All Products
Search

This Product

    API Gateway:VPC integration instances

    Document Center

    API Gateway:VPC integration instances

    Last Updated:Nov 28, 2023

    This topic introduces a new dedicated instance type, the virtual private cloud (VPC) integration instance. This topic also describes the application scenarios of the new dedicated instance type and how to purchase and use a dedicated instance of this type.

    Scenario

    API Gateway provides the VPC integration instance to facilitate the communication with your VPC. The instance is suitable for the following scenarios:

    • API Gateway needs to access multiple resources, such as Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances, in the same VPC. These resources are the backend services of an API hosted on API Gateway. Typical scenarios include microservices and service discovery, such as Nacos.

    • Hybrid cloud network communication is used. In this case, a backend service accepts only the private IP addresses of Alibaba Cloud VPCs in the requests forwarded by API Gateway instances. For more information, see the Scenario 3: Access a backend service deployed in an on-premises data center from an ECS instance deployed on Alibaba Cloud section of the "Centralized API management on a hybrid cloud" topic.

      image.png

    Differences between a VPC integration instance and a conventional dedicated instance

    The following table lists their benefits and shortcomings.

    VPC integration instance

    Conventional dedicated instance

    Egress IP address of the instance*

    A private IP address of an Alibaba Cloud VPC. This VPC is selected when you create the instance.

    100.*.*.*.

    Forwarding API requests to multiple resources in the same VPC

    Supported. Example: service registration and discovery.

    Supported. However, you must configure a VPC access authorization for each of the resources.** Dynamic configuration is not supported.

    Forwarding API requests to resources in different VPCs

    Not supported. You must interconnect these VPCs on your own.

    Supported. You can separately configure access authorizations for these VPCs.

    Configuration process

    Specify the VPC to which API Gateway connects when you purchase the instance. You do not need to configure VPCs when you create APIs.

    You need to configure VPC access authorizations.

    Note:

    *: The egress IP address of an API Gateway instance is the source IP address that the backend service obtains from the API request forwarded by the instance in a TCP connection.

    **: Conventionally, an API Gateway instance can access a resource in a VPC only after the instance is authorized to access the VPC. For more information, see Use a resource in a VPC as the backend service of an API operation.

    How to purchase

    The following figure shows the buy page of an API Gateway dedicated instance. After you select VPC integration instance as the instance type, you can configure the instance to be created.

    image..png

    The following items are required:

    1. The user VPC ID. You must specify the ID of the VPC to which you want API Gateway to connect. You cannot change the ID after the instance is created.

    2. The CIDR block into which the instance falls. API Gateway checks whether the CIDR block is in conflict with the CIDR block of the vSwitch that you specified, in which case the instance does not work as expected.

    3. The zone and security group. API Gateway creates elastic network interface (ENI) resources in the vSwitch and security group in the zone that you specified. Then, API Gateway binds the ENI resources to the instance to be created. Therefore, you must make sure that the resources in your VPC belong to the same security group and belong to the CIDR block that corresponds to the specified vSwitch. In addition, outbound traffic must be allowed from the egress IP addresses by the security group. Otherwise, the instance cannot access backend services.

    4. The service-linked role. API Gateway uses the service-linked role to perform operations on the ENI resources in your VPC. For more information about the service-linked role, see AliyunServiceRoleForApiGatewayConnectUserVpc.

    Note

    Note

    1. ENI resources are subject to the security rules and network configurations, such as the security group settings, of the VPC to which they belong.

      1. If your backend service and ENI resources belong to ECS instances of the same security group and intra-group communication is enabled in the security group, you do not need to separately configure a security group for outbound communication.

      2. If your backend service is deployed on a Classic Load Balancer (CLB) instance, you must ensure that outbound traffic over the configured CIDR block is allowed by the security group, regardless of whether the same vSwitch is used.

    2. The ENI resources that are created by API Gateway in your VPC do not incur extra fees.

    How to use

    Add a CIDR block that can be accessed by the VPC integration instance

    By default, the VPC integration instance can access only the resources that reside in the CIDR block corresponding to the vSwitch specified when you created the instance. You can view the CIDR block and the resources in it on the instance details page in the API Gateway console. If you want the instance to access resources that reside in other CIDR blocks, you can add these CIDR blocks on your own. Procedure:

    1. Log on to the API Gateway console. In the left-side navigation pane, click Instances.

    2. Find the VPC integration instance that you want to manage and click Add in the Access Allowed From section.

    3. Add a CIDR block based on your business requirements. You can select a CIDR block from the drop-down list or manually specify a CIDR block.

      Note

      If you choose to manually specify a CIDR block, make sure that the CIDR block resides in or is connected to your VPC.

    Compatibility with VPC access authorizations

    Use a VPC access authorization as a backend service

    The VPC integration instance allows you to use a VPC access authorization as the backend service for an API. The instance uses the ENI resources that are created in your VPC when you create the instance to directly access the backend service in the VPC access authorization.

    When you create an API or plug-in on the VPC integration instance, make sure that:

    1. The VPC ID in the VPC access authorization is the same as the ID of the VPC that is connected to the instance.

    2. The private IP address of the backend service in the VPC access authorization falls into the CIDR block that can be accessed by the VPC integration instance.

      Note

      If errors such as "instance cannot connect the backend xxx.xxx.xxx.xxx." are reported when you publish an API or modify a plug-in, check whether the IP address mentioned in the error falls into the CIDR block that can be accessed by the VPC integration instance.

    Migrate an API group to a VPC integration instance

    API Gateway allows you to change the instance to which an API group belongs. This way, you can conveniently migrate the group to a VPC integration instance.

    1. Log on to the API Gateway console. In the left-side navigation pane, choose Open API > API Groups.

    2. Find the group that you want to migrate and click its name to go to the group details page.

    3. Click Modify Instance for API Group Deployment and select the VPC integration instance that you created.

    4. Wait for API Gateway to verify the VPC access authorizations used by the APIs and associated plug-ins in the group. If the verification is passed, the migration is successful. If the verification is not passed, the migration fails, and the cause is displayed.

      Important

      1. Before the migration, API Gateway verifies the following items for the backend services, APIs, and plug-ins that are associated with the VPC:

        1. Whether the VPC ID in the VPC access authorization is the same as the ID of the VPC that is connected to the VPC integration instance

        2. Whether the private IP address of the backend service in the VPC access authorization falls into the CIDR block that can be accessed by the VPC integration instance

      2. Before the migration, if your API group is associated with a VPC access authorization, make sure that the security group containing the corresponding ECS or SLB resources in the authorization is the same as the security group specified when you created the VPC integration instance.

      3. After the migration, the egress IP address changes to that of the VPC integration instance. If your backend service has a whitelist, you must add the egress IP address of the VPC integration instance to the whitelist before the migration. Otherwise, connectivity issues occur after the migration.