Amazon API Gateway in front of ELB and ECS Cluster


Question

I'm trying to put an Amazon API Gateway in front of an Application Load Balancer, which balances traffic to my ECS Cluster, where all my microservices are deployed. The motivation to use the API Gateway is to use a custom authorizer through a lambda function.

System diagram

In Amazon's words (https://aws.amazon.com/api-gateway/faqs/): "Proxy requests to backend operations also need to be publicly accessible on the Internet". This forces me to make the ELB public (internet-facing) instead of internal. Then, I need a way to ensure that only the API Gateway is able to access the ELB outside the VPC.

My first idea was to use a Client Certificate in the API Gateway, but the ELB doesn't seem to support it.

Any ideas would be highly appreciated!

Recommended answer

This seems to be a huge missing piece for the API gateway technology, given the way it's pushed. Not being able to call into an internal-facing server in the VPC severely restricts its usefulness as an authentication front-door for internet access. FWIW, in Azure, API Management supports this out of the box - it can accept requests from the internet and call directly into your virtual network which is otherwise firewalled off. The only way this seems to be possible under AWS is using Lambdas, which adds a significant layer of complexity, esp. if you need to support various binary protocols.
