How does API Gateway talk to the Firehose VPC endpoint?
Question
The page Using Amazon Kinesis Data Firehose with AWS PrivateLink says that a Firehose VPC endpoint keeps the traffic between the VPC and Firehose within AWS:

"You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Kinesis Data Firehose from leaving the Amazon network."

When API Gateway invokes the PutRecord API of Firehose via the AWS integration, does the traffic go through the Firehose VPC endpoint, or does it go out to the Internet?

Updates

The post Introducing Amazon API Gateway Private Endpoints shows a diagram where EC2 and Lambda are in the VPC. "All publicly available endpoints" go to the Internet, and I am not sure whether API Gateway recognizes that a Firehose private endpoint exists and routes the traffic there.
The example with DynamoDB and EC2 is about Gateway VPC Endpoints. For API Gateway, there is no Gateway VPC Endpoint. Instead there are Interface VPC Endpoints (AWS PrivateLink) and Gateway private integrations.

Before I begin, it needs to be mentioned that there are three API Endpoint types. The choice of the API Gateway endpoint type has important consequences when working with a VPC.

Interface VPC Endpoint for API Gateway

It allows e.g. an EC2 instance in private and public subnets to access your API Gateway using the AWS internal network, without going over the Internet. For this to work the API Gateway endpoint must be configured as private.

In this case API Gateway works with Kinesis as usual. No need to do anything except to set up the AWS integration for it.

For instance, a private EC2 instance (in a private subnet) will be able to access the private API Gateway endpoint through the interface VPC endpoint, and subsequently access Kinesis:

Private EC2 instance -> Interface VPC Endpoint for API Gateway -> API Gateway (private) -> Kinesis

An important thing to know here is that once you create an Interface VPC Endpoint for API Gateway in your VPC, you will not be able to connect to a regional or edge-optimized API Gateway, even in a public subnet. Only a private API Gateway will be accessible from inside the VPC when the interface endpoint is present.

Gateway private integration

This allows your public (i.e. regional or edge-optimized) API Gateway to access a private EC2 instance in a private subnet. This is done by creating an (e.g. internal) NLB in your VPC, which you connect to a VPC Link, which in turn you associate with an API method in the API Gateway.

VPC Link works at the method level, thus your public API can have one method (e.g. /private) to access the private EC2 instance through the VPCLink, and a second method (e.g. /kinesis) to access Kinesis as usual using the AWS integration.

Accessing the private EC2 instance looks as follows:

API Gateway (/private method) -> VPCLink -> NLB -> private EC2 instance.

Accessing Kinesis:

API Gateway (/kinesis) -> Kinesis (through AWS integration)

You can also have your private EC2 instance communicate with Kinesis. In this case you need a VPC Interface Endpoint for Kinesis if you are not using a NAT gateway:

API Gateway (/private) -> VPCLink -> NLB -> private EC2 instance -> Interface VPC Endpoint for Kinesis -> Kinesis (AWS integration)

Hope this clarifies how API Gateway and Kinesis can interact.

p.s. AWS conventions of naming different things in a similar way cause a lot of headache.
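As an added example (not from the question or the answer above), the private-endpoint case described in the answer as a CloudFormation fragment: a PRIVATE REST API whose resource policy admits only calls arriving through the execute-api interface endpoint, with a /kinesis POST method wired to Firehose PutRecord through the AWS integration. The endpoint ID, delivery stream name and integration role ARN are assumed parameters, not values from the page.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ExecuteApiVpceId:        # assumed: interface endpoint for com.amazonaws.<region>.execute-api
    Type: String
  DeliveryStreamName:      # assumed: existing Firehose delivery stream
    Type: String
  ApiToFirehoseRoleArn:    # assumed: role trusted by apigateway.amazonaws.com, allowed only firehose:PutRecord on that stream
    Type: String
Resources:
  PrivateApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: private-firehose-api
      EndpointConfiguration:
        Types: [PRIVATE]                         # reachable only from inside the VPC, as the answer states
        VpcEndpointIds: [!Ref ExecuteApiVpceId]
      # A PRIVATE API needs a resource policy; this one admits only traffic that entered via the named endpoint
      Policy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringEquals:
                aws:SourceVpce: !Ref ExecuteApiVpceId
  KinesisResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref PrivateApi
      ParentId: !GetAtt PrivateApi.RootResourceId
      PathPart: kinesis
  KinesisMethod:
    # /kinesis -> Firehose PutRecord via the AWS integration; this hop is service-to-service,
    # the Kinesis interface endpoint is only needed for the EC2 -> Kinesis path in the answer
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref PrivateApi
      ResourceId: !Ref KinesisResource
      HttpMethod: POST
      AuthorizationType: AWS_IAM               # callers must still sign requests with their own credentials
      Integration:
        Type: AWS
        IntegrationHttpMethod: POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:firehose:action/PutRecord
        Credentials: !Ref ApiToFirehoseRoleArn  # least-privilege role assumed by API Gateway for this call
        RequestTemplates:
          application/json: !Sub '{"DeliveryStreamName":"${DeliveryStreamName}","Record":{"Data":"$util.base64Encode($input.body)"}}'
        IntegrationResponses: [{StatusCode: '200'}]
      MethodResponses: [{StatusCode: '200'}]
```

A Deployment and Stage must still be added before the method is invocable; the /private VPC Link method from the answer would be a second AWS::ApiGateway::Method with ConnectionType VPC_LINK.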