Private APIs provide a secure method to invoke APIs through a VPC endpoint. API Gateway private integration makes it easier to expose your HTTP/HTTPS resources: applications can integrate with private APIs, which send requests to a Network Load Balancer (NLB), or through an Application Load Balancer (ALB) or AWS Cloud Map for HTTP APIs. Private integration forwards external traffic sent to your APIs on to private resources without exposing the APIs to the internet.
This tutorial will use the NetFoundry Platform to create network fabric to access a private example API in AWS.
1. AWS Account
2. AWS CLI installed on your system and connected to your AWS Account.
3. NetFoundry Teams Account
   1. The edge routers and endpoints need to reach the NetFoundry controller and NF-hosted edge routers for registration and operations. Please make sure the required ports, IPs, and URLs are reachable if you have firewall ACL policies.
   2. NetFoundry traffic should bypass any proxy or deep packet inspection in the path, since it uses mTLS and end-to-end encryption.
The guide has the details.
Step 1. Build the Network using our Getting Started guide.
Step 2. Create an endpoint identity in NetFoundry (the remote user identity).
To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus-sign in the upper right-hand corner to create a new Endpoint.
Download the resulting "endpoint_name.jwt" and follow the directions for your OS below:
Step 3. Create NetFoundry Edge Router and deploy NetFoundry Edge Router resource in AWS.
Follow the steps outlined here (with video)
Step 4. Deploy a private endpoint into the VPC.
From the VPC menu, select Endpoints, then Create Endpoint. Enter a name, choose AWS Service, and select the API Gateway service: com.amazonaws.us-west-1.execute-api
Then select the desired VPC, subnets and security group (if any), and finally Full Access for this example.
Depending on your VPC DNS settings, you may have to disable the DNS name option in the VPC endpoint's Additional settings dialogue box.
Record your VPC Endpoint ID, e.g. vpce-0c09e538f94bbab3c (sample).
Step 5. Create the API and an associated URI for testing.
From the API Gateway Menu, select
Then select REST API and hit Build.
Choose REST, Example API and Private, then Import.
Once your API is built, you will need to apply a Resource Policy; here is a sample open policy for your testing. Select Resource Policy on the left, paste the following into the code box, then hit Save.
Now let's deploy your API from the API menu.
Record this URL; it will be joined with your Private Link (VPC endpoint ID) so the API can be accessed privately over the NetFoundry network.
You must associate the API Gateway with the VPC endpoint using the following command (substitute your API ID and VPC endpoint ID):
aws apigateway update-rest-api \
--rest-api-id 'your api id' \
--patch-operations "op='add',path='/endpointConfiguration/vpcEndpointIds',value='vpce-your vpce id'"
NOTE: Deploy the API once again afterwards; the VPC endpoint association only takes effect for a new deployment.
Step 6. Create NetFoundry service and AppWAN
You must form your private endpoint API URI by inserting the VPCE ID (with a leading hyphen) between the API ID and the rest of your URL, as in the curl example in Step 7 below.
From the NetFoundry console, select the Services dialogue box and hit Add.
Insert your base URL into the Intercept Host Name field with port 443.
Select Endpoint Hosted and choose the router you installed in your VPC in Step 3 above. Enter the URL and port into the Host Configuration box and hit Create.
Select AppWAN from the Network Dashboard and hit the blue + in the upper right corner.
From the Services Attribute box, click and select the service from the step above.
From the Endpoint Attribute box, click and select the endpoint created in Step 2 above.
Step 7. Connect to the API with the NetFoundry platform.
From your Browser
From CLI (example, set your URL specifics)
curl -X GET "https://fwbr4gyzb1-vpce-07ffdf4bd13f06bd8.execute-api.us-west-2.amazonaws.com/demo" -H "accept: application/json"
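The API-side steps above (associating the VPC endpoint in Step 5, redeploying, forming the private URL in Step 6 and the curl check in Step 7) collected into one script. This is an added example, not NetFoundry's or AWS's own code. It assumes AWS CLI v2 with credentials for the account that owns the API, takes the API ID, VPC endpoint ID, region and stage name as arguments, and replaces the page's open test policy with one that allows execute-api:Invoke only for calls arriving through the named VPC endpoint (the aws:SourceVpce condition). The IDs in the comments are the page's sample values; the function and variable names are this script's own.

```shell
#!/bin/sh
# Added example: wire a private REST API to its VPC endpoint, lock the
# resource policy to that endpoint, redeploy, and call the private URL.
# Usage: ./private_api.sh <api-id> <vpce-id> <region> <stage>
# e.g.   ./private_api.sh fwbr4gyzb1 vpce-07ffdf4bd13f06bd8 us-west-2 demo
# Assumes: AWS CLI v2 configured for the owning account; curl runs from a
# host that is already enrolled in the NetFoundry AppWAN (Steps 2 and 6).

# Resource policy allowing Invoke only from the given VPC endpoint.
# "execute-api:/*" is API Gateway's short form for "every method/path of this API".
make_policy() {
  vpce_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": { "StringEquals": { "aws:SourceVpce": "${vpce_id}" } }
    }
  ]
}
EOF
}

# JSON-escape a document (drop newlines, escape backslashes and quotes) so it
# can be embedded as the string value of a patch operation.
json_escape() {
  tr -d '\n' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Private invoke URL: the VPCE ID is inserted between the API ID and the
# execute-api hostname, exactly as Step 6 describes.
private_url() {
  api_id="$1"; vpce_id="$2"; region="$3"; stage="$4"
  printf 'https://%s-%s.execute-api.%s.amazonaws.com/%s\n' \
    "$api_id" "$vpce_id" "$region" "$stage"
}

main() {
  api_id="$1"; vpce_id="$2"; region="$3"; stage="$4"

  # 1. Associate the VPC endpoint with the API (the page's Step 5 command).
  aws apigateway update-rest-api --rest-api-id "$api_id" \
    --patch-operations "op=add,path=/endpointConfiguration/vpcEndpointIds,value=$vpce_id"

  # 2. Replace the open test policy with the endpoint-restricted one.
  escaped=$(make_policy "$vpce_id" | json_escape)
  aws apigateway update-rest-api --rest-api-id "$api_id" \
    --patch-operations "[{\"op\":\"replace\",\"path\":\"/policy\",\"value\":\"$escaped\"}]"

  # 3. Redeploy so both changes take effect on the stage (the page's NOTE).
  aws apigateway create-deployment --rest-api-id "$api_id" --stage-name "$stage"

  # 4. Verify over the NetFoundry fabric (Step 7's curl).
  url=$(private_url "$api_id" "$vpce_id" "$region" "$stage")
  curl -sS -X GET "$url" -H "accept: application/json"
}

# Only run the AWS calls when invoked with all four arguments, so the helper
# functions can be sourced and checked without touching an account.
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

The policy is passed through the JSON form of --patch-operations rather than the shorthand form used on the page, because the policy document itself contains commas and quotes that the shorthand parser would otherwise have to be protected from. Restricting Invoke to aws:SourceVpce means that even if the API were later switched to a public endpoint type, callers outside the VPC endpoint would still be refused.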