Support VPC - Link #5025
Comments
|
This is a duplication of #5052, closing. |
|
A vpc-link is not the same thing as a Private API Gateway. A Private API gateway is in a VPC and is not publicly accessible, it is only accessible from within its VPC. "This allows me to run an API gateway that only I can hit." vs A Public API Gateway using a VPC-link to access resources within a private VPC. Amazon API Gateway Supports Endpoint Integrations with Private VPCs "This allows me to run an EC2 instances within a VPC that only my public API Gateway can hit" |
|
correct me if I'm wrong but #5080 implements a Private API Gateway only. not a public API Gateway that access private resources within a VPC via a VPC-Link? |
|
@jamesleech I tend to agree with you. I would like to be able to define API endpoints that use VPC-Link via serverless |
|
A lot of stuff to do for a PR ... It's EOD for me -- I'm lazy. So, in the meantime, here's the solution: Within this block: Add this if (http.connectionType && http.connectionType == 'vpc-link') {
_.assign(integration, {
ConnectionType: 'VPC_LINK',
ConnectionId: http.connectionId
});
}Your new block should look like: } else if (type === 'HTTP' || type === 'HTTP_PROXY') {
_.assign(integration, {
Uri: http.request && http.request.uri,
IntegrationHttpMethod: _.toUpper((http.request && http.request.method) || http.method),
});
if (http.connectionType && http.connectionType == 'vpc-link') {
_.assign(integration, {
ConnectionType: 'VPC_LINK',
ConnectionId: http.connectionId
});
}You can find the file locally on your computer at: I seriously just edited my local file and got it functional. Here's the new YAML configuration for it. Within your function events: - http:
path: v1/gpcentre
method: get
integration: http-proxy
connectionType: vpc-link
connectionId: "{your-vpc-id}"
cors: true
request:
uri: http://www.gpcentre.net/
method: getAdd the two new keys: I noticed Serverless does a conversion of I hope this gets some people unstuck on an almost 1 year old request. It'll probably take a few hours or more to build all the added requirements around making a PRs. 😂 |
|
@guice Wondering if you can publish it as a plugin. :) I wonder if there is a plan to support it as part of framework itself? |
|
@imsatyam That would be a question for @horike37. I don't believe it would make sense to pull this into a plugin since its a baseline feature of API Gateway. @guice; amazing work. If I have time this week I might submit a PR. I'll ping you if I can get it together for a review. My team ended up writing raw Cloud Formation to get this implementation working. |
|
@guice , @brendanfmartin - I spent some time today to create the PR. Please review. |
|
Do we have plan to merge @imsatyam PR? Does it solve the feature of adding support for VPC-Link? |
|
Thank @imsatyam, you're functionality works perfectly in your PR! We have a use case where we're migrating away from Lambdas to Fargate, but still want to use the serverless framework for managing CloudFormation. We also still want to use the authorization logic inside API gateway. We're using the same serverless.yaml to spin up a new API gateway, however, it doesn't look like serverless supports doing this without uploading Lambdas. Do you think there's a use case for using the serverless framework to manage the deployment API gateway's with VPC linked methods without uploading any Lambdas? Is it worth putting this in a new issue when merged for discussion? |
Add support for vpc link integration discussed as part of #5025
For feature proposals:
This feature makes it possible to restrict access to api-gateway and make the solution only internally available.
https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/?nc1=h_ls
Advantage: Security Enhancement
-> no public access
-> internal microservices not accessible
-> internal enterprise solutions possible - no webapplication firewall needed -> lower costs and less senseless work
The text was updated successfully, but these errors were encountered: