API Gateway in AWS initially supported only HTTP endpoints exposed to the public internet, so we had to put an AWS Lambda function in front of any endpoint that lived inside a private VPC.
Since the end of 2017, API Gateway can reach an internal HTTP endpoint directly through a VPC Link. We used VPC Link to make sure the HTTP endpoint hosted by Elastic Beanstalk is accessible only via API Gateway. The steps are:
- Create Elastic Beanstalk with NLB
- Specify VPC Link type in the integration request
- Deploy API Gateway to the target stage
- Specify stage variables
Create Elastic Beanstalk with NLB
First, we need to create our Elastic Beanstalk application with a network load balancer (NLB). A VPC Link can only route to a network load balancer; an application load balancer (ALB) or a classic load balancer cannot be used. Make sure the NLB is created as an internal load balancer rather than an internet-facing one, otherwise the endpoint stays reachable directly and the goal of forcing all traffic through API Gateway is defeated. You can create the NLB via the AWS console without any difficulty. Here is the instruction.
Specify VPC Link type in the integration request
In the configuration of the integration request, it is necessary to select the VPC Link integration type. You can do that in the AWS console as follows.
It is also necessary to pass the VPC Link ID and the upstream endpoint as stage variables if you want a different upstream endpoint per stage. All stage variables live in the parent object stageVariables, so a variable is referenced as ${stageVariables.vpcLinkId}.
Deploy API Gateway to the target stage
Then we can deploy the API Gateway configuration so that it becomes visible from the public internet.
The root path of the deployed endpoint is the stage name. For example, if you deploy an API to the stage development, the URL visible from the public internet will be https://<API Gateway ID>.execute-api.<Region>.amazonaws.com/development/path/to/resource.
Set stage variables
We need to set the stage variables referenced in step 2. The console for this is shown when you click the stage name in the Stages tab.
In this case, we need to define both the vpcLinkId and the url variables.
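The four steps above, expressed as one CloudFormation template. This is an added example and not the post author's configuration: it assumes the Elastic Beanstalk environment with its internal NLB already exists and takes the NLB's ARN and DNS name as parameters (placeholders); the resource names, the stage name development, and the choice of IAM authorization plus an API key are illustrative. The ConnectionId and Uri strings are deliberately plain strings rather than !Sub, so that ${stageVariables.vpcLinkId} and ${stageVariables.url} reach API Gateway literally and are resolved per stage at request time.

```yaml
# Added example (not from the original post): API Gateway -> VPC Link -> internal NLB,
# with the VPC Link ID and the upstream host supplied through stage variables.
AWSTemplateFormatVersion: "2010-09-09"
Description: REST API fronting an internal NLB via VPC Link (illustrative example)

Parameters:
  InternalNlbArn:
    Type: String
    Description: ARN of the internal NLB created by Elastic Beanstalk (placeholder)
  InternalNlbDnsName:
    Type: String
    Description: DNS name of that NLB (placeholder, e.g. internal-...elb.amazonaws.com)

Resources:
  # Step 1 counterpart: the VPC Link must target a network load balancer.
  BackendVpcLink:
    Type: AWS::ApiGateway::VpcLink
    Properties:
      Name: eb-backend-link
      TargetArns:
        - !Ref InternalNlbArn

  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: eb-backend-api
      EndpointConfiguration:
        Types: [REGIONAL]

  # Greedy proxy resource: /{proxy+} forwards any sub-path to the backend.
  ProxyResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref Api
      ParentId: !GetAtt Api.RootResourceId
      PathPart: "{proxy+}"

  # Step 2: VPC_LINK integration whose link ID and host come from stage variables.
  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: AWS_IAM   # callers must sign requests; no anonymous access
      ApiKeyRequired: true         # lets usage plans apply per-client quotas
      RequestParameters:
        method.request.path.proxy: true
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK
        # Plain strings on purpose: API Gateway resolves these per stage.
        ConnectionId: "${stageVariables.vpcLinkId}"
        Uri: "http://${stageVariables.url}/{proxy}"
        RequestParameters:
          integration.request.path.proxy: method.request.path.proxy

  # Step 3: deploy the API.
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: ProxyMethod
    Properties:
      RestApiId: !Ref Api

  # Step 4: the stage carries the two variables referenced in the integration.
  DevelopmentStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref Api
      DeploymentId: !Ref Deployment
      StageName: development
      Variables:
        vpcLinkId: !Ref BackendVpcLink   # Ref of a VpcLink resource yields its ID
        url: !Ref InternalNlbDnsName

Outputs:
  InvokeUrl:
    Description: Public entry point; the stage name is the root path
    Value: !Sub "https://${Api}.execute-api.${AWS::Region}.amazonaws.com/development/"
```

A second stage (say production) is just another AWS::ApiGateway::Stage with its own vpcLinkId and url values pointing at a different VPC Link and NLB; the method and integration do not change. On the Elastic Beanstalk side, the assumed environment settings are LoadBalancerType set to network in the aws:elasticbeanstalk:environment namespace and ELBScheme set to internal in the aws:ec2:vpc namespace, so that the only route to the application is the VPC Link.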
Then your internal endpoint will be accessible from the public internet. One big advantage is that it lets us funnel every possible connection through API Gateway. We can apply access control and resource quotas in API Gateway without modifying the application code. It makes life significantly easier.