https://serverless-stack.com/ logo
Join Slack
Powered by
Hello all!  I am trying to build a private REST AP...
# sst
s
Hello all!  I am trying to build a private REST API using SST that will live inside a VPC.  I am quite comfortable using SST to create public facing API's, but making a private API is new to me.
I've read AWS's whitepaper on Best Practices for Designing API Gateway Private APIs, which states  "...for customers who need to access an API in a private network, a private REST API is the preferred choice".  It seems like I need to use the ApiGatewayV1Api construct along with a resource-based policy to specify who has access.  Other than that, I'm scratching my head on how to get this spun up with SST.  Any pointers to get me moving in the right direction?
For context, I'm trying to introduce an SST developed service within an existing microservice architecture. The VPC already exists, so I don't need to go about setting that up. I also have a VPN set up in my dev environment.
what I have so far
Copy code
import * as sst from "@serverless-stack/resources";
import { EndpointType } from "@aws-cdk/aws-apigateway";
//import * as ec2 from "@aws-cdk/aws-ec2";

export default class MyStack extends sst.Stack {
  constructor(scope, id, props) {
    super(scope, id, props);

    // Import VPC - WTF do I do with this?
    // const existingVpc = ec2.Vpc.fromLookup(this, 'VPC', {
    //   vpcName: `cc-non-prod-vpc`,
    // });

    // Create a REST API
    const api = new sst.ApiGatewayV1Api(this, "Api", {
      routes: {
        "GET /": "src/lambda.handler",
      },
      restApi: {
        endpointConfiguration: {
          types: [EndpointType.PRIVATE],
        },
      },
    });

    // Show the endpoint in the output
    this.addOutputs({
      "ApiEndpoint": api.url,
    });
  }
}
s
I did something similar for test project (VPC, VPN, IAM secured endpoints inside VPC using REST API) maybe it helps: https://github.com/stokilo/cloud-spider-public/blob/master/lib/ApiAndAuthStack.ts
s
Thank you for sharing, I'll take a look 🙂
I'm trying to understand how you've defined a resource policy for the API (a requirement for this setup, as I understand). Is that what you're doing here?
Copy code
api.attachPermissions([
      new iam.PolicyStatement({
        actions: ['es:*',
          'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface',
          'ec2:DescribeSecurityGroups', 'ec2:DescribeSubnets', 'ec2:DescribeVpcs'],
        effect: iam.Effect.ALLOW,
        resources: [
          '*'
        ]
      })
    ])
s
I did something else there, I deployed lambda in the ISOLATED subnet and set authorization type for admin resources to IAM type. In order to call them it is required to sign the request with IAM user credentials and use VPN connection to execute it. I think this is not exactly what you need.
but from there you can start changing REST API and change it from edge to private
to add resource policy you could change it like
in result you get:
but if I understand you requirements correctly you will need VpcLink: https://aws.amazon.com/blogs/compute/understanding-vpc-links-in-amazon-api-gateway-private-integrations/
s
I think you're correct re: VpcLink. I'll need to dive deeper
This seems...complicated 😆
s
yes 🙂
s
whenever I can't find an example of something I think is common (e.g. setting up a private REST api on a VPC using CDK), I start to wonder if I'm doing it wrong 🤔
s
I didn’t test it but shouldn’t it be possible like that?
Copy code
const api = new sst.ApiGatewayV1Api(this, 'Api', {
  // ...
  restApi: {
    endpointConfiguration: {
        types: [EndpointType.PRIVATE], 
        vpcEndpoints: [endpointAPIGateway]
      }
    }
  },
here is CDK version of private API
s
OH wow, the serverless patterns post looks promising! I'll give this a try later today and report back! 🙏
Open in Slack
PreviousNext
Powered by