Question
"Using Amazon Kinesis Data Firehose with AWS PrivateLink" says that a Firehose VPC endpoint keeps the traffic between the VPC and Firehose within AWS.
You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Kinesis Data Firehose from leaving the Amazon network.
When API Gateway invokes the PutRecord API of Firehose via the AWS integration, does the traffic go through the Firehose VPC endpoint, or does it go out to the Internet?
Updates
The "Introducing Amazon API Gateway Private Endpoints" post shows a diagram where EC2 and Lambda are in a VPC. "All publicly available endpoints" go to the Internet, and I am not sure whether API Gateway recognizes that a Firehose private endpoint exists and routes the traffic there.
Answer 1:
The example with DynamoDB and EC2 is about Gateway VPC Endpoints. For API Gateway, there is no Gateway VPC Endpoint. Instead there are Interface VPC Endpoints (AWS PrivateLink) and Gateway private integrations.
Before I begin, it needs to be mentioned that there are three API endpoint types. The choice of API Gateway endpoint type has important consequences when working with a VPC.
Interface VPC Endpoint for API Gateway
It allows e.g. an EC2 instance in a private or public subnet to access your API Gateway using the AWS internal network, without going over the Internet. For this to work the API Gateway endpoint must be configured as private.
In this case API Gateway works with Kinesis as usual. There is no need to do anything except set up the AWS integration for it.
For instance, a private EC2 instance (in a private subnet) will be able to access the private API Gateway endpoint through the interface VPC endpoint, and subsequently access Kinesis:
Private EC2 instance -> Interface VPC Endpoint for API Gateway -> API Gateway (private) -> Kinesis
An important thing to know here is that once you create an Interface VPC Endpoint for API Gateway in your VPC, you will not be able to connect to a regional or edge-optimized API Gateway, even in a public subnet. Only a private API Gateway will be accessible from inside the VPC when the interface endpoint is present.
Gateway private integration
This allows your public (i.e. regional or edge-optimized) API Gateway to access a private EC2 instance in a private subnet.
This is done by creating an (e.g. internal) NLB in your VPC, which you connect to a VPC Link, which in turn you associate with an API method in the API Gateway.
A VPC Link works at the method level, thus your public API can have one method (e.g. /private) to access the private EC2 instance through the VPC Link, and a second method (e.g. /kinesis) to access Kinesis as usual using the AWS integration.
Accessing the private EC2 instance looks as follows:
API Gateway (/private method) -> VPCLink -> NLB -> private EC2 instance.
Accessing Kinesis:
API Gateway (/kinesis) -> Kinesis (through AWS integration)
You can also have your private EC2 instance communicate with Kinesis. In this case you need a VPC Interface Endpoint for Kinesis if you are not using a NAT gateway:
API Gateway (/private) -> VPCLink -> NLB -> private EC2 instance -> Interface VPC Endpoint for Kinesis -> Kinesis (AWS integration)
Hope this clarifies how API Gateway and Kinesis can interact.
P.S. AWS's convention of naming different things in similar ways causes a lot of headaches.
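As an added example that is not part of the original question or answer: the three pieces the answer describes (a private endpoint-type API pinned to its interface VPC endpoint, an AWS integration to Firehose PutRecord, and a VPC Link integration to an internal NLB), expressed as the parameter objects you would hand to boto3's create_rest_api / put_integration, together with a small policy evaluator that shows why the private API can only be invoked through the endpoint. Nothing is sent to AWS; the region, account ID, VPC endpoint ID, VPC Link ID, NLB hostname and role ARN are made-up placeholders.

```python
import json
from typing import Any, Dict

# Constructed placeholders for this example; substitute your own values.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
VPCE_ID = "vpce-0123456789abcdef0"      # interface endpoint for execute-api
VPC_LINK_ID = "vl1234"                  # VPC Link in front of the internal NLB
NLB_DNS = "internal-my-nlb-123.elb.us-east-1.amazonaws.com"
FIREHOSE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/apigw-firehose-putrecord"


def private_api_resource_policy(vpce_id: str) -> Dict[str, Any]:
    """Resource policy for a PRIVATE endpoint-type API.

    Pattern from the API Gateway docs: an explicit Deny for any request that
    did not arrive through the named interface endpoint (aws:SourceVpce),
    followed by a blanket Allow.  An explicit Deny always wins in IAM
    evaluation, so only traffic entering via that endpoint can invoke the API.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
            },
        ],
    }


def private_rest_api_params(vpce_id: str) -> Dict[str, Any]:
    """Keyword arguments for create_rest_api: private endpoint type, associated
    with the interface endpoint, and locked down by the resource policy."""
    return {
        "endpointConfiguration": {"types": ["PRIVATE"], "vpcEndpointIds": [vpce_id]},
        "policy": json.dumps(private_api_resource_policy(vpce_id)),
    }


def firehose_put_record_integration(region: str, role_arn: str) -> Dict[str, Any]:
    """AWS-type integration for POST /kinesis -> Firehose PutRecord.

    API Gateway itself signs and sends the PutRecord call with `role_arn`.
    That hop is made from the service side, not from inside your VPC, so a
    Firehose interface endpoint in your VPC plays no part in it.
    """
    mapping = {
        "DeliveryStreamName": "$input.path('$.stream')",
        "Record": {"Data": "$util.base64Encode($input.json('$.data'))"},
    }
    return {
        "type": "AWS",
        "integrationHttpMethod": "POST",
        "uri": f"arn:aws:apigateway:{region}:firehose:action/PutRecord",
        "credentials": role_arn,
        "requestTemplates": {"application/json": json.dumps(mapping)},
    }


def vpc_link_integration(vpc_link_id: str, nlb_dns: str) -> Dict[str, Any]:
    """HTTP_PROXY integration for ANY /private/{proxy+} -> VPC Link -> NLB."""
    return {
        "type": "HTTP_PROXY",
        "integrationHttpMethod": "ANY",
        "connectionType": "VPC_LINK",
        "connectionId": vpc_link_id,
        "uri": f"http://{nlb_dns}/{{proxy}}",
    }


def invoke_allowed(policy: Dict[str, Any], request_ctx: Dict[str, str]) -> bool:
    """Minimal evaluator for the statement shapes built above.

    Implements the rule that matters here: any matching Deny overrides every
    Allow.  Only StringEquals / StringNotEquals are handled.  A request that
    did not come through any endpoint has no aws:SourceVpce key at all, and
    a negated operator on a missing key evaluates to true, so the Deny fires.
    """
    def matches(stmt: Dict[str, Any]) -> bool:
        for op, kv in stmt.get("Condition", {}).items():
            for key, want in kv.items():
                have = request_ctx.get(key)
                if op == "StringEquals" and have != want:
                    return False
                if op == "StringNotEquals" and have == want:
                    return False
        return True

    statements = policy["Statement"]
    if any(s["Effect"] == "Deny" and matches(s) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in statements)


if __name__ == "__main__":
    policy = private_api_resource_policy(VPCE_ID)
    print("via own endpoint:", invoke_allowed(policy, {"aws:SourceVpce": VPCE_ID}))
    print("via other endpoint:", invoke_allowed(policy, {"aws:SourceVpce": "vpce-0fffffffffffffff0"}))
    print("from Internet:", invoke_allowed(policy, {}))
    print(json.dumps(firehose_put_record_integration(REGION, FIREHOSE_ROLE_ARN), indent=2))
```

The evaluator is deliberately tiny: it exists to make the answer's point concrete, that with the Deny-unless-aws:SourceVpce policy a private API is invocable only from the VPC hosting the endpoint, while the Firehose hop from API Gateway is an AWS integration executed by the service using the role in `credentials`, and a NAT gateway or Firehose endpoint in your VPC is only relevant once something inside the VPC (the EC2 instance behind the VPC Link) calls Firehose itself.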
Source: https://stackoverflow.com/questions/60769970/how-api-gateway-talk-to-firehose-vpc-endpoint