Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Amazon API Gateway in front of ELB and ECS Cluster

Tags:

amazon-web-services

aws-api-gateway

amazon-ecs

amazon-elb

I'm trying to put an Amazon API Gateway in front of an Application Load Balancer, which balances traffic to my ECS Cluster, where all my microservices are deployed. The motivation to use the API Gateway is to use a custom authorizer through a lambda function.

System diagram

enter image description here

In Amazon words (https://aws.amazon.com/api-gateway/faqs/): "Proxy requests to backend operations also need to be publicly accessible on the Internet". This forces me to make the ELB public (internet-facing) instead of internal. Then, I need a way to ensure that only the API Gateway is able to access the ELB outside the VPC.

My first idea was to use a Client Certificate in the API Gatway, but the ELB doesn't seem to support it.

Any ideas would be highly appreciated!

like image 648
Ricardo García Martín Avatar asked Jan 31 '17 12:01

Ricardo García Martín

People also ask

Does API gateway come before or after load balancer?

Load balancing the API Gateway'sThere must be a load balancer for the API gateway that can adapt to changes in microservices, such as versioning and dynamic scaling.

Can we use both API gateway and load balancer?

TL;DR: yes, API Gateway can replace what a Load Balancer would usually provide, with a simpler interface and many more features on top of it. The downside is that it doesn't come cheap. Load balancers have been one of the most common ways to expose a backend API to the public or even to an internal/private audience.

Does API gateway support alb?

It is definitely possible to use API Gateway http integrated with a private (i.e: internal facing) ALB that balances traffic in private subnets.

1 Answers

This seems to be a huge missing piece for the API gateway technology, given the way it's pushed. Not being able to call into an internal-facing server in the VPC severely restricts its usefulness as an authentication front-door for internet access. FWIW, in Azure, API Management supports this out of the box - it can accept requests from the internet and call directly into your virtual network which is otherwise firewalled off. The only way this seems to be possible under AWS is using Lambdas, which adds a significant layer of complexity, esp. if you need to support various binary protocols.

like image 139
Dylan Nicholson Avatar answered Sep 30 '22 04:09

Dylan Nicholson
Sign in to Comment

Related questions

Disconnected : No supported authentication methods available (server sent :publickey)
Best strategy to deploy static site to s3 on github push? [closed]
What is the difference between a CloudWatch Alarm and a CloudWatch Event?
Sending html content in AWS SNS(Simple Notification Service) emails notifications
Elastic Beanstalk Change ELB Type
How to get the URL of a file on AWS S3 using aws-sdk?
aws-amplify Authentication...how to access tokens on successful Auth.signIn?
Pagination with DynamoDBMapper Java AWS SDK
unable to call firefox from selenium in python on AWS machine
Amazon RDS MySQL instance performs very slow
What is the minimum healthy percent and maximum percent in Amazon ECS
How to query cloudwatch logs using boto3 in python
A client error (400) occurred when calling the HeadObject operation: Bad Request Completed 1 part(s) with ... file(s) remaining
Transferring Files between two EC2 Instances in the same region
AWS CLI: ECR list-images, get newest
Get hosted zone for cloudfront distribution
Amazon DynamoDB mapping enums
How to list _all_ objects in Amazon S3 bucket?
How to delete untagged images from AWS ECR Container Registry
Remotely debugging my node app that is hosted on AWS

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!