AWS - Route from public API Gateway to in-VPC lambda


Problem description


Question

From the API Gateway in the public facing AWS network to the Lambda function in a VPC subnet, where does the traffic go through?

Background

When the lambda is not in a VPC (in the AWS public facing network), the traffic goes through the Internet. But I am not sure when the lambda is in a VPC.

From the AWS console, I created a lambda function in a VPC and confirmed the API Gateway (NOT in VPC) can talk to the lambda in the VPC.

Since the lambda is in a subnet in the VPC, it does not have a public IP, so it should not go through the Internet. However, there is no VPC private link, which is what is used to connect from API Gateway to an NLB in a VPC as explained in API Gateway Private Integration.

Hence I have no idea where the traffic is going through.

Terraform

The Terraform aws_api_gateway_integration resource, connection_type, says:

(Optional) The integration input's connectionType. Valid values are INTERNET (default for connections through the public routable internet), and VPC_LINK (for private connections between API Gateway and a network load balancer in a VPC).

Hence, it looks like it may go through the Internet, as the connection_type default is INTERNET, and VPC_LINK is currently for API Gateway Private Integration with an NLB.

# Variables
variable "myregion" {
  default = "us-east-2"
}

# A variable default cannot reference another variable (the original
# "default = var.account_id" is not valid HCL), so the account id is
# passed in, e.g. -var accountId=123456789012.
variable "accountId" {
  type = string
}

variable "sg_ids" {
  type = list(string)
}

variable "subnet_ids" {
  type = list(string)
}

# API Gateway
resource "aws_api_gateway_rest_api" "api" {
  name = "api-lambda-vpc-test"
}

resource "aws_api_gateway_resource" "resource" {
  path_part   = "resource"
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  rest_api_id = aws_api_gateway_rest_api.api.id
}

resource "aws_api_gateway_method" "method" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.resource.id
  http_method   = "GET"
  authorization = "NONE"
}

# Lambda proxy integration. connection_type is not set, so it stays at the
# default INTERNET; VPC_LINK is only valid for HTTP integrations that reach
# an NLB through a VPC link.
resource "aws_api_gateway_integration" "integration" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.resource.id
  http_method             = aws_api_gateway_method.method.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  uri                     = aws_lambda_function.lambda.invoke_arn
}

# Lambda
resource "aws_lambda_permission" "apigw_lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda.function_name
  principal     = "apigateway.amazonaws.com"

  # Restrict the invoke permission to this one method of this one API.
  # More: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
  source_arn = "arn:aws:execute-api:${var.myregion}:${var.accountId}:${aws_api_gateway_rest_api.api.id}/*/${aws_api_gateway_method.method.http_method}${aws_api_gateway_resource.resource.path}"
}

resource "aws_lambda_function" "lambda" {
  filename      = "lambda.zip"
  function_name = "mylambda"
  role          = aws_iam_role.role.arn
  handler       = "lambda.lambda_handler"
  runtime       = "python3.6"

  # Attaching the function to subnets gives it ENIs in the VPC for its
  # outbound traffic; API Gateway still invokes it through the Lambda API.
  vpc_config {
    security_group_ids = var.sg_ids
    subnet_ids         = var.subnet_ids
  }

  # The filebase64sha256() function is available in Terraform 0.11.12 and later
  # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
  # source_code_hash = "${base64sha256(file("lambda.zip"))}"
  source_code_hash = filebase64sha256("lambda.zip")
}

# IAM
resource "aws_iam_role" "role" {
  name = "myrole"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

# AdministratorAccess is far broader than the function needs; the AWS managed
# policy AWSLambdaVPCAccessExecutionRole (CloudWatch Logs plus the ENI
# permissions a VPC-attached function requires) is enough for this test.
data "aws_iam_policy" "admin" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.role.id
  policy_arn = data.aws_iam_policy.admin.arn
}

Update

As per Introducing Amazon API Gateway Private Endpoints:

With this launch, you could build API-based services that did not require a publicly available endpoint. They could still interact with private services, such as databases, inside your VPC.

Solution

As answered by @Marcin, it goes through the AWS internal network.

My current understanding of API Gateway integrations (please correct me if I am wrong).

Hope others will not have to go through the same effort to figure them out.

Update

As per How API Gateway talk to Firehose VPC endpoint, my current understanding is that API Gateway talks to AWS services that are not in a VPC internally in the AWS network, not via the Internet.
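An added check (not from the original question or answer) that applies the rule above to integration records: it classifies where each route's traffic leaves API Gateway for, from the integration type and connectionType, and pulls the function ARN out of a Lambda integration uri. The records are constructed to mirror the shape of get_integration / get_function_configuration responses (the account id and VPC/subnet ids are placeholders), so it runs offline.

```python
from __future__ import annotations

# Constructed records mirroring the shape of API Gateway get_integration and
# Lambda get_function_configuration responses (placeholder ids, not real output).
LAMBDA_FN = {
    "FunctionName": "mylambda",
    "VpcConfig": {"VpcId": "vpc-0123", "SubnetIds": ["subnet-a"], "SecurityGroupIds": ["sg-a"]},
}
INTEGRATIONS = {
    "GET /resource": {  # connectionType omitted: API Gateway defaults it to INTERNET
        "type": "AWS_PROXY",
        "uri": "arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/"
               "arn:aws:lambda:us-east-2:111122223333:function:mylambda/invocations",
    },
    "GET /backend": {"type": "HTTP_PROXY", "uri": "https://example.com/x", "connectionType": "INTERNET"},
    "GET /nlb": {"type": "HTTP_PROXY", "uri": "http://nlb.internal/x",
                 "connectionType": "VPC_LINK", "connectionId": "abc123"},
}


def lambda_arn_from_uri(uri: str) -> str | None:
    """Extract the function ARN embedded in a Lambda integration uri, else None."""
    marker, suffix = "/functions/", "/invocations"
    if marker in uri and uri.endswith(suffix):
        return uri.split(marker, 1)[1][: -len(suffix)]
    return None


def traffic_path(integration: dict, fn: dict | None = None) -> str:
    """Describe where the request leaves API Gateway for, from type + connectionType."""
    itype = integration["type"]
    conn = integration.get("connectionType", "INTERNET")
    if itype in ("AWS", "AWS_PROXY"):
        # Service integration: API Gateway calls the AWS service API (for Lambda,
        # Invoke) on the AWS network; connectionType is not consulted, and a
        # VPC-attached function is reached the same way as any other.
        arn = lambda_arn_from_uri(integration["uri"])
        vpc = (fn or {}).get("VpcConfig", {}).get("VpcId")
        target = f"lambda:{arn}" if arn else "service-endpoint"
        return f"aws-network:{target}" + (f":vpc={vpc}" if arn and vpc else "")
    if itype in ("HTTP", "HTTP_PROXY"):
        if conn == "VPC_LINK":
            if not integration.get("connectionId"):
                raise ValueError("VPC_LINK integration without a connectionId")
            return f"vpc-link:{integration['connectionId']}"
        return f"internet:{integration['uri']}"  # public routable internet
    if itype == "MOCK":
        return "none:mock"
    raise ValueError(f"unknown integration type {itype}")


def audit(integrations: dict, fn: dict) -> dict:
    """Map every route to its traffic path description."""
    return {route: traffic_path(i, fn) for route, i in integrations.items()}
```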
