All Products
Search
Document Center

Use a resource in a VPC as the backend service of an API operation

Last Updated: Sep 16, 2020

This topic describes how to create a high-availability backend service. Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances in a Virtual Private Cloud (VPC) can be used as backend services of API operations.

Overview

Alibaba Cloud VPC allows you to build an isolated network and customize IP address ranges, CIDR blocks, route tables, and gateways for the network. API Gateway allows you to create API operations for resources that are deployed in VPCs. To use a resource in a VPC as the backend service of an API operation, you must first authorize API Gateway to access the resource.

1. Authorize API Gateway to access resources in a VPC

To create an API operation for a resource that is deployed in a VPC, you must first authorize API Gateway to access the resource. To authorize API Gateway to a resource, you must specify the resource and an access port, such as port 443 of an SLB instance or port 80 of an ECS instance.

  • After authorization, API Gateway can access the resource in the VPC over the specified port.

  • The authorization only allows API Gateway to access the resources in the VPC to call API operations.

  • API Gateway can access only resources that it has permissions to access over an authorized port. For example, if you authorize API Gateway to use only port 80 of an SLB instance in a VPC, API Gateway can access this SLB instance only over port 80.

ECS instances and SLB instances in VPCs can be used as backend services of API operations.

  • ECS instance: When you create VPC access authorization, enter the ID or private IP address of the ECS instance in the Instance Id Or IP field in the Create VPC Access dialog box.

  • SLB instance: Only internal SLB instances are supported. When you create VPC access authorization, enter the ID or private IP address of the SLB instance in the Instance Id Or IP field in the Create VPC Access dialog box.

2. Build an HA architecture

To build an HA architecture, we recommend that you use an internal SLB instance as the backend service of an API operation. The SLB instance can be used to distribute access traffic to multiple ECS instances based on the forwarding policy. This improves the overall system performance and availability of applications.

1

2.1 Create instances in a VPC

Purchase and create SLB and ECS instances in a VPC. In this example, the SLB instance listens to port 80 of ECS instances, and the ECS instances are deployed in NGINX.

The following figure shows the details of the internal SLB instance.

1

2.2 Authorize API Gateway to access the VPC

Log on to the API Gateway console. In the left-side navigation pane, choose Publish APIs > VPC Access. On the VPC Access List page, click Create VPC Access. In the Create VPC Access dialog box, configure the required parameters.

VPC Access Name: the name of the current authorization entry. You need to select this name when you configure an API operation. To facilitate subsequent management, make sure that the name is unique in API Gateway.

1

2.3 Create an API operation

The procedure for creating an API operation with a service in a VPC as the backend service is the same as that for creating an API operation with HTTP or Function Compute as the backend service. For more information, see Create an API operation.

For more information about application creation and authorization, see Create an API operation with a service in a VPC as the backend service.

2.4 Test the API operation

You can test the API operation by using one of the following methods:

2.5 Security

API Gateway calls backend services in a VPC over an internal network. If you require higher security or your internal SLB instance has a blacklist and whitelist, you must add outbound IP addresses of API Gateway to the whitelist. For more information about SLB blacklist and whitelist settings, see Enable access control.

If you have configured a security group for ECS instances, you must add a security group rule to allow the outbound IP addresses of API Gateway. For information about how to add security group rules for ECS instances, see Add security group rules.

For information about how to obtain the outbound IP addresses of API Gateway, see Create an API operation with a resource in a VPC as the backend service.

FAQ

1. Does API Gateway support public SLB instances?

No, API Gateway supports only internal SLB instances when it calls SLB instances over an internal network. If API Gateway needs to call SLB instances over the Internet, you can create an API operation with HTTP or HTTPS as the backend service.

2. Can I authorize API Gateway to access multiple VPCs?

Yes. If you need to use multiple resources that are deployed in multiple VPCs as backend services, you can create multiple authorization entries in the API Gateway console to authorize API Gateway to access these VPCs.

3. Why am I unable to authorize API Gateway to access a VPC?

If you are unable to authorize API Gateway to access a VPC, check whether the ID of the VPC, the ID of the instance on which the backend service is deployed, and the port number that you entered are correct. Make sure that the authorization entry is created in the region where the VPC resides.

4. Is the security of my VPC affected after I authorize API Gateway to access my VPC?

No, the security of your VPC is not affected.

  • API Gateway can call resources in your VPC only after you authorize it to access your VPC.

  • Only the API operation that you authorized can call the resources in your VPC.

  • You can configure access control policies for ECS and SLB instances that are used as backend services.

5. Does API Gateway support VPCs in different regions?

Yes. You can use Cloud Enterprise Network (CEN) to allow API Gateway to access VPCs in different regions.