Expose And Access Private API in Amazon API-Gateway
In Amazon API-Gateway, you can expose private APIs that are reachable only from within your defined VPC. Such APIs are reached through VPC Endpoints. You need this when you want to access a private API on the cloud from the same account or from a different one.
If you look at the diagram below, EC2 instances are placed in both a private and a public network. The private EC2 instance is trying to access API 2 (API Gateway), which is also private. There is no inbound public call towards API 2.
To create a private endpoint we will go through the following topics:
- Create VPC Endpoint.
- Expose Private API.
- Define API Resource Policy.
- Invoke the Private API within the VPC network.
This is going to be interesting.
1. Create VPC Endpoint.
VPC Endpoints enable private connections between your VPC and supported AWS services. They use PrivateLink, which means the service is reached over private IP addresses. The endpoint is a mediator for your private resources. A VPC Endpoint is also needed to reach AWS services privately, because by default AWS service calls are routed over the internet.
Let’s see how you can create a VPC Endpoint. Before creating one, please make sure that you have created a VPC in your AWS account that has private subnets and a security group. Define the security group based on your application needs.
- Go to the AWS console, search for VPC Endpoint and click Create Endpoint.
- After clicking, select AWS Service and search for this service name: com.amazonaws.ap-south-1.execute-api. This says we need an endpoint for executing APIs from API-Gateway. Then select your VPC and your private subnets, and enable the DNS hostname option.
- Select a security group to associate with your endpoint network interface and define your endpoint policy. You can also define a custom endpoint policy to restrict access. Follow this link to learn more about endpoint policies: Endpoint Policy DOC. By default, AWS allows full access. For this demo we give the endpoint full access.
After that, click the Create Endpoint button. We have finished stage 1. Wait a while for the endpoint to be created. After creation, you will get an Endpoint Id. Note it down, as it is used in the following steps. Let’s go to the 2nd stage.
2. Expose Private API.
For this, we will expose an API that triggers a Lambda function. I have already created a Lambda function in the same VPC, in the private subnets, with the same security group that I defined for the VPC Endpoint. If you are new to this, please follow this link: Lambda Doc
Follow the steps below to expose the private API.
- Go to Amazon API Gateway from the console. Choose REST API and select New API. In the settings, give the API a name. As Endpoint Type select Private. For Endpoint Id, pass the Endpoint Id you received while creating the VPC Endpoint. Once all selections are correct, click Create API.
- Create a resource by clicking the Actions button. After creating the resource, select it and define your method type. I defined GET; you can define whatever you need. Then select Lambda Function as the integration type, select your Lambda function and save.
We have completed stage 2. Now we will define the resource policy in stage 3.
3. Define custom policy for API Gateway.
This is an amazing feature of AWS. It allows us to define a custom policy. With it, we can allow/deny access to the API for multiple AWS accounts. For example, we can define only the GET method for user X, or allow/deny the POST method for AWS Account 444230012. You can follow this link to learn more about policies: API-Gateway Resource Policy Doc.
I am attaching the custom policy for this API-Gateway. You can use this resource policy as is, or you can customize it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "*"
        }
    ]
}
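The policy above lets any principal invoke every route; the Private endpoint type alone keeps it off the internet. As an added example (not from the original post), the Node.js snippet below builds a stricter resource policy that denies any call not arriving through the VPC Endpoint from stage 1 and denies POST for the account mentioned above. The account id and Endpoint Id are placeholders; the API id, region and stage are the post's own.

```javascript
// Added example (not from the post): a stricter resource policy than the
// allow-everything one above. Statement 2 denies any call that did not arrive
// through the VPC endpoint from stage 1; statement 3 denies POST for one account.
const ACCOUNT_ID = '111111111111';         // placeholder: the API owner's account id
const VPCE_ID = 'vpce-0123456789abcdef0';  // placeholder: Endpoint Id noted in stage 1

// execute-api ARN layout: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
function executeApiArn({ region, accountId, apiId, stage = '*', method = '*', path = '*' }) {
  return `arn:aws:execute-api:${region}:${accountId}:${apiId}/${stage}/${method}/${path}`;
}

function buildResourcePolicy({ region, accountId, apiId, vpceId, deniedPostAccount }) {
  const anyRoute = executeApiArn({ region, accountId, apiId });
  return {
    Version: '2012-10-17',
    Statement: [
      // 1. Allow Invoke on every stage/method/path of this API.
      { Effect: 'Allow', Principal: '*', Action: 'execute-api:Invoke', Resource: anyRoute },
      // 2. Explicit deny wins over the allow: reject traffic from any other VPC endpoint.
      {
        Effect: 'Deny', Principal: '*', Action: 'execute-api:Invoke', Resource: anyRoute,
        Condition: { StringNotEquals: { 'aws:SourceVpce': vpceId } },
      },
      // 3. Deny POST to the account from the post's example. An account principal only
      //    matches SigV4-signed requests, so this needs IAM authorization on the method.
      {
        Effect: 'Deny',
        Principal: { AWS: `arn:aws:iam::${deniedPostAccount}:root` },
        Action: 'execute-api:Invoke',
        Resource: executeApiArn({ region, accountId, apiId, method: 'POST' }),
      },
    ],
  };
}

// The JSON to paste into the API Gateway "Resource Policy" editor.
function renderPolicy(opts) {
  return JSON.stringify(buildResourcePolicy(opts), null, 2);
}

const demoPolicy = {
  region: 'ap-south-1', accountId: ACCOUNT_ID, apiId: '42lro0aj6l',
  vpceId: VPCE_ID, deniedPostAccount: '444230012',  // account id as written in the post
};
console.log(renderPolicy(demoPolicy));
module.exports = { executeApiArn, buildResourcePolicy, renderPolicy, demoPolicy };
```

A call that reaches the API through any other endpoint gets a 403 from statement 2, which is what you want to see when testing from outside the intended VPC.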
For deployment, click the Actions button and define the stage name. After this, you will get your API endpoint.
After deployment, you will get a URL like: https://42lro0aj6l.execute-api.ap-south-1.amazonaws.com/dev.
This URL has the following structure: <protocol>://<API-Gateway ID>.<operation>.<REGION>.amazonaws.com/<ENV_NAME>.
To get your resource endpoint, just append your resource name after your environment name.
For me, it looks like https://42lro0aj6l.execute-api.ap-south-1.amazonaws.com/dev/call-me.
4. Invoke private API.
Now we have set up everything on the API-Gateway side. Next we invoke this Lambda function from another Lambda function.
Create a Lambda function with the same VPC, subnets and security group. I am using the Node.js Axios library to invoke the function. You can use any language to invoke the API. You can clone this repo, where I wrote some sample code that calls the API through the Axios library.
Code Repo Link: https://github.com/priyank333/Private_API_Demo.git
You can see the screenshot below. I am getting a message from my private Lambda function.
Conclusion:
Use a private VPC endpoint and API-Gateway when, for the security of your application, you don’t want your calls to be wired through the internet. The VPC endpoint is required because its job is to keep calls internal to the VPC, subnets and security groups, and API-Gateway makes sure the API can’t be accessed from the internet.
I hope this helps you understand private APIs in AWS. For more information you can go to the AWS Doc site.