
API Gateway:Use a resource in a VPC as the backend service of an API

Last Updated:Mar 05, 2024

This topic describes how to create a high-availability (HA) backend service. Elastic Compute Service (ECS) instances and Classic Load Balancer (CLB) instances in a virtual private cloud (VPC) can both be used as backend services of APIs.

Overview

Alibaba Cloud VPC allows you to build isolated networks based on custom IP addresses, CIDR blocks, route tables, and gateways. API Gateway allows you to create APIs for resources deployed in VPCs. To use a resource in a VPC as the backend service of an API, you must first authorize API Gateway to access the resource.

1. Authorize API Gateway to access resources in a VPC

To create an API by using a resource in a VPC, you must first authorize API Gateway to access the resource. To authorize API Gateway to access a resource, you must specify the resource and an access port, such as port 443 of a CLB instance or port 80 of an ECS instance.

  • After authorization, API Gateway can access the resource in the VPC over the specified port.

  • The authorization only allows API Gateway to access the resource in the VPC in order to call the backend for the API.

  • API Gateway can access only the authorized resource, and only over the authorized port. For example, if you authorize API Gateway to access a CLB instance in a VPC only over port 80, API Gateway can reach that CLB instance only on port 80; no other port on the instance and no other resource in the VPC is reachable through that authorization.

ECS instances and CLB instances in VPCs can be used as backend services of APIs.

  • ECS instance: When you create a VPC access authorization, enter the ID or private IP address of the ECS instance in the Instance ID or IP Address field in the Create VPC Access dialog box.

  • CLB instance: Only internal CLB instances are supported. When you create a VPC access authorization, enter the ID or private IP address of the CLB instance in the Instance ID or IP Address field in the Create VPC Access dialog box.

2. Build an HA architecture

To build an HA architecture, we recommend that you use an internal CLB instance as the backend service of an API. The CLB instance can be used to distribute access traffic to multiple ECS instances based on the forwarding policy. This improves the overall system performance and availability of applications.

2.1 Create instances in a VPC

Purchase and create CLB and ECS instances in a VPC. In this example, the CLB instance listens on port 80 of the ECS instances, and Nginx is deployed on the ECS instances. Take note that an internal CLB instance must be used.

2.2 Authorize API Gateway to access the VPC

Log on to the API Gateway console. In the left-side navigation pane, choose Manage APIs > VPCs. On the VPC Access Authorizations page, click Create Authorization. In the Create VPC Access dialog box, configure the VPC Access Name, VPC Id, Instance ID or IP Address, and Port Number parameters. If you want to specify a domain name to access a site (vhost) on the CLB or ECS instance, you can configure the domain name in the Host field.

Note

VPC Access Name: the name of the current authorization entry. You need to select this authorization when you create an API. To facilitate subsequent management, make sure that the name is unique in API Gateway.

2.3 Create an API

The procedure for creating an API with a backend service of the VPC type is the same as that for creating an API with a backend service of other types. For more information, see Create an API.

For more information about how to create and authorize an application, see Create an API with a service in a VPC as the backend service.

2.4 Test the API

You can test the API by using one of the following methods:

2.5 Security

API Gateway calls backend services in a VPC over an internal network. If you require higher security, or if your internal CLB instance has a blacklist or whitelist configured, you must allow traffic from the egress IP addresses of API Gateway. For more information about blacklist and whitelist settings of CLB instances, see the Enable access control topic of the CLB documentation.

If you have configured a security group for the ECS instances, you must add a security group rule that allows inbound traffic from the egress IP addresses of API Gateway on the authorized port. For information about how to add security group rules for ECS instances, see Add a security group rule.

For information about how to obtain the egress IP addresses of API Gateway, see Create an API with a resource in a VPC as the backend service.
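Both recommendations in this section (CLB access control and ECS security group rules) reduce to one least-privilege condition: the authorized backend port should be reachable only from the egress IP addresses of API Gateway. The following Python script is an added example and is not part of this topic or of Alibaba Cloud's tooling. It models inbound rules as plain dictionaries (the field names are illustrative, not the ECS API's parameter names), uses constructed placeholder egress CIDRs from the RFC 5737 documentation ranges in place of the real API Gateway egress addresses, and shows two things: how to generate the minimal rule set for a given port, and how to audit an existing rule set for rules that are too broad or egress ranges that are not yet allowed.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholders. The real egress IP addresses of API Gateway come from
# the console or documentation referenced in the text, not from this example.
API_GATEWAY_EGRESS_CIDRS = ["203.0.113.0/25", "198.51.100.64/26"]
BACKEND_PORT = 80  # the port authorized in the VPC access entry (Nginx on the ECS instances)

# Constructed sample of an existing security group's inbound rules (illustrative field names).
EXISTING_RULES = [
    # correct: one API Gateway egress range, restricted to the backend port
    {"direction": "ingress", "protocol": "tcp", "port_range": "80/80",
     "source_cidr": "203.0.113.0/25", "policy": "accept"},
    # too broad: a source range that is not an API Gateway egress range
    {"direction": "ingress", "protocol": "tcp", "port_range": "80/80",
     "source_cidr": "192.0.2.0/24", "policy": "accept"},
    # unrelated port: not part of the API Gateway path, ignored by the audit
    {"direction": "ingress", "protocol": "tcp", "port_range": "22/22",
     "source_cidr": "10.0.0.0/8", "policy": "accept"},
]


def build_minimal_rules(egress_cidrs: Iterable[str], port: int) -> List[Dict[str, str]]:
    """Return one inbound accept rule per API Gateway egress CIDR, limited to the authorized port."""
    rules = []
    for cidr in egress_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set / malformed input
        rules.append({
            "direction": "ingress",
            "protocol": "tcp",
            "port_range": f"{port}/{port}",
            "source_cidr": str(net),
            "policy": "accept",
        })
    return rules


def _reaches_port(rule: Dict[str, str], port: int) -> bool:
    """True if the rule admits TCP traffic to `port` (protocol 'all' covers every port)."""
    proto = rule.get("protocol")
    if proto == "all":
        return True
    if proto != "tcp":
        return False
    lo, hi = (int(p) for p in rule["port_range"].split("/"))
    return lo <= port <= hi


def audit_rules(existing: List[Dict[str, str]], egress_cidrs: Iterable[str], port: int) -> Dict[str, list]:
    """Compare inbound accept rules on the backend port with the API Gateway egress ranges.

    over_broad: rules reaching the port whose source is not contained in any egress CIDR
                (for example 0.0.0.0/0 or an unrelated office range).
    missing:    egress CIDRs that no accept rule admits on the port, i.e. API Gateway
                calls from those addresses would be dropped.
    """
    gateway_nets = [ipaddress.ip_network(c) for c in egress_cidrs]
    over_broad = []
    covered = set()
    for rule in existing:
        if rule.get("direction") != "ingress" or rule.get("policy") != "accept":
            continue
        if not _reaches_port(rule, port):
            continue
        src = ipaddress.ip_network(rule["source_cidr"])
        # subnet_of/supernet_of only compare networks of the same IP version
        same_version = [g for g in gateway_nets if g.version == src.version]
        if not any(src.subnet_of(g) for g in same_version):
            over_broad.append(rule)
        covered.update(str(g) for g in same_version if g.subnet_of(src))
    missing = [str(g) for g in gateway_nets if str(g) not in covered]
    return {"over_broad": over_broad, "missing": missing}


if __name__ == "__main__":
    report = audit_rules(EXISTING_RULES, API_GATEWAY_EGRESS_CIDRS, BACKEND_PORT)
    for rule in report["over_broad"]:
        print("too broad:", rule["source_cidr"], rule["port_range"])
    for cidr in report["missing"]:
        print("not yet allowed:", cidr)
    # rules to add so that every egress range is admitted on the backend port
    for rule in build_minimal_rules(report["missing"], BACKEND_PORT):
        print("add:", rule)
```

Run against a real rule export, the audit flags any rule that opens the backend port wider than the gateway's egress ranges, and feeding `report["missing"]` back into `build_minimal_rules` yields exactly the rules still needed. The same containment check applies to a CLB whitelist: every whitelisted CIDR should be a subnet of an API Gateway egress range, and every egress range should appear in the list.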

FAQ

1. Does API Gateway support public CLB instances?

No, API Gateway supports only internal CLB instances for APIs that use a backend service of the VPC type. If you want to access CLB instances over the Internet, you can create APIs that use backend services of the HTTP/HTTPS type.

2. Can I authorize API Gateway to access multiple VPCs?

Yes. If you need to use multiple resources that are deployed in multiple VPCs as backend services of APIs, you can create multiple authorization entries in the API Gateway console to authorize API Gateway to access these VPCs.

3. Why am I unable to authorize API Gateway to access a VPC?

If you are unable to authorize API Gateway to access a VPC, check whether the ID of the VPC, the ID of the instance on which the backend service is deployed, and the port number that you entered are correct. Make sure that the authorization entry is created in the region where the VPC resides.

4. Does a VPC access authorization affect the security of my VPC?

  • No, the security of your VPC is not affected. API Gateway calls resources in your VPC only after you authorize it to access your VPC.

  • In addition, only the authorized API Gateway instance can call the resources.

  • You can configure access control policies for ECS and CLB instances that are used as backend services.

5. Does API Gateway support VPCs in different regions?

Yes, you can use Cloud Enterprise Network (CEN) to allow API Gateway to access VPCs in other regions. For more information about how to configure CEN, see What is CEN?