amazon.com/blogs/compute/architecture-patterns-for-consuming-private-apis-cross-account/

AWS
snathan
answered 10 months ago
  • I don't think you read my question. It's from a public API Gateway to an existing private NLB in another account.

  • I posted the generic architecture patterns for AWS PrivateLink, which also included patterns for a Public API Gateway accessing a Private Endpoint in another account. In terms of your attempted solution, since the exposing service is an Internal NLB, the consuming account has to have either an ALB or an NLB within a VPC. As you might know already, a major benefit of this approach is that network traffic stays within the Amazon network and does not traverse the public internet. This reduces attack vectors and improves the security posture.
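
The pattern the answer and the comment describe (a PrivateLink interface endpoint in Account A fronted by a consumer NLB, matching steps 3 and 4 of the question), as an added Terraform example that is not from the question, the answer, or AWS documentation. It assumes two aliased providers with credentials for each account, `var.*` inputs for the account IDs, the Account B NLB ARN, the Account A VPC, subnets and endpoint security group, and a single service port; it uses PrivateLink only, with no VPC peering.

```hcl
# Added example; all var.* values, ARNs and provider credentials are assumed.
provider "aws" { alias = "b" } # Account B, owner of the internal NLB
provider "aws" { alias = "a" } # Account A, owner of the public REST API
# Account B: publish the existing NLB, but only to Account A, with manual acceptance.
resource "aws_vpc_endpoint_service" "svc" {
  provider                   = aws.b
  network_load_balancer_arns = [var.account_b_nlb_arn]
  acceptance_required        = true
  allowed_principals         = ["arn:aws:iam::${var.account_a_id}:root"] # never "*"
}

# Account A: interface endpoint in the new VPC; one ENI is created per subnet.
resource "aws_vpc_endpoint" "ep" {
  provider           = aws.a
  vpc_id             = var.account_a_vpc_id
  service_name       = aws_vpc_endpoint_service.svc.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.account_a_subnet_ids
  security_group_ids = [var.endpoint_sg_id] # allow var.service_port from the NLB subnets only
}

# Account B: approve the pending connection request coming from Account A.
resource "aws_vpc_endpoint_connection_accepter" "ok" {
  provider                = aws.b
  vpc_endpoint_service_id = aws_vpc_endpoint_service.svc.id
  vpc_endpoint_id         = aws_vpc_endpoint.ep.id
}

# Account A: resolve each endpoint ENI to its private IP (question step 4.1.1).
data "aws_network_interface" "ep" {
  provider = aws.a
  count    = length(var.account_a_subnet_ids)
  id       = tolist(aws_vpc_endpoint.ep.network_interface_ids)[count.index]
}

# Account A: IP-type target group for the consumer NLB (question step 4.1.2).
resource "aws_lb_target_group" "tg" {
  provider    = aws.a
  port        = var.service_port
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.account_a_vpc_id
}
resource "aws_lb_target_group_attachment" "tg" {
  provider         = aws.a
  count            = length(var.account_a_subnet_ids)
  target_group_arn = aws_lb_target_group.tg.arn
  target_id        = data.aws_network_interface.ep[count.index].private_ip
  port             = var.service_port
}
```

The consumer NLB, its listener and the API Gateway VPC Link are then built on `aws_lb_target_group.tg` exactly as in step 4 of the question. The `allowed_principals` list and `acceptance_required` are what keep other accounts from attaching to the exposed service.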
