Create an Internal Amazon API Gateway with Terraform

Sophie Cosgrove
3 min read · Sep 27, 2021


An API Gateway simplifies calling a group of APIs/microservices and provides a single point of entry to the application architecture. It differs from technologies with similar uses, such as a service mesh, in that it provides a centralized control plane and makes it easy to manage changing endpoints.

Problem Statement

This guide’s intended use case is infrastructure that requires a private REST API, one that can only be accessed from within your VPC.

Using private API integrations adds complexity to your infrastructure because it requires additional components such as VPC endpoints and Network Load Balancers. This guide outlines the infrastructure you will need to implement such an API Gateway using Terraform.

In this infrastructure, the API Gateway routes traffic forwarded from a frontend microservice to two backend microservices. You can find the source code for this project here:

In addition, you can find the source code for a generalised, private Amazon API Gateway module here:

Example Architecture

Guide

Private REST API

In order to create an API that is only accessible from within a VPC, use a REST API with the PRIVATE endpoint type. This means the traffic never leaves the AWS network.

VPC Link Integration

When configuring the integration settings, set the connection_type parameter to VPC_LINK and, for type, specify either HTTP or HTTP_PROXY. You will also need to pass the VPC Link ID in through the connection_id parameter.

DNS

Note: This method might not be the most suitable for regional or edge-optimised APIs.

To allow the frontend application to invoke the API, enable the private DNS option on the interface VPC endpoint. In order to enable private DNS, enable_dns_hostnames must be set to true in your VPC configuration.

Then pass the invoke URL to your frontend microservice as an environment variable in its task definition (depending on your configuration), making sure the API stage name is appended to the end of the URL.
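As an added illustration (not code from the article or its linked repository), the following Terraform creates the VPC with DNS hostnames enabled, the interface endpoint for execute-api with private DNS turned on, and the endpoint’s security group that the Security Groups section describes. The CIDR blocks are constructed sample values, and the frontend security group ID is assumed to be passed in as a variable.

```hcl
# Added example, not the article's own code.
# Assumption: the frontend service's security group is created elsewhere
# and its ID is supplied here.
variable "frontend_sg_id" { type = string }

data "aws_region" "current" {}

# Private DNS on the endpoint requires DNS hostnames and DNS support on the VPC.
resource "aws_vpc" "this" {
  cidr_block           = "10.0.0.0/16" # constructed sample CIDR
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.this.id
  cidr_block = "10.0.1.0/24" # constructed sample CIDR
}

# The VPC endpoint needs a security group; API Gateway itself does not.
# Only the frontend (or whichever service forwards to the API) may reach port 443.
resource "aws_security_group" "execute_api_vpce" {
  name        = "execute-api-vpce"
  description = "Allow the frontend to reach the private API Gateway endpoint"
  vpc_id      = aws_vpc.this.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.frontend_sg_id]
  }
}

# Interface endpoint for execute-api. With private_dns_enabled the default
# https://<api-id>.execute-api.<region>.amazonaws.com invoke hostname resolves
# to this endpoint's private IPs from inside the VPC.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = aws_vpc.this.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.execute_api_vpce.id]
  private_dns_enabled = true
}

# Hand the endpoint ID to the REST API module for its resource policy.
output "vpc_endpoint_id" {
  value = aws_vpc_endpoint.execute_api.id
}
```

Because private DNS overrides the public execute-api hostname for the whole VPC, this setting affects every API Gateway call made from inside that VPC, which is why the article notes it may not suit regional or edge-optimised APIs that share the VPC.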

Resource Policy

Private APIs require a resource policy; otherwise the deployment will fail. You can use the condition key aws:SourceVpce with the ID of the VPC endpoint to deny any traffic that does not originate from that endpoint.
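Putting the Private REST API, VPC Link Integration and Resource Policy sections together, here is an added Terraform example (not the article’s own code). It assumes the internal NLB’s ARN and DNS name and the VPC endpoint ID are supplied as variables, and it forwards every path to the NLB through a single {proxy+} resource; the stage name v1 is a placeholder.

```hcl
# Added example, not the article's own code.
# Assumptions: the NLB and the interface VPC endpoint exist already and their
# identifiers are passed in as variables.
variable "nlb_arn"         { type = string }
variable "nlb_dns_name"    { type = string }
variable "vpc_endpoint_id" { type = string }

resource "aws_api_gateway_rest_api" "private" {
  name = "internal-api"

  # PRIVATE endpoint type: reachable only through an interface VPC endpoint.
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [var.vpc_endpoint_id]
  }

  # Resource policy is mandatory for a private API. Allow invocation, then
  # explicitly deny anything that did not arrive via our VPC endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "execute-api:Invoke"
        Resource  = "execute-api:/*"
      },
      {
        Effect    = "Deny"
        Principal = "*"
        Action    = "execute-api:Invoke"
        Resource  = "execute-api:/*"
        Condition = {
          StringNotEquals = {
            "aws:SourceVpce" = var.vpc_endpoint_id
          }
        }
      },
    ]
  })
}

# VPC link: API Gateway's private path back into the VPC, terminating on the NLB.
resource "aws_api_gateway_vpc_link" "this" {
  name        = "internal-api-vpc-link"
  target_arns = [var.nlb_arn]
}

# Catch-all resource /{proxy+} so every backend path is forwarded unchanged.
resource "aws_api_gateway_resource" "proxy" {
  rest_api_id = aws_api_gateway_rest_api.private.id
  parent_id   = aws_api_gateway_rest_api.private.root_resource_id
  path_part   = "{proxy+}"
}

resource "aws_api_gateway_method" "proxy" {
  rest_api_id   = aws_api_gateway_rest_api.private.id
  resource_id   = aws_api_gateway_resource.proxy.id
  http_method   = "ANY"
  authorization = "NONE" # the resource policy plus the VPC endpoint SG are the access controls here

  request_parameters = {
    "method.request.path.proxy" = true
  }
}

# HTTP_PROXY integration over the VPC link; the URI targets the NLB's DNS name.
resource "aws_api_gateway_integration" "proxy" {
  rest_api_id             = aws_api_gateway_rest_api.private.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = aws_api_gateway_method.proxy.http_method
  integration_http_method = "ANY"
  type                    = "HTTP_PROXY"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.this.id
  uri                     = "http://${var.nlb_dns_name}/{proxy}"

  request_parameters = {
    "integration.request.path.proxy" = "method.request.path.proxy"
  }
}

# Redeploy whenever the routing definition changes.
resource "aws_api_gateway_deployment" "this" {
  rest_api_id = aws_api_gateway_rest_api.private.id

  triggers = {
    redeployment = sha1(jsonencode([
      aws_api_gateway_resource.proxy.id,
      aws_api_gateway_method.proxy.id,
      aws_api_gateway_integration.proxy.id,
    ]))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "v1" {
  rest_api_id   = aws_api_gateway_rest_api.private.id
  deployment_id = aws_api_gateway_deployment.this.id
  stage_name    = "v1"
}

# invoke_url already ends in the stage name; pass it to the frontend task as an env var.
output "invoke_url" {
  value = aws_api_gateway_stage.v1.invoke_url
}
```

The Deny statement is what makes the policy useful: the Allow alone would admit any caller that can reach the API, whereas the StringNotEquals on aws:SourceVpce rejects requests that did not enter through the named endpoint even if they reach API Gateway some other way.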

Network Load Balancer

In order to route traffic from the API Gateway back into the VPC, an integration with a VPC link tied to an internal Network Load Balancer (NLB) is used.

This may mean that you need to migrate your existing internal Application/Classic Load Balancer to a Network type. Another option is to create an NLB in front of the existing LB; however, this complicates the infrastructure and increases cost. You may also need to change the protocol from HTTPS to TCP and re-configure the health checks.
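An added example of the internal NLB that the VPC link targets (not code from the article or its repository): a TCP listener and a TCP target group whose health check has been reconfigured as an HTTP path check, as this section describes. The VPC ID, private subnets and backend port are assumed variables, and the /health path is a placeholder.

```hcl
# Added example, not the article's own code.
# Assumptions: VPC, private subnets and the backend container port come from variables.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }

variable "backend_port" {
  type    = number
  default = 8080 # constructed sample value
}

# internal = true keeps the NLB off the public internet; only VPC-internal
# addresses are assigned, which is what the VPC link requires.
resource "aws_lb" "internal" {
  name               = "internal-api-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

# NLB target groups speak TCP rather than HTTPS, so the health check is
# re-defined: here as an HTTP GET on the traffic port. NLB health checks
# accept an interval of 10 or 30 seconds.
resource "aws_lb_target_group" "backend" {
  name        = "backend-tcp"
  port        = var.backend_port
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "ip" # ECS awsvpc tasks register by IP

  health_check {
    protocol            = "HTTP"
    path                = "/health" # placeholder path
    port                = "traffic-port"
    healthy_threshold   = 3
    unhealthy_threshold = 3
    interval            = 30
  }
}

resource "aws_lb_listener" "tcp" {
  load_balancer_arn = aws_lb.internal.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}

# Consumed by the API Gateway module (VPC link target and integration URI).
output "nlb_arn"        { value = aws_lb.internal.arn }
output "nlb_dns_name"   { value = aws_lb.internal.dns_name }
output "nlb_arn_suffix" { value = aws_lb.internal.arn_suffix }
```

Because the listener is plain TCP, TLS terminates at API Gateway and the hop from the NLB to the backend is unencrypted inside the VPC; if the backend must receive TLS, use a TLS listener and target group instead of re-introducing an ALB in front.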

Note: The new HTTP API offers more endpoint options such as ALBs, NLBs and CloudMap and is more cost effective. It is suggested to migrate from REST APIs to HTTP APIs.

Security Groups

Whilst the API Gateway doesn’t require a security group, the VPC endpoint does and it should allow inbound traffic on port 443 from the security group of the frontend application, or another service which forwards the traffic to the API Gateway.

Since the NLB doesn’t have a security group, you can look up the IDs of the network interfaces associated with it and allow their addresses in the ingress security group rules of the backend applications.

In the backend root module data sources:

In the child module security group configuration create a variable:

Define the variable in the root module:
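The article’s own snippets for the data sources and the module variable are not present on this page; as an added example (not the article’s code), here is how the root module can look up the NLB’s network interfaces and pass their private IPs into a child module that owns the backend security group. The NLB ARN suffix and VPC ID are assumed to be variables, and the module path ./modules/backend_sg is hypothetical.

```hcl
# Added example, not the article's own code.
# --- root module (e.g. backend/main.tf) ---
variable "vpc_id" { type = string }

# Assumed to be aws_lb.internal.arn_suffix from the NLB module,
# shaped like "net/<nlb-name>/<id>".
variable "nlb_arn_suffix" { type = string }

# NLB node interfaces are described "ELB net/<name>/<id>", i.e. "ELB " + arn_suffix.
data "aws_network_interfaces" "nlb" {
  filter {
    name   = "description"
    values = ["ELB ${var.nlb_arn_suffix}"]
  }
}

# Resolve each interface ID to its private IP.
data "aws_network_interface" "nlb" {
  for_each = toset(data.aws_network_interfaces.nlb.ids)
  id       = each.value
}

module "backend_sg" {
  source = "./modules/backend_sg" # hypothetical path

  vpc_id       = var.vpc_id
  backend_port = 8080 # constructed sample value

  # One /32 per NLB network interface; SG rules take CIDRs, not ENI IDs.
  nlb_private_cidrs = [for eni in data.aws_network_interface.nlb : "${eni.private_ip}/32"]
}

# --- child module (modules/backend_sg/variables.tf) ---
variable "vpc_id"       { type = string }
variable "backend_port" { type = number }

variable "nlb_private_cidrs" {
  description = "Private IPs (/32) of the internal NLB's network interfaces allowed to reach the backend"
  type        = list(string)
}

# --- child module (modules/backend_sg/main.tf) ---
resource "aws_security_group" "backend" {
  name        = "backend"
  description = "Backend microservice; ingress only from the internal NLB"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "from_nlb" {
  type              = "ingress"
  security_group_id = aws_security_group.backend.id
  from_port         = var.backend_port
  to_port           = var.backend_port
  protocol          = "tcp"
  cidr_blocks       = var.nlb_private_cidrs
}

output "backend_sg_id" { value = aws_security_group.backend.id }
```

Two practical points: the interface IDs are only known once the NLB exists, so when the NLB is created in the same apply the for_each above cannot be planned until the NLB has been applied (a targeted first apply, or keeping the NLB in a separate state, avoids this); and the NLB keeps a node interface per subnet it is attached to, so adding a subnet later adds an address that this rule will only pick up on the next apply.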

Conclusion

In this tutorial we have used Terraform to create the necessary infrastructure for an internal Amazon API Gateway. This includes a REST API with the private endpoint type, a VPC link integration, a VPC endpoint with private DNS, a resource policy, an NLB and security group rules.

For more information on designing Amazon private API Gateways visit:
