Harfel Jaquez

Reputation: 409

How to access private API Gateway over on-prem/VPN?

I have created an API gateway to run a Lambda function. This is meant to be used as an internal service so my API gateway is private. In order to make the API gateway accessible privately I did the following:

  1. Created a VPC endpoint in a couple of subnets of our VPC
  2. Added the endpoint to a security group that only allows traffic from on-prem
  3. Added a resource policy to the API gateway that only allows requests from the VPC endpoint

These steps effectively block public requests and allow requests from on-prem through the DNS names created by the VPC endpoint.

The problem with this approach is that in order to call the API one has to specify either the Host or the x-apigw-api-id header in the request. The goal is for users to be able to go to their browsers, type in the URL and query string parameters, and get a response from the service.

Amazon API Gateway types, use cases and performance talks about an approach to avoid having to specify the API id or host, but it doesn't provide much detail. The relevant portion says the solution would be:

Place an Application Load Balancer with an SSL certificate (e.g. api.mydomain.com) in front of the IP addresses of your PrivateLink network interfaces. Also deploy a custom domain name for api.mydomain.com and a base path mapping for your API Gateway. Then add a Route 53 record that points api.mydomain.com as an alias to your ALB. This solution is quite complex, but we’ve tested it and it works. Describing the full solution is outside the scope of this post, but we might write a separate blog post about it later.

Does anyone know how to do this or a different approach?

Upvotes: 5

Views: 11515

Answers (2)

Dimi

Reputation: 343

The recommended way of implementing this access pattern is to explicitly associate the interface VPC endpoint with the private API gateway:

aws apigateway update-rest-api \
    --rest-api-id u67n3ov968 \
    --patch-operations "op='add',path='/endpointConfiguration/vpcEndpointIds',value='vpce-01d622316a7df47f9'" \
    --region us-east-1

This will create a new publicly resolvable DNS name that resolves to the VPC endpoint's private IP addresses:

> nslookup u67n3ov968-vpce-01d622316a7df47f9.execute-api.us-east-1.amazonaws.com    

Non-authoritative answer:
Name:   u67n3ov968-vpce-01d622316a7df47f9.execute-api.us-east-1.amazonaws.com
Address: 10.0.0.200
Name:   u67n3ov968-vpce-01d622316a7df47f9.execute-api.us-east-1.amazonaws.com
Address: 10.0.0.155

On-premises clients can use this DNS name to call private API gateway without passing the header or overriding the Host.

Upvotes: 4
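As an added example (not code from the answer above), the following Python script mirrors the association step from the CLI command in boto3 form and adds two checks a practitioner would want before trusting the new hostname: that it resolves only to addresses inside the VPC (an address outside the VPC would mean the client is not reaching the endpoint at all), and that the API's resource policy denies invokes that did not arrive through that endpoint. The API id, endpoint id, region and the two resolved addresses are taken from the answer; the VPC CIDR 10.0.0.0/16 is assumed, and the resolver is injectable so the checks run offline against constructed data. The caller supplies the boto3 `apigateway` client if they want the association actually applied.

```python
"""Checks around a private REST API associated with an interface VPC endpoint.

Added example, not from the question or either answer. API id, VPC endpoint id
and region come from the answer above; the VPC CIDR is assumed.
"""
import ipaddress
import socket

API_ID = "u67n3ov968"                  # from the answer above
VPCE_ID = "vpce-01d622316a7df47f9"     # from the answer above
REGION = "us-east-1"
VPC_CIDRS = ["10.0.0.0/16"]            # assumed CIDR of the VPC hosting the endpoint


def private_dns_name(api_id: str, vpce_id: str, region: str) -> str:
    """Hostname API Gateway publishes once the endpoint is associated.
    It is publicly resolvable but answers with the endpoint's private IPs."""
    return f"{api_id}-{vpce_id}.execute-api.{region}.amazonaws.com"


def association_patch(vpce_id: str) -> list:
    """The same PATCH operation the CLI command above sends, in boto3 form."""
    return [{"op": "add",
             "path": "/endpointConfiguration/vpcEndpointIds",
             "value": vpce_id}]


def associate_vpc_endpoint(apigw_client, api_id: str, vpce_id: str) -> dict:
    """apigw_client is a boto3 'apigateway' client supplied by the caller."""
    return apigw_client.update_rest_api(
        restApiId=api_id, patchOperations=association_patch(vpce_id))


def resource_policy(vpce_id: str) -> dict:
    """Deny any invoke that did not arrive through this VPC endpoint, then
    allow the rest: the documented deny-unless-SourceVpce pattern for private APIs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*",
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*"},
        ],
    }


def resolve_ipv4(hostname: str) -> list:
    """Default resolver: a real DNS lookup (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(hostname: str, vpc_cidrs, resolver=resolve_ipv4) -> list:
    """Return the resolved addresses if every one lies inside the VPC CIDRs;
    raise if the name does not resolve or resolves to an address outside them."""
    networks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    addrs = resolver(hostname)
    if not addrs:
        raise RuntimeError(f"{hostname} did not resolve")
    outside = [a for a in addrs
               if not any(ipaddress.ip_address(a) in n for n in networks)]
    if outside:
        raise RuntimeError(f"{hostname} resolves outside the VPC: {outside}")
    return addrs


if __name__ == "__main__":
    name = private_dns_name(API_ID, VPCE_ID, REGION)
    print(name)
    print(check_private_resolution(name, VPC_CIDRS))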

Harfel Jaquez

Reputation: 409

I found out the answer to this question so I thought I should share it in case anyone else is wondering how to do this. I reached out to the person who wrote the post above and he gave me some pointers. He later wrote a post explaining the solution, if my summation of it is confusing you can read his post here:

https://cloudbanshee.com/blog/connecting-to-private-api-over-vpn-or-vpc-peering

Essentially, once you have your private API Gateway VPC endpoint and ALB, this is what you need to do:

  • Create a custom domain name using the same certificate as the ALB listener
  • Add base path mappings for the desired stages of an API gateway you want to connect to
  • Add a Route 53 record with the custom domain name as the name and the ALB DNS name as the target (or, if you have your own DNS server, add the record there)
  • Create a target group of type IP for the ALB and add the IPs for the VPC endpoints
  • In the ALB listener, create rules that send traffic to the target group when the url matches the custom domain name and the path matches the base path mapping defined for the API gateway

The thing that I was missing and that makes this work is the base path mapping. That is how the ALB knows which API gateway to route traffic to without knowing any IDs or Host names.

The post I shared is more detailed and much better written. I'd recommend anyone interested in learning how to access an API Gateway privately to read it.

Upvotes: 6
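As an added example (not code from the answer or the linked post), the following Python model walks a browser request such as https://api.mydomain.com/v1/orders?x=1 through the two lookups the procedure above relies on: first the ALB listener rule (Host header plus path pattern selects the IP target group holding the VPC endpoint addresses), then, because the ALB forwards the request with its Host header intact, API Gateway's custom domain name (looked up by Host) and base path mapping (looked up by the first path segment) select the API id and stage. That second lookup is what removes the need for x-apigw-api-id. The domain api.mydomain.com and the API id u67n3ov968 come from the page; the second and third API ids, the stage names, the ALB rule priorities, the `/v1`, `/v2`, `/v3` base paths and a default action that drops unmatched requests are assumed, and the endpoint IPs are the two from the first answer.

```python
"""Model of the ALB-in-front-of-PrivateLink routing described in the answer above.

Added example, not code from the answer or the linked blog post. All names,
ids, stages, rules and mappings below are assumed except where noted.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional

# --- ALB side (assumed configuration) ----------------------------------------
VPCE_TARGET_GROUP = "tg-apigw-vpce"            # IP target group of endpoint ENIs
VPCE_TARGET_IPS = ["10.0.0.200", "10.0.0.155"]  # from the first answer's nslookup


@dataclass
class ListenerRule:
    priority: int        # lowest number is evaluated first
    host_header: str     # ALB host-header condition, case-insensitive
    path_pattern: str    # ALB path-pattern condition, '*' and '?' wildcards
    target_group: str


ALB_RULES = [
    ListenerRule(10, "api.mydomain.com", "/v1/*", VPCE_TARGET_GROUP),
    ListenerRule(20, "api.mydomain.com", "/v2/*", VPCE_TARGET_GROUP),
    ListenerRule(30, "api.mydomain.com", "/v3/*", VPCE_TARGET_GROUP),  # no mapping behind it
    ListenerRule(40, "legacy.mydomain.com", "/*", VPCE_TARGET_GROUP),
]
ALB_DEFAULT_ACTION = None   # assumed fixed 404 default action: request goes nowhere


def _strip_query(path: str) -> str:
    # Path conditions and base path mappings ignore the query string.
    return path.split("?", 1)[0]


def alb_route(host: str, path: str) -> Optional[str]:
    """Return the target group chosen by the first matching listener rule."""
    path = _strip_query(path)
    for rule in sorted(ALB_RULES, key=lambda r: r.priority):
        if (fnmatch.fnmatchcase(host.lower(), rule.host_header.lower())
                and fnmatch.fnmatchcase(path, rule.path_pattern)):
            return rule.target_group
    return ALB_DEFAULT_ACTION


# --- API Gateway side (assumed configuration) --------------------------------
# custom domain name -> {base path: (rest api id, stage)}; "" is the "(none)" base path
BASE_PATH_MAPPINGS = {
    "api.mydomain.com": {
        "v1": ("u67n3ov968", "prod"),   # api id from the page, stage assumed
        "v2": ("a1b2c3d4e5", "prod"),   # assumed second API behind the same domain
    },
    "legacy.mydomain.com": {
        "": ("f6g7h8i9j0", "v1"),       # catch-all mapping, whole path is passed through
    },
}


def apigw_route(host: str, path: str):
    """Pick (api_id, stage, resource_path) by custom domain and first path
    segment; the remainder is the resource path the stage sees. None if the
    domain is unknown or no base path mapping matches."""
    mappings = BASE_PATH_MAPPINGS.get(host.lower())
    if mappings is None:
        return None
    path = _strip_query(path)
    first, _, rest = path.lstrip("/").partition("/")
    if first in mappings:
        api_id, stage = mappings[first]
        return api_id, stage, "/" + rest
    if "" in mappings:
        api_id, stage = mappings[""]
        return api_id, stage, path
    return None


def route(host: str, path: str):
    """End to end: where does a request with this Host header and path land?"""
    target = alb_route(host, path)
    if target is None:
        return "dropped by ALB default action"
    if target != VPCE_TARGET_GROUP:
        return f"forwarded to {target}"
    hit = apigw_route(host, path)   # Host header survives the ALB unchanged
    if hit is None:
        return "reached API Gateway but no base path mapping matched"
    return hit


if __name__ == "__main__":
    for req in [("api.mydomain.com", "/v1/orders?x=1"),
                ("api.mydomain.com", "/v3/anything"),
                ("api.mydomain.com", "/admin"),
                ("legacy.mydomain.com", "/a/b")]:
        print(req, "->", route(*req))
```

The `/v3/*` rule is there to show the failure mode of an over-broad listener: the ALB happily forwards the request, but without a matching base path mapping API Gateway has no API to hand it to. Keep the listener rules and the base path mappings in step with each other.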
