Deploy an Amazon API Gateway API on an internal website using private endpoints and an Application Load Balancer - AWS Prescriptive Guidance

Deploy an Amazon API Gateway API on an internal website using private endpoints and an Application Load Balancer

Created by Saurabh Kothari (AWS)

Environment: Production

Technologies: Web & mobile apps; Networking; Serverless; Infrastructure

AWS services: Amazon API Gateway; Amazon Route 53; AWS Certificate Manager (ACM)

Summary

This pattern shows you how to deploy an Amazon API Gateway API on an internal website that’s accessible from an on-premises network. You learn to create a custom domain name for a private API by using an architecture that’s designed with private endpoints, an Application Load Balancer, AWS PrivateLink, and Amazon Route 53. This architecture prevents the unintended consequences of using a custom domain name and proxy server to help with domain-based routing on an API. For example, if you deploy a virtual private cloud (VPC) endpoint in a non-routable subnet, your network can’t reach API Gateway. A common solution is to use a custom domain name and then deploy the API in a routable subnet, but this can break other internal sites when the proxy configuration passes traffic (execute-api.{region}.vpce.amazonaws.com) to AWS Direct Connect. Finally, this pattern can help you meet organizational requirements for using a private API that’s unreachable from the internet and a custom domain name.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • A Server Name Indication (SNI) certificate for your website and API

  • A connection from an on-premises environment to an AWS account that’s set up by using AWS Direct Connect or AWS Site-to-Site VPN

  • A private hosted zone with a corresponding domain (for example, domain.com) that’s resolved from an on-premises network and forwards DNS queries to Route 53

  • A routable private subnet that’s reachable from an on-premises network

Limitations

For more information about quotas (formerly referred to as limits) for load balancers, rules, and other resources, see Quotas for your Application Load Balancers in the Elastic Load Balancing documentation.

Architecture

Technology stack

  • Amazon API Gateway

  • Amazon Route 53

  • Application Load Balancer

  • AWS Certificate Manager

  • AWS PrivateLink

Target architecture

The following diagram shows how an Application Load Balancer is deployed in a VPC that directs web traffic to a website target group or API Gateway target group based on Application Load Balancer listener rules. The API Gateway target group is a list of IP addresses for the VPC endpoint in API Gateway. API Gateway is configured to make the API private with its resource policy. The policy denies all calls that are not from a specific VPC endpoint. Custom domain names in API gateway are updated to use api.domain.com for the API and its stage. Application Load Balancer rules are added to route traffic based on the host name.

Architecture that uses Application Load Balancer listener rules to direct web traffic.

The diagram shows the following workflow:

  1. A user from an on-premises network tries to access an internal website. The request is sent to ui.domain.com and api.domain.com. Then, the request is resolved to the internal Application Load Balancer of the routable private subnet. The SSL is terminated at the Application Load Balancer for ui.domain.com and api.domain.com.

  2. Listener rules, configured on the Application Load Balancer, check for the host header.

    a. If the host header is api.domain.com, the request is forwarded to the API Gateway target group. The Application Load Balancer initiates a new connection to API Gateway over port 443.

    b. If the host header is ui.domain.com, the request is forwarded to the website target group.

  3. When the request reaches API Gateway, the custom domain mapping configured in API Gateway determines the hostname and which API to run.

Automation and scale

The steps in this pattern can be automated by using AWS CloudFormation or the AWS Cloud Development Kit (AWS CDK). To configure the target group of the API Gateway calls, you must use a custom resource to retrieve the IP address of the VPC endpoint. API calls to describe-vpc-endpoints and describe-network-interfaces return the IP addresses and the security group, which can be used to create the API target group of IP addresses.

Tools

  • Amazon API Gateway helps you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs at any scale.

  • Amazon Route 53 is a highly available and scalable DNS web service.

  • AWS Certificate Manager (ACM) helps you create, store, and renew public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

  • AWS Cloud Development Kit (AWS CDK) is a software development framework that helps you define and provision AWS Cloud infrastructure in code.

  • AWS PrivateLink helps you create unidirectional, private connections from your VPCs to services outside of the VPC.

Epics

TaskDescriptionSkills required

Create an SNI certificate and import the certificate into ACM.

  1. Create an SNI certificate for ui.domain.com and api.domain.com. For more information, see Choosing how CloudFront serves HTTPS requests in the Amazon CloudFront documentation.

  2. Import the SNI certificates into AWS Certificate Manager (ACM). For more information, see Importing certificates into AWS Certificate Manager in the ACM documentation.

Network administrator
TaskDescriptionSkills required

Create an interface VPC endpoint in API Gateway.

To create an interface VPC endpoint, follow the instructions from Access an AWS service using an interface VPC endpoint in the Amazon Virtual Private Cloud (Amazon VPC) documentation.

Cloud administrator
TaskDescriptionSkills required

Create a target group for your application.

Create a target group for the UI resources of your application.

Cloud administrator

Create a target group for the API Gateway endpoint.

  1. Create a target group with an IP address type, and then add the IP address of the VPC endpoint for the API Gateway endpoint to the target group.

  2. Configure health checks for your target groups with success code 403. 403 is required because the VPC endpoint for the API Gateway returns a 403 code when it is invoked without any headers by the target group health check.

Cloud administrator

Create an Application Load Balancer.

  1. Create an Application Load Balancer (internal) in a routable private subnet.

  2. Add the 443 listener to the Application Load Balancer, and the choose the certificate from ACM.

Cloud administrator

Create listeners rules.

Create listener rules to do the following:

  1. Forward the host api.domain.com to the API Gateway target group

  2. Forward the host ui.domain.com to the target group for the UI resources

Cloud administrator
TaskDescriptionSkills required

Create a private hosted zone.

Create a private hosted zone for domain.com.

Cloud administrator

Create domain records.

Create CNAME records for the following:

  • An API with the value set to the DNS name of the Application Load Balancer

  • A UI with the value set to the DNS name of the Application Load Balancer

Cloud administrator
TaskDescriptionSkills required

Create and configure a private API endpoint.

  1. To create a private API endpoint, follow the instructions from Creating a private API in Amazon API Gateway in the API Gateway documentation. 

  2. Configure the resource policy to allow calls to only the API from the VPC endpoint. For more information, see Controlling access to an API with API Gateway resource policies in the API Gateway documentation.

App developer, Cloud administrator

Create a custom domain name.

  1. Create a custom domain name for api.domain.com. For more information, see Setting up custom domain names for REST APIs in the API Gateway documentation.

  2. Select the created API and stage. For more information, see Working with API mappings for REST APIs in the API Gateway documentation.

Cloud administrator

Related resources