3

I'm struggling to find a solution that makes an ALB forward traffic to API Gateway (ideally private). Below is the flow:

Domain => ALB => API Gateway.

How can we make an ALB forward traffic to a private API Gateway?

Chuong Nguyen

1 Answer

1

I do not think you can do this reliably. The only way I can think of is to use the IP address type in your ALB's target group. This would have to be the private IP address of your private API Gateway interface endpoint in the VPC.

The problem is that the private IP is probably not guaranteed to be static. Thus you should always use the DNS name of the gateway, but the ALB will not accept the DNS name. It can only take an IP address.

So you can try to use the private IP address as the target, and if the IP changes too much you have to develop a custom solution to monitor the IPs and update your ALB target groups.

Marcin
  • Thank you for your answer, Marcin. That is what I am doing now, using the private IP from the Network Interfaces attached to the API Gateway. But I faced some IP changes, so that is why I asked, to get a better and more stable solution – Chuong Nguyen Aug 16 '22 at 10:50
  • @AshBlake You could have a Lambda on a schedule monitoring those IPs and doing the updates when needed. Not sure if there is any automated notification mechanism when those IPs change. – Marcin Aug 16 '22 at 10:51
  • I think I can do scripting to automatically get the right IP, but it will be very painful – Chuong Nguyen Aug 16 '22 at 11:08
  • @AshBlake But if the API should be accessible from the internet, why not make it actually public? – Marcin Aug 16 '22 at 11:12
  • Because it should not be publicly accessible. If it can, I can use the redirect rule, am I right? – Chuong Nguyen Aug 16 '22 at 17:42
  • 1
    @AshBlake Yes, if it was public, you could use redirect rule. – Marcin Aug 16 '22 at 23:50
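
One way to implement the scheduled Lambda suggested in the comments, as an added example that is not code from the original thread: it reads the private IPs of the interface endpoint's network interfaces and reconciles the ALB's IP target group against them. The function names, the two environment variable names, and port 443 are assumptions; it also assumes existing targets were registered on that same port.

```python
import os

def plan_target_changes(endpoint_ips, registered_ips):
    """Return (to_register, to_deregister) as sorted lists of IP strings."""
    current, registered = set(endpoint_ips), set(registered_ips)
    if not current:
        # A failed or empty lookup must never drain the whole target group.
        raise ValueError("no endpoint IPs found; refusing to deregister all targets")
    return sorted(current - registered), sorted(registered - current)

def endpoint_private_ips(ec2, endpoint_id):
    """Private IPs of the ENIs behind the execute-api interface endpoint."""
    endpoint = ec2.describe_vpc_endpoints(VpcEndpointIds=[endpoint_id])["VpcEndpoints"][0]
    enis = ec2.describe_network_interfaces(
        NetworkInterfaceIds=endpoint["NetworkInterfaceIds"])["NetworkInterfaces"]
    return [eni["PrivateIpAddress"] for eni in enis]

def registered_target_ips(elbv2, target_group_arn):
    """IPs currently registered, ignoring targets that are already draining."""
    health = elbv2.describe_target_health(
        TargetGroupArn=target_group_arn)["TargetHealthDescriptions"]
    return [d["Target"]["Id"] for d in health if d["TargetHealth"]["State"] != "draining"]

def reconcile(ec2, elbv2, endpoint_id, target_group_arn, port=443):
    """Register new endpoint IPs first, then deregister stale ones."""
    to_add, to_remove = plan_target_changes(
        endpoint_private_ips(ec2, endpoint_id),
        registered_target_ips(elbv2, target_group_arn))
    if to_add:
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": ip, "Port": port} for ip in to_add])
    if to_remove:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": ip, "Port": port} for ip in to_remove])
    return {"registered": to_add, "deregistered": to_remove}

def handler(event, context):
    """Scheduled Lambda entry point; the two environment variable names are assumptions."""
    import boto3  # available in the Lambda Python runtime
    return reconcile(boto3.client("ec2"), boto3.client("elbv2"),
                     os.environ["VPC_ENDPOINT_ID"], os.environ["TARGET_GROUP_ARN"])
```

The function's role needs only `ec2:DescribeVpcEndpoints`, `ec2:DescribeNetworkInterfaces`, `elasticloadbalancing:DescribeTargetHealth`, `elasticloadbalancing:RegisterTargets` and `elasticloadbalancing:DeregisterTargets`, with the register and deregister actions scoped to the one target group ARN.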