Set up an API Gateway API with private integrations using the Amazon CLI
The following tutorial shows how to use the Amazon CLI to create a VPC link and a private integration. The following prerequisites are required:
-
You need an Network Load Balancer created and configured with your VPC source as the target. For more information, see Set up a Network Load Balancer for API Gateway private integrations. This must be in the same Amazon Web Services account as your API. You need the Network Load Balancer ARN to create your VPC link.
-
To create and manage a
VpcLink
, you need the permissions to create aVpcLink
in your API. You don't need the permissions to use theVpcLink
. For more information, see Grant permissions for API Gateway to create a VPC link.
To set up an API with the private integration using Amazon CLI
-
The following create-vpc-link command creates a
VpcLink
targeting the specified Network Load Balancer.aws apigateway create-vpc-link \ --name my-test-vpc-link \ --target-arns arn:aws-cn:elasticloadbalancing:us-west-2:
123456789012
:loadbalancer/net/my-vpclink-test-nlb/1234567890abcdef
The output of this command acknowledges the receipt of the request and shows the
PENDING
status for theVpcLink
being created.{ "status": "PENDING", "targetArns": [ "arn:aws-cn:elasticloadbalancing:us-west-2:123456789012:loadbalancer/net/my-vpclink-test-nlb/1234567890abcdef" ], "id": "gim7c3", "name": "my-test-vpc-link" }
It takes 2-4 minutes for API Gateway to finish creating the
VpcLink
. When the operation finishes successfully, thestatus
isAVAILABLE
. You can verify this by calling the following get-vpc-link command:aws apigateway get-vpc-link --vpc-link-id
gim7c3
If the operation fails, you get a
FAILED
status, with thestatusMessage
containing the error message. For example, if you attempt to create aVpcLink
with a Network Load Balancer that is already associated with a VPC endpoint, you get the following on thestatusMessage
property:"NLB is already associated with another VPC Endpoint Service"
After the
VpcLink
is created successfully, you can create an API and integrate it with the VPC resource through theVpcLink
.Note the
id
value of the newly createdVpcLink
. In this example output, it'sgim7c3
. You need it to set up the private integration. -
The following create-rest-api command creates an API Gateway
RestApi
resource:aws apigateway create-rest-api --name 'My VPC Link Test'
Note the
RestApi
'sid
value and theRestApi
'srootResourceId
value in the returned result. You need this value to perform further operations on the API.For illustration purposes, we will create an API with only a
GET
method on the root resource (/
) and integrate the method with theVpcLink
. -
Set up the
GET /
method. Use the following put-method command and enter theId
as therest-api-id
and therootResourceId
as theresource-id
:aws apigateway put-method \ --rest-api-id
abcdef123
\ --resource-idskpp60rab7
\ --http-method GET \ --authorization-type "NONE"If you don't use the proxy integration with the
VpcLink
, you must also set up at least a method response of the200
status code. We will use the proxy integration here. -
After you create the
GET /
method, you set up the integration. For a private integration, you use theconnection-id
parameter to provide theVpcLink
ID. You can use either a stage variable or directly enter theVpcLink
ID. Theuri
parameter is not used for routing requests to your endpoint, but is used for setting theHost
header and for certificate validation.At any point, you can also update the integration to change the
connection-id
. The following update-integration command shows how to update your integration:aws apigateway update-integration \ --rest-api-id
abcdef123
\ --resource-idskpp60rab7
\ --http-method GET \ --patch-operations '[{"op":"replace","path":"/connectionId","value":"${stageVariables.vpcLinkId}"}]'Make sure to use a stringified JSON list as the
patch-operations
parameter value.Because we used the private proxy integration, your API is now ready for deployment and for test runs. With the non-proxy integration, you must also set up the method response and integration response, just as you would when setting up an API with HTTP custom integrations.
-
If you used the stage variable to define your
connection-id
, you need to deploy your API to test it. The following create-deployment command shows how to deploy your API with a stage variable:aws apigateway create-deployment \ --rest-api-id
abcdef123
\ --stage-name test \ --variables vpcLinkId=gim7c3
To update the stage variable with a different
VpcLink
ID, such as
, call the update-stage command:asf9d7
aws apigateway update-stage \ --rest-api-id
abcdef123
\ --stage-name test \ --patch-operations op=replace,path='/variables/vpcLinkId',value='asf9d7
'When you hardcode the
connection-id
property with theVpcLink
ID literal, you don't need to deploy your API to test it. Use the test-invoke-method command to test your API before it is deployed. -
Use the following command to invoke your API:
curl -X GET https://
abcdef123
.execute-api.us-west-2.amazonaws.com/testAlternatively, you can enter your API's invoke-URL in a web browser to view the result.