{"id":57069,"date":"2023-04-13T12:44:09","date_gmt":"2023-04-13T07:14:09","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=57069"},"modified":"2023-04-14T13:21:41","modified_gmt":"2023-04-14T07:51:41","slug":"connect-aws-api-gateway-from-another-aws-account-on-a-private-communication-channel","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/connect-aws-api-gateway-from-another-aws-account-on-a-private-communication-channel\/","title":{"rendered":"Connect AWS API Gateway from another AWS account on a private communication channel"},"content":{"rendered":"<h2><b>What is an API and API Gateway<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Amazon API Gateway is a service that you can use to create application programming interfaces (APIs). Those are essentially the front door to your business logic or your applications on AWS. With the rapid increase in the use of mobile devices and the rise of the Internet of Things (IoT), most backend systems and data are now accessible to applications via APIs. To make it easy for you to use these APIs, API Gateway can generate client SDKs for a number of languages, including JavaScript, iOS, and Android. Using API Gateway, you can quickly and easily create a custom API for your application code and then call a Lambda function from your API. Using the API Gateway console, you can create your REST API and its associated resources and methods, manage your API lifecycle, generate your client SDKs, and view API metrics.<\/span><\/p>\n<h1><b>Benefits of API Gateway on a private network<\/b><\/h1>\n<p><span style=\"font-weight: 400;\">Amazon API Gateway is used to build RESTful and HTTP APIs. If the use of those APIs is limited to internal clients, customers prefer private APIs, because private APIs provide a secure means to invoke APIs via an interface VPC endpoint. 
API Gateway private integration makes it simple to expose your HTTP\/HTTPS resources behind an Amazon VPC, for access by clients outside of the VPC. AWS provides security controls at several layers to secure an API Gateway private integration. VPC resources such as the elastic network interfaces (ENIs) and other associated resources can be secured with a security group. Additionally, resource policies can be applied to VPC endpoints to restrict access further.<\/span><\/p>\n<h2><b>Solution<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">A VPC endpoint can be used to access an API Gateway API in another AWS account over a private network. The implementation steps are shown below.<\/span><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-57068 size-large\" src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect-1024x442.png\" alt=\"\" width=\"625\" height=\"270\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect-1024x442.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect-300x130.png 300w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect-768x332.png 768w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect-1536x664.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect-624x270.png 624w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/Architect.png 1560w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/p>\n<h2><b>Implementation Steps<\/b><\/h2>\n<ul>\n<li><b>Create a VPC endpoint in an Amazon Virtual Private Cloud (Amazon VPC) in the first account (account A).<\/b><\/li>\n<\/ul>\n<ol>\n<li><span style=\"font-weight: 400;\">Go to the VPC Management Console.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">In the navigation pane, choose Endpoints, then Create Endpoint.\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-medium wp-image-57062\" src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/1-1-300x94.png\" alt=\"\" width=\"300\" height=\"94\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/1-1-300x94.png 300w, 
\/blog\/wp-ttn-blog\/uploads\/2023\/04\/1-1.png 545w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Select AWS services for the service category.<br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Select com.amazonaws.&lt;region-name&gt;.execute-api for the service name.<br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">For the VPC field, choose the VPC that you want to create the endpoint in.<br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">For Subnets, choose the subnets (Availability Zones) in which to create the endpoint network interfaces. To achieve high availability for your API, choose multiple subnets.<br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Check the Enable DNS name option.<br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Select the security group to associate with the VPC endpoint network interfaces.<br \/>\n<\/span><b>Note: The selected security group must allow inbound HTTPS traffic on TCP port 443 from the required IP ranges.<\/b><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Select Full Access for the policy and finally click the Create endpoint button.\n<p><\/span><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-57063 size-full\" src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/2-1.png\" alt=\"\" width=\"774\" height=\"805\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/2-1.png 774w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/2-1-288x300.png 288w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/2-1-768x799.png 768w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/2-1-624x649.png 624w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/2-1-24x24.png 24w\" sizes=\"(max-width: 774px) 100vw, 774px\" \/><br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-57064 size-full\" 
src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/3.png\" alt=\"\" width=\"780\" height=\"209\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/3.png 780w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/3-300x80.png 300w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/3-768x206.png 768w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/3-624x167.png 624w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Configure a rule in the security group that allows inbound HTTPS traffic on TCP port 443.<br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">After you choose Create endpoint, the VPC endpoint is created. Copy the VPC endpoint ID of your new interface endpoint (for example: vpce-1a2b3c456d7e89012). Then choose Close.\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-57065 size-large\" src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/4-1024x186.png\" alt=\"\" width=\"625\" height=\"114\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/4-1024x186.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/4-300x55.png 300w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/4-768x140.png 768w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/4-624x114.png 624w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/4.png 1297w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/p>\n<\/span><\/li>\n<\/ol>\n<ul>\n<li>\n<h2><b>Create an API Gateway API in a second account (account B).<\/b><\/h2>\n<\/li>\n<\/ul>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Go to the API Gateway console.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Choose Create API.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Under REST API, choose Build.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Enter a name in the API Name field.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">For 
Endpoint Type, choose Private.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Choose Create API.<\/span><\/li>\n<\/ol>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-57066 size-large\" src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/5-1024x178.png\" alt=\"\" width=\"625\" height=\"109\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/5-1024x178.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/5-300x52.png 300w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/5-768x133.png 768w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/5-624x108.png 624w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/5.png 1511w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-57067 size-large\" src=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/6-1024x575.png\" alt=\"\" width=\"625\" height=\"351\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2023\/04\/6-1024x575.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/6-300x168.png 300w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/6-768x431.png 768w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/6-624x350.png 624w, \/blog\/wp-ttn-blog\/uploads\/2023\/04\/6.png 1533w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/p>\n<ul>\n<li>\n<h2><b>Configure a resource policy for the API Gateway API to allow the VPC endpoint of account A.<\/b><\/h2>\n<\/li>\n<\/ul>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In the left navigation pane of the API Gateway console, under your API, choose Resource Policy.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">On the Resource Policy page, paste the resource policy below into the text box, replacing &lt;VPC-endpoint ID&gt; with the endpoint ID copied from account A. The Deny statement rejects every request that does not arrive through that endpoint, and the Allow statement permits invocation for requests that do:<\/span><\/li>\n<\/ol>\n<pre>{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Deny\",\n      \"Principal\": \"*\",\n      \"Action\": \"execute-api:Invoke\",\n      \"Resource\": \"execute-api:\/*\/*\/*\",\n      \"Condition\": {\n        \"StringNotEquals\": {\n          \"aws:sourceVpce\": \"&lt;VPC-endpoint ID&gt;\"\n        }\n      }\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": \"*\",\n      \"Action\": \"execute-api:Invoke\",\n      \"Resource\": \"execute-api:\/*\/*\/*\"\n    }\n  ]\n}<\/pre>\n<ul>\n<li style=\"font-weight: 400;\">\n<h2><span style=\"font-weight: 
400;\"><\/span><b>Set up a method for the private REST API<\/b><\/h2>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Please refer to <\/span><a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/how-to-method-settings.html\"><span style=\"font-weight: 400;\">Set up REST API methods in API Gateway<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<ul>\n<li>\n<h3><b>Deploy the private REST API<\/b><\/h3>\n<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Please refer to <\/span><a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/apigateway-private-apis.html#apigateway-private-api-deploy-using-console\"><span style=\"font-weight: 400;\">Deploy a private API using the API Gateway console<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<ul>\n<li>\n<h3><b>Test the private REST API from account A<\/b><\/h3>\n<\/li>\n<\/ul>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In account A, launch an Amazon Elastic Compute Cloud (Amazon EC2) instance in the same Amazon VPC as your interface endpoint.<br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Connect to the Amazon EC2 instance.<br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">From the command line of your Amazon EC2 instance, use the following curl command to call the private REST API in account B. Because private DNS was enabled on the endpoint, the API's default execute-api hostname resolves to the endpoint's private IP addresses inside the VPC.<\/span><\/li>\n<\/ol>\n<pre>curl -i https:\/\/&lt;api-gateway-id&gt;.execute-api.&lt;region-name&gt;.amazonaws.com\/&lt;stage-name&gt;<\/pre>\n<h2><b>Conclusion<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This blog demonstrates how to connect to API Gateway from another AWS account using VPC endpoints over a private network, with security controls applied at several layers. 
The benefits of using API Gateway on a private network are that it reduces the attack surface and decreases network latency.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is API and API Gateway Amazon API Gateway is a service that you can use to create application programming interfaces. Those are essentially the front door to your business logic or your applications on AWS. With the rapid increase in the use of mobile devices and the rise of the Internet of Things (IoT), [&hellip;]<\/p>\n","protected":false},"author":1563,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":308},"categories":[4682],"tags":[3817,248,5170],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/57069"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1563"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=57069"}],"version-history":[{"count":2,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/57069\/revisions"}],"predecessor-version":[{"id":57091,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/57069\/revisions\/57091"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=57069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=57069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=57069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}