How does API Gateway talk to the Firehose VPC endpoint

Submitted by 谁都会走 on 2021-01-28 19:43:02

Question


Using Amazon Kinesis Data Firehose with AWS PrivateLink says that a Firehose VPC endpoint keeps the traffic between the VPC and Firehose within AWS.

You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Kinesis Data Firehose from leaving the Amazon network.

When API Gateway invokes the PutRecord API of Firehose via the AWS integration, does the traffic go through the Firehose VPC endpoint, or does it go to the Internet?

Updates

The Introducing Amazon API Gateway Private Endpoints post shows a diagram where EC2 and Lambda are in a VPC. "All publicly available endpoints" go to the Internet, and I am not sure whether API Gateway recognizes that a Firehose private endpoint exists and routes the traffic there.
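One check a practitioner can run to settle the question for a given host, as an added example that is not part of the original question or answer: an interface VPC endpoint for Firehose with private DNS enabled changes how the public hostname firehose.<region>.amazonaws.com resolves for hosts inside that VPC, so resolving the name on the host that makes the PutRecord call and comparing the answers with the VPC's CIDR blocks shows whether the call stays inside the VPC or leaves through an Internet or NAT gateway. That tells you about traffic originating in your VPC; it says nothing about what the API Gateway service itself does for an AWS integration, which runs outside your VPC. All addresses and CIDRs below are constructed sample data.

```python
"""Which path does Firehose traffic from a VPC host take?

Added example; not part of the original question or answer. Resolve the
regional Firehose hostname on the calling host and classify the answers
against the VPC's CIDR blocks. Addresses and CIDRs are constructed samples.
"""
import ipaddress
import socket

# Constructed lookup results: the first is what a host in a 10.0.0.0/16 VPC with
# a private-DNS Firehose endpoint would see, the second a host without one.
SAMPLE_LOOKUPS = {
    "firehose.us-east-1.amazonaws.com": ["10.0.1.23", "10.0.2.41"],
    "firehose.eu-west-1.amazonaws.com": ["198.51.100.7"],
}


def resolve(hostname):
    """Live DNS lookup: unique addresses the host would connect to on port 443."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_path(addresses, vpc_cidrs):
    """Classify resolved addresses against the VPC's CIDR blocks.

    'interface-endpoint': every answer is a VPC address (private-DNS endpoint in use)
    'public':             no answer is in the VPC (traffic leaves via IGW/NAT)
    'mixed':              some in, some out (inconsistent resolver configuration)
    'unresolved':         the lookup returned nothing
    """
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    if not addresses:
        return "unresolved"
    inside = sum(
        1 for addr in addresses
        if any(ipaddress.ip_address(addr) in net for net in networks)
    )
    if inside == len(addresses):
        return "interface-endpoint"
    if inside == 0:
        return "public"
    return "mixed"


def firehose_path(region, vpc_cidrs, resolver=resolve):
    """Resolve the regional Firehose hostname and classify the path.

    The resolver is injectable so the check can run offline against SAMPLE_LOOKUPS.
    """
    hostname = f"firehose.{region}.amazonaws.com"
    addresses = resolver(hostname)
    return hostname, addresses, classify_path(addresses, vpc_cidrs)


if __name__ == "__main__":
    offline = SAMPLE_LOOKUPS.__getitem__
    for region in ("us-east-1", "eu-west-1"):
        host, addrs, verdict = firehose_path(region, ["10.0.0.0/16"], resolver=offline)
        print(f"{host}: {addrs} -> {verdict}")
```

Run it with the default live resolver from an instance in the VPC in question (the VPC's CIDRs come from describe-vpcs). A "public" verdict on a host that is supposed to use the endpoint usually means private DNS is disabled on the endpoint or the instance is not using the VPC's resolver; VPC Flow Logs on the endpoint's ENIs confirm the verdict from the other side.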


Answer 1:


The example with DynamoDB and EC2 is about Gateway VPC Endpoints. For API Gateway, there is no Gateway VPC Endpoint. Instead there are Interface VPC Endpoints (AWS PrivateLink) and Gateway private integrations.

Before I begin, it needs to be mentioned that there are three API endpoint types. The choice of API Gateway endpoint type has important consequences when working with a VPC.

Interface VPC Endpoint for API Gateway

It allows e.g. EC2 instances in private and public subnets to access your API Gateway using the AWS internal network, without going over the Internet. For this to work, the API Gateway endpoint must be configured as private.

In this case API Gateway works with Kinesis as usual. No need to do anything except set up the AWS integration for it. For instance, a private EC2 instance (in a private subnet) will be able to access the private API Gateway endpoint through the interface VPC endpoint, and subsequently access Kinesis:

Private EC2 instance -> Interface VPC Endpoint for API Gateway -> API Gateway (private) -> Kinesis

An important thing to know here is that once you create an Interface VPC Endpoint for API Gateway in your VPC, you will not be able to connect to a regional or edge-optimized API Gateway, even from a public subnet. Only a private API Gateway will be accessible from inside the VPC when the interface endpoint is present.

Gateway private integration

This allows your public (i.e. regional or edge-optimized) API Gateway to access a private EC2 instance in a private subnet. This is done by creating an (e.g. internal) NLB in your VPC, which you connect to a VPC Link, which in turn you associate with an API method in the API Gateway.

VPC Link works at the method level, thus your public API can have one method (e.g. /private) to access the private EC2 instance through the VPCLink, and a second method (e.g. /kinesis) to access Kinesis as usual using the AWS integration.

Accessing private EC2 instance looks as follows:

API Gateway (/private method) -> VPCLink -> NLB -> private EC2 instance.

Accessing Kinesis:

API Gateway (/kinesis) -> Kinesis (through AWS integration)

You can also have your private EC2 instance communicate with Kinesis. In this case you need a VPC Interface Endpoint for Kinesis if you are not using a NAT gateway:

API Gateway (/private) -> VPCLink -> NLB -> private EC2 instance -> Interface VPC Endpoint for Kinesis -> Kinesis (AWS integration)

Hope this clarifies how API Gateway and Kinesis can interact.

p.s. AWS's convention of naming different things in similar ways causes a lot of headaches.
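The two method integrations the answer describes, /kinesis through the AWS integration and /private through a VPC Link, as an added example that is not code from the original answer. It assembles the parameter dictionaries and policies you would hand to the API Gateway and IAM APIs (put-integration, the REST API's resource policy, create-role/put-role-policy): the Firehose PutRecord action URI with a mapping template that base64-encodes the client body, the VPC_LINK integration pointing at an internal NLB, a least-privilege role for API Gateway to assume, and the resource policy that restricts a PRIVATE endpoint-type API to one interface VPC endpoint. The region, account ID, stream name, role name, VPC Link ID, NLB DNS name and vpce ID are constructed placeholders.

```python
"""Assemble the /kinesis and /private integrations from the answer above.

Added example; not code from the original answer. Builds the put-integration
parameters, IAM policies and API resource policy for the two routes. Region,
account, stream, VPC Link, NLB and vpce identifiers are constructed placeholders.
"""
import json


def firehose_put_record_integration(region, role_arn, stream_name):
    """put-integration parameters for a non-proxy AWS integration.

    API Gateway signs the Firehose request with role_arn; the mapping template
    turns the client's body into the base64 Record payload PutRecord expects.
    """
    template = json.dumps({
        "DeliveryStreamName": stream_name,
        "Record": {"Data": "$util.base64Encode($input.body)"},
    })
    return {
        "type": "AWS",
        "integrationHttpMethod": "POST",
        "uri": f"arn:aws:apigateway:{region}:firehose:action/PutRecord",
        "credentials": role_arn,
        "requestParameters": {
            "integration.request.header.Content-Type": "'application/x-amz-json-1.1'",
        },
        "requestTemplates": {"application/json": template},
        "passthroughBehavior": "NEVER",  # reject content types with no template
    }


def vpc_link_integration(vpc_link_id, nlb_dns_name, path="/"):
    """put-integration parameters for a private integration through a VPC Link
    to an internal NLB (the /private -> VPCLink -> NLB -> EC2 path)."""
    return {
        "type": "HTTP_PROXY",
        "integrationHttpMethod": "ANY",
        "connectionType": "VPC_LINK",
        "connectionId": vpc_link_id,
        "uri": f"http://{nlb_dns_name}{path}",
    }


def integration_role_policies(region, account_id, stream_name):
    """(trust policy, permission policy) for the role API Gateway assumes:
    only firehose:PutRecord, only on the one delivery stream."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "firehose:PutRecord",
            "Resource": f"arn:aws:firehose:{region}:{account_id}:deliverystream/{stream_name}",
        }],
    }
    return trust, permissions


def private_api_resource_policy(vpce_ids):
    """Resource policy for a PRIVATE API: deny any caller that did not arrive
    through one of the listed interface endpoints, then allow the rest."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": "execute-api:/*",
             "Condition": {"StringNotEquals": {"aws:SourceVpce": list(vpce_ids)}}},
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": "execute-api:/*"},
        ],
    }


def allowed_actions(policy):
    """Set of actions a policy's Allow statements grant; check this before
    attaching to confirm nothing beyond the intended action is granted."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        value = stmt["Action"]
        actions.update([value] if isinstance(value, str) else value)
    return actions


if __name__ == "__main__":
    region, account = "us-east-1", "123456789012"
    role_arn = f"arn:aws:iam::{account}:role/apigw-firehose-putrecord"
    print(json.dumps(firehose_put_record_integration(region, role_arn, "clickstream"), indent=2))
    print(json.dumps(vpc_link_integration("abc123", "internal-nlb.elb.us-east-1.amazonaws.com"), indent=2))
    _, perms = integration_role_policies(region, account, "clickstream")
    print(sorted(allowed_actions(perms)))
    print(json.dumps(private_api_resource_policy(["vpce-0a1b2c3d"]), indent=2))
```

The Deny-then-Allow shape of the resource policy is what keeps a private API reachable only through the named endpoint even if a second interface endpoint for API Gateway later appears in another VPC; the role's permission policy names one delivery stream so a compromised mapping template cannot be redirected to another stream in the account.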



Source: https://stackoverflow.com/questions/60769970/how-api-gateway-talk-to-firehose-vpc-endpoint
