I have a public API Gateway REST API that I need to connect to an internal NLB/ALB. All communications must be SSL for compliance reasons.
The current configuration is that API Gateway uses SSL for incoming connections, then proxies via VPC Link to a non-SSL private AWS Network Load Balancer, which in turn connects to an Application Load Balancer.
- Note: API Gateway REST APIs cannot use VPCLink to connect to an ALB directly, so it must connect to a NLB pointing to the ALB. HTTP APIs permit a direct connection.
GET https:///sample/api
API Gateway proxy integration (VPC Link) to NLB in a private VPC subnet
NLB Routes to a single ALB
ALB routes to the appropriate back-end server based on the characteristics of the request.
According to the API Gateway documentation, it will only permit the use of SSL certificates using a supported CA
What are my possible solutions here? I want to avoid having to get a public certificate for a private resource.
Thus far I’ve tried:
I’ve set up the ALB with a private certificate using with an internal CA.
API Gateway will not connect through to the back-end because it does not recognize the internal CA.
2
Answers
Given your requirements and the limitations of API Gateway, there are a couple of potential solutions to connect your public API Gateway REST API to an internal NLB/ALB using SSL without having to obtain a public certificate for the private resource.
Use ACM Private CA:
Amazon Certificate Manager (ACM) Private Certificate Authority allows you to create and manage a private CA that can issue private certificates for internal resources. With this approach, you can use ACM Private CA to generate SSL certificates for your internal NLB and ALB. API Gateway should recognize certificates issued by ACM Private CA, even if they are not from a public CA.
Follow these steps:
internal NLB and ALB using that private CA.
Private CA. Use the NLB endpoint as the target for your API
Gateway’s VPC Link.
the requests to the backend servers.
This way, you can maintain SSL encryption between API Gateway and the internal NLB/ALB without relying on public certificates.
For a detailed explanation and examples – refer to these (ACM private CA, ACM + ELB AWS doc and Configure Elastic Load Balancing With SSL And AWS Certificate Manager For Bitnami Applications On AWS)
Hope it helps.
hi let me se if I got your question. you want to avoid the use of a public certificate on your NLB? I understand the use of SSL in all the communication process but I can tell you that forwarding from NLB to ALB is unnecessary. instead you can use the same certificate on your NLB that is actually using the ALB and remove the ALB from the stack. about the use of certificates ¿you are using AWS CAM right?