 

Amazon API Gateway in front of ELB and ECS Cluster

I'm trying to put an Amazon API Gateway in front of an Application Load Balancer, which balances traffic to my ECS Cluster, where all my microservices are deployed. The motivation to use the API Gateway is to use a custom authorizer through a lambda function.

System diagram (image not reproduced here)

In Amazon's words (https://aws.amazon.com/api-gateway/faqs/): "Proxy requests to backend operations also need to be publicly accessible on the Internet". This forces me to make the ELB public (internet-facing) instead of internal. Then, I need a way to ensure that only the API Gateway is able to access the ELB from outside the VPC.

My first idea was to use a Client Certificate in the API Gateway, but the ELB doesn't seem to support it.

Any ideas would be highly appreciated!

Ricardo García Martín, asked Jan 31 '17 12:01 (648 likes)
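The risk in the question is that anyone who finds the internet-facing ALB can call it directly and skip the API Gateway authorizer entirely. As an added example (not code from the question or any answer), the check below is what an ECS service can do at its own layer: it assumes the API Gateway integration request adds a static header, here named `X-Origin-Verify`, carrying a secret shared only between the gateway and the services, and fails closed when the header or the configured secret is missing.

```python
"""Service-side origin verification for requests arriving through an
internet-facing ALB. Assumes API Gateway is configured to inject the
header below on every proxied request; header name and secret handling
are constructed for this example, not taken from the question."""
import hmac
import os
import secrets

# Hypothetical header name; must match the integration request mapping in API Gateway.
HEADER_NAME = "x-origin-verify"


def load_origin_secret() -> str:
    """Read the shared secret. In a real task it would come from the task
    definition's secrets (e.g. Secrets Manager), never from the image."""
    return os.environ.get("ORIGIN_VERIFY_SECRET", "")


def request_came_via_gateway(headers: dict, secret: str) -> bool:
    """True only if the origin-verification header equals the shared secret.
    Header names are matched case-insensitively because the load balancer
    may normalise their case; the comparison itself is constant-time."""
    if not secret:
        return False  # fail closed: no secret configured means nothing is trusted
    presented = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def handle(headers: dict, secret: str) -> tuple:
    """Minimal request handler: 403 unless the request carries the gateway secret."""
    if not request_came_via_gateway(headers, secret):
        return 403, "direct access to the load balancer is not allowed"
    return 200, "ok"


if __name__ == "__main__":
    demo_secret = secrets.token_urlsafe(32)  # constructed value for the demo run
    print(handle({"X-Origin-Verify": demo_secret, "Host": "svc.internal"}, demo_secret))
    print(handle({"Host": "svc.internal"}, demo_secret))
```

Rotate the secret as you would any credential, since anyone who learns the static header value can bypass the check; the ALB itself still accepts the TCP connection, so this gates the service, not the load balancer.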



1 Answer

This seems to be a huge missing piece for the API gateway technology, given the way it's pushed. Not being able to call into an internal-facing server in the VPC severely restricts its usefulness as an authentication front-door for internet access. FWIW, in Azure, API Management supports this out of the box - it can accept requests from the internet and call directly into your virtual network which is otherwise firewalled off. The only way this seems to be possible under AWS is using Lambdas, which adds a significant layer of complexity, esp. if you need to support various binary protocols.

Dylan Nicholson, answered Sep 30 '22 04:09 (139 likes)