Reputation: 604
I have a public API Gateway set up, and I want to forward the requests from API Gateway to a private ALB in the VPC. In the AWS Console, for the API Gateway VPC link setup, I could only select an NLB in the VPC.
Upvotes: 1
Views: 2419
Reputation: 3049
edit: I see I was confusing this post with another one... I believe my answer still adds value though, so I am leaving it (I thought this specified REST API Gateways and not HTTP API Gateways, but it does not).
While @diegosasw's answer is valid and useful, it is for AWS HTTP API Gateways, not AWS REST API Gateways.
With that being said, they are correct in saying it is possible! Please see the following AWS documentation regarding how to accomplish this: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-application-load-balancers/
Please note one particular downside of AWS's documented approach: it requires a public ALB. Of course this is not ideal, though one can still harden their ALB so that it only accepts traffic originating from the REST API Gateway. If this is not acceptable for the existing use case, then @Suraj Bhatia's answer above must be followed (for REST API integrations, at least). If HTTP Gateways are acceptable, then @diegosasw's answer is the better approach to take due to it being simpler to manage and still allowing for a private ALB 🙂
For posterity, AWS's documentation states the following:
Note: The following procedure assumes two things:
- You have access to a public Application Load Balancer and its DNS name.
- You have an API Gateway REST API resource with an HTTP method.

Steps:
- In the API Gateway console, choose the API you want to integrate with the Application Load Balancer.
- In the Resources pane, for Methods, choose the HTTP method that your API uses.
- Choose Integration Request.
- In the Integration Request pane, for Integration Type, choose HTTP.
  Note: To pass the entire API request and its parameters to the backend Application Load Balancer, create one of the following instead: An HTTP proxy integration -or- An HTTP custom integration
  For more information, see Set up HTTP integrations in API Gateway.
- In the Endpoint URL field, enter either the Application Load Balancer's default DNS name or custom DNS name. Then, add the configured protocol of its listener. For example, an Application Load Balancer that's configured with an HTTPS listener on port 8080 requires the following endpoint URL format: https://domain-name:8080/
  Important: Make sure that you create an HTTP listener or HTTPS listener for the Application Load Balancer using the port and listener rules of your choice. For more information, see Listeners for your Application Load Balancers. For an Application Load Balancer configured with an HTTPS listener, the associated certificate must be issued by an API Gateway-supported certificate authority. If you have to use a certificate that's self-signed or issued by a private certificate authority, then set insecureSkipVerification to true in the integration's tlsConfig.
- Choose Save.
- Deploy the API.
Upvotes: 1
Reputation: 15634
The selected answer is outdated. It is possible to have API Gateway integrate, through HTTP, with an internal-facing ALB by using VPC Link and private resource integration.
For step by step details, see my answer on another question: https://stackoverflow.com/a/67413951/2948212
Upvotes: 1
Reputation: 1323
Currently AWS only supports connecting to NLB for VPC link integrations. They have a feature request in place to enable support for ALB as well. For now, you can do -
Public API --> VPC Link --> NLB --> ALB
In the target groups of the NLB, add the private IPs of the ALB. This way you can reap benefits of the NLB (TCP layer) and ALB (HTTPS).
Using static IP addresses for Application Load Balancers
Upvotes: 1
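An added example, not part of any answer above: the NLB --> ALB chain in the last answer registers the ALB's private IPs as NLB targets, and those IPs can change over time, so the target group needs periodic reconciliation. The sketch below plans and applies that sync with boto3's `elbv2` client; the function names, the VPC CIDR guard, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the page).
SAMPLE_VPC_CIDRS = ["10.0.0.0/16"]
SAMPLE_ALB_IPS = ["10.0.1.15", "10.0.2.44"]    # what the ALB currently resolves to
SAMPLE_REGISTERED = ["10.0.1.15", "10.0.3.9"]  # what the NLB target group holds


def plan_target_sync(alb_ips, registered_ips, vpc_cidrs):
    """Return (to_register, to_deregister) for the NLB target group."""
    networks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    current = set()
    for ip in alb_ips:
        addr = ipaddress.ip_address(ip)
        # Guard: only addresses inside the VPC may become NLB targets, so a
        # bad lookup result cannot route gateway traffic outside the VPC.
        if not any(addr in net for net in networks):
            raise ValueError(f"{ip} is outside the VPC CIDRs; refusing to register")
        current.add(addr)
    if not current:
        # Empty lookup (DNS failure, ALB mid-replacement): change nothing
        # rather than deregistering every healthy target.
        return [], []
    registered = {ipaddress.ip_address(ip) for ip in registered_ips}
    to_register = [str(a) for a in sorted(current - registered)]
    to_deregister = [str(a) for a in sorted(registered - current)]
    return to_register, to_deregister


def apply_plan(elbv2, target_group_arn, port, to_register, to_deregister):
    """Apply the plan; elbv2 is a boto3 client created with boto3.client('elbv2')."""
    # Register new IPs before removing stale ones so the group is never empty.
    if to_register:
        elbv2.register_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": port} for ip in to_register],
        )
    if to_deregister:
        elbv2.deregister_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": port} for ip in to_deregister],
        )
```

Run it on a schedule (for example from a Lambda function) and alert on the `ValueError`, since an out-of-VPC address in the ALB lookup is worth investigating rather than silently skipping.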