API Gateway in AWS initially only supports HTTP endpoint exposed to the public internet. We had to use AWS Lambda to access the endpoint behind the private VPC.
Since the end of 2017, we can connect API Gateway and internal HTTP endpoint by using VPC Link directly. We tried to use VPC link to make sure our HTTP endpoint hosted by Elastic Beanstalk only accessible via API Gateway.
First, we need to create our Elastic Beanstalk application with the network load balancer. As VPC link only supports routing to the network load balancer, an application load balancer (ALB) and classic load balancer cannot be used. You can create NLB via AWS console without any difficulties. Here is the instruction.
In the configuration of integration request, it is necessary to specify VPC Link type. You can do that in AWS console as follows.
It’s also necessary to specify VPC link ID and endpoint as stage variables if you want to use different upstream endpoint by stages. All stage variables are stored in the parent object
stageVariables. So your variable should be referred here such as
Then we can deploy the API Gateway implementation so that it can be visible from the public internet.
The root path of the deployed endpoint will be the stage name. For example, if you deploy an API to the stage
development, the URL visible from the public internet will be
https://<API Gateway ID>.execute-api.<Region>.amazonaws.com/development/path/to/resource.
We need to specify the stage variables that are defined in step 2. This console is shown when you click the stage name in the
In this case, we need to define both
Then your internal endpoint will be accessible from the public internet. One big advantage is that it enables us to limit the all possible connection through API Gateway. We can have access control and resource quota in API Gateway without modifying the application code. It makes life significantly easy.Written on January 4th, 2019 by Kai Sasaki