
AWS ECS Fargate invoke lambda via private API gateway in same subnet


Currently I have an AWS ECS Fargate "Service A" running in a subnet. (The subnet is public to allow incoming traffic from the public Internet, but I don't know if that is relevant.) Service A makes a connection within the same subnet to "Service B", another ECS Fargate service. Service A looks up Service B using its AWS Service Connect name.

Even though Service B is in a public subnet, there is no way for any client on the public Internet to even attempt to call it, that I know of, as it exposes no public URL.

Service B is simple and I would like to replace it with a lambda. I'm reading that I might want to put an API gateway in front of the lambda so as to provide it with a general interface and not expose the lambda interface, even if this is a private service. Therefore I would be replacing Service B with an API gateway that calls a lambda.

However, it's not clear to me from reading the documentation how to create an API gateway within a subnet without exposing a public URL. Perhaps some of the difficulty is that AWS API Gateway provides different options with special names that aren't always self-explanatory.

What sort of AWS API Gateway (backed by a private lambda) can I create that an ECS Fargate service could call from within the same subnet, without exposing a public URL for the API Gateway?

Someone pointed me to Creating a private API in Amazon API Gateway, and that's part of the documentation I was referring to when I said "it's not clear to me". That document says I'm required to create a VPC Endpoint (which has extra cost involved, etc.). However, currently my ECS Fargate services described above can talk to each other without creating a VPC endpoint. My Service B provides a RESTful API, but doesn't need a VPC Endpoint for Service A to call it. If I replace Service B with an API Gateway and a lambda, will that require that I create a VPC Endpoint that I didn't need before?

Furthermore, doesn't the VPC endpoint create a full URL endpoint? Is this URL endpoint routable from the public Internet, or is it only accessible within the VPC? Maybe someone could provide a simplifying summary.


Solution

  • Your scenario is simple enough that you don't need an API Gateway to call your private Lambda function.

    If you want to use an API Gateway, you will unfortunately need a VPC Endpoint.
    This is different from your current Fargate-to-Fargate interaction: in the latter case, services like ECS, EC2, Lambda with VPC enabled, RDS, etc., are deployed within your VPC; however, the API Gateway, even in a private configuration, is deployed elsewhere in AWS's infrastructure.
    The difference between a public and private API Gateway lies in their accessibility:

    • a public API Gateway is exposed to the internet
    • a private one is only reachable via a specific VPC Endpoint (and therefore a specific VPC) through PrivateLink.

    This is evident in the architectural diagram provided in the documentation for the private API Gateway:

    [Figure: architecture diagram of a private API Gateway, from the AWS documentation]

    As you can see, the VPC and the environment where the API Gateway is deployed are two distinct spaces in the cloud, and they can communicate with each other only through the VPC Endpoint.
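The following Terraform is an added example of the setup the answer describes (a PRIVATE REST API reachable only through an execute-api interface VPC endpoint); it is not code from the question, the answer or AWS. The variable names (`var.vpc_id`, `var.region`, `var.subnet_ids`, `var.service_a_sg_id`) and the API name are assumptions.

```hcl
# Added example. Assumed inputs: var.vpc_id, var.region, var.subnet_ids
# (the Fargate subnets) and var.service_a_sg_id (Service A's task SG).

# The interface VPC endpoint for execute-api is the only way into a private
# API Gateway (PrivateLink). With private DNS on, the usual
# https://<api-id>.execute-api.<region>.amazonaws.com hostname resolves, from
# inside this VPC, to the endpoint's private ENI addresses, not a public IP.
resource "aws_security_group" "execute_api_endpoint" {
  name   = "execute-api-endpoint"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.service_a_sg_id] # only Service A's tasks may connect
  }
}

resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.execute_api_endpoint.id]
  private_dns_enabled = true
}

# The REST API is created as PRIVATE and associated with that endpoint.
resource "aws_api_gateway_rest_api" "service_b" {
  name = "service-b"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
}

# A private API cannot be deployed without a resource policy. This one allows
# invocation only for requests arriving through our own endpoint, so another
# VPC's endpoint (or anything outside AWS) is denied even if it knows the URL.
resource "aws_api_gateway_rest_api_policy" "service_b" {
  rest_api_id = aws_api_gateway_rest_api.service_b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "execute-api:Invoke"
      Resource  = "${aws_api_gateway_rest_api.service_b.execution_arn}/*"
      Condition = { StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } }
    }]
  })
}
```

Enabling private DNS on the endpoint also makes execute-api hostnames of public APIs resolve to the endpoint from inside this VPC, so callers there can no longer reach public API Gateway APIs by their default URL; leave it disabled and use the endpoint-specific hostname if that matters.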