{"id":57086,"date":"2023-04-28T16:25:15","date_gmt":"2023-04-28T10:55:15","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=57086"},"modified":"2023-05-03T17:05:09","modified_gmt":"2023-05-03T11:35:09","slug":"connecting-aws-api-gateway-from-non-aws-environment-using-a-private-communication-channel","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/connecting-aws-api-gateway-from-non-aws-environment-using-a-private-communication-channel\/","title":{"rendered":"Connecting AWS API Gateway from Non AWS Environment using a private communication channel"},"content":{"rendered":"

\u00a0What is API Gateway<\/b><\/h2>\n

An API gateway is an API management tool between a client and a collection of backend services. An API gateway acts as a reverse proxy to accept all application programming interface (API) calls, aggregate the services required to fulfill them, and return the appropriate result.<\/span><\/p>\n

Problem Statement<\/b><\/h2>\n

How to access a Private API endpoint URL hosted on AWS from a client hosted in a Non-AWS environment?<\/span><\/p>\n

Solution<\/b><\/h2>\n

Create a Site-to-Site VPN connection between the On Premise\/Other Cloud (Eg, Azure) and AWS environment and configure the tunnels between them.<\/span><\/p>\n

Steps to Create a Site-to-Site VPN Connection<\/span><\/h3>\n

(Taking Reference of Azure as Non-AWS env)<\/b><\/p>\n

    \n
  1. Create Azure Virtual Network Gateway<\/span><\/li>\n<\/ol>\n

    This needs to be done by the Azure team (Client\/Requester end), and note the Public IP address which is used while performing this step.<\/span><\/p>\n

      \n
    1. Create AWS Customer Gateways<\/span><\/li>\n<\/ol>\n

      While creating the AWS Customer Gateway, put the IP address which was copied in Step 1 in the below highlighted field.<\/span><\/p>\n

      \"\"<\/p>\n

        \n
      1. Create AWS Virtual Private Gateway<\/span><\/li>\n<\/ol>\n

        \u00a0\u00a0\u00a0\u00a0Create AWS Virtual Private Gateway and attach it to the VPC<\/span><\/p>\n

        \"\"<\/p>\n

        \"\"<\/p>\n

        \"\"<\/p>\n

          \n
        1. Create AWS Site-to-Site VPN Connections<\/span><\/li>\n<\/ol>\n

          Enter the details in the requested fields:<\/span><\/p>\n

            \n
          • The target gateway type should be a Virtual private gateway, as selected in the above picture.<\/span><\/li>\n
          • Choose the Virtual private gateway created in the above step.<\/span><\/li>\n
          • Choose the Customer gateway created in the above step.<\/span><\/li>\n
          • Choose Routing options as static and enter the IPs.<\/span><\/li>\n
          • Put the values in Local and Remote IPv4 network CIDR.<\/span><\/li>\n
          • Later update the tunnel configurations for both tunnels, like entering the Pre-shared key used on the Client side, selecting the algorithms that both the client and server support, can keep others values as default, and enabling logging if required.<\/span><\/li>\n<\/ul>\n
              \n
            1. Once the tunnels are created, share the Outside IP Addresses of tunnels with the Azure team so that they can configure them in Azure Local Network Gateways.
              \n<\/span><\/li>\n
            2. The next step is to Create Azure connections. While creating connections, kindly put similar configurations which were used while creating tunnels at the AWS end in the above step.\u00a0<\/span><\/li>\n<\/ol>\n

              Once the setup is done correctly, Status will be connected at both AWS and Azure end.<\/span><\/p>\n

                \n
              1. Add VPN Route table to AWS VM subnet. This step will redirect all traffic from the AWS VM subnet to Azure Network through VPN by configuring the AWS Route table.<\/span><\/li>\n<\/ol>\n
                  \n
                • \u00a0\u00a0Add Routes in the route table.<\/span><\/li>\n<\/ul>\n

                  \"\"<\/p>\n

                    \n
                  • Now add Static Routes.\u00a0<\/span><\/li>\n<\/ul>\n

                    \"\"<\/p>\n

                    After the above steps, Tunnels should be established between Azure and AWS.<\/span><\/p>\n

                    Note: Both the tunnels should be UP in order to provide high availability.\u00a0\u00a0<\/span><\/p>\n

                    Implementation Plan for Connectivity from a Non-AWS Environment<\/b><\/h2>\n

                    Steps to connect AWS Private API Endpoint URL from Azure<\/b><\/h2>\n

                    \"\"<\/p>\n

                      \n
                    1. Create Azure Virtual Network Gateway (Takes about 30 – 45 mins)<\/span><\/li>\n
                    2. Create AWS Customer Gateways<\/span><\/li>\n
                    3. Create AWS Virtual Private Gateways<\/span><\/li>\n
                    4. Create AWS Site-to-Site VPN Connections<\/span><\/li>\n
                    5. Create Azure Local Network Gateways<\/span><\/li>\n
                    6. Create Azure Connections<\/span><\/li>\n
                    7. Add VPN route table to AWS VM Subnet<\/span><\/li>\n<\/ol>\n

                      Prerequisites:<\/b><\/p>\n

                        \n
                      1. Site-to-Site VPN connection should be established between Azure and AWS environment, and tunnels should be up.<\/span><\/li>\n
                      2. Source IPs should be allowed at Static routes in VPN, Route tables associated with VPC, and WAF if WAF is used.<\/span><\/li>\n
                      3. VPC Endpoint is created to access and invoke API service.<\/span><\/li>\n<\/ol>\n

                        Steps to connect AWS Private API Endpoint URL from On Premise \/ DC<\/b><\/h2>\n

                        \"\"<\/p>\n

                        \"\"<\/p>\n

                          \n
                        1. The client calls the private API endpoint URL (eg – GET https:\/\/abc123.execute-api.eu-west-1.amazonaws.com\/prod)<\/span><\/li>\n
                        2. The client asks the on-premises DNS server to resolve this (abc123.execute-api.eu-west-1.amazonaws.com).<\/span><\/li>\n
                        3. You must configure the on-premises DNS server to forward DNS queries for the AWS-hosted domains to the IP addresses of the inbound resolver endpoint.\u00a0<\/span><\/li>\n
                        4. After the client successfully resolves the API Gateway private DNS name, it receives the private IP address of the VPC Endpoint of the API Gateway.<\/span><\/li>\n<\/ol>\n

                          \u00a0\u00a0\u00a0<\/b>\u00a0Prerequisites:<\/b><\/p>\n

                            \n
                          1. Site-to-Site VPN connection should be established between the DC and AWS environment, and tunnels should be up.<\/span><\/li>\n
                          2. Source IPs should be allowed at Static routes in VPN, Route tables associated with VPC, and at WAF if WAF is used.<\/span><\/li>\n
                          3. VPC Endpoint is created to access and invoke API service<\/span><\/li>\n<\/ol>\n

                            Conclusion\u00a0<\/strong><\/p>\n

                            This blog demonstrates how to connect AWS API Gateway from a Non-AWS env like On-Premise\/DC or from Azure using VPC endpoints on a private network with all the security measures at different security layers. The benefits of using the API Gateway on a private network are that it reduces the attack surface and decreases the network latency.<\/span><\/p>\n

                            <\/div>","protected":false},"excerpt":{"rendered":"

                            \u00a0What is API Gateway An API gateway is an API management tool between a client and a collection of backend services. An API gateway acts as a reverse proxy to accept all application programming interface (API) calls, aggregate the services required to fulfill them, and return the appropriate result. Problem Statement How to access a […]<\/p>\n","protected":false},"author":1575,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":73},"categories":[4682],"tags":[5180,5181,5183,5182],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/57086"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1575"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=57086"}],"version-history":[{"count":4,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/57086\/revisions"}],"predecessor-version":[{"id":57199,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/57086\/revisions\/57199"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=57086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=57086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=57086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}