Alibaba Cloud Virtual Private Cloud (VPC) helps you establish an isolated network environment and customize the IP address range, network segments, route tables, and gateways. In addition, you can connect a VPC to a traditional IDC through a leased line, VPN, or GRE tunnel to build hybrid cloud services.
API Gateway can also expose APIs for a service deployed in a VPC. Before reading this document, make sure that you understand how to use VPC.
If your backend service runs in a VPC, you must authorize API Gateway to access it before you can open the corresponding APIs. The process of creating such an API is as follows:
In a VPC environment, you must authorize the API gateway so that it can access the service in your VPC. During authorization, you specify the resource and port that the API gateway is allowed to access, such as port 443 of a Server Load Balancer instance or port 80 of an ECS instance.
- After the authorization succeeds, the API gateway accesses resources in the VPC instance through the intranet.
- This authorization is only used for the API gateway to access corresponding backend resources.
- The API gateway cannot access unauthorized resources or ports.
For example, if only port 80 of Server Load Balancer 1 in VPC 1 is authorized to the API gateway, the API gateway can only access this port.
(1) Buy Server Load Balancer and ECS instances in the VPC environment and build the service. For more information, see the VPC user manual.
(2) Query the VPC information. Prepare the following:
- VPC ID: Indicates the ID of the VPC where your backend service is located.
- Instance ID: Indicates the ID of the instance of your backend service. The instance can be an ECS instance or a Server Load Balancer instance. If a Server Load Balancer instance is used, enter its instance ID.
- Port number: Indicates the port through which your backend service is called.
Click API Gateway Console > Open API > Authorize VPC, and then click Create Authorization.
Go to the authorization page and enter corresponding information.
- VPC name: Indicates the name of the authorization, which is used to select the backend address when an API is created. Make sure that this name is unique to facilitate further management.
Click OK to complete the authorization.
Repeat the preceding steps if you have multiple VPC instances or need to authorize multiple instances and ports.
The process for creating an API is the same as that for creating other APIs. For more information, see Create an API.
When selecting the backend service address:
- VPC channel: Set this parameter to Use VPC channel.
- VPC authorization: Select the created authorization as required.
Configuration of other parameters for the API is consistent with that for other APIs.
Save the configuration. The API creation is complete.
Optional: You can skip this step if you use Server Load Balancer at the backend.
If ECS serves as the backend service of your API and you have modified the intranet inbound access policy of its security group, you must add an inbound rule that allows access from the egress address of API Gateway.
- Get the egress address: In the API Gateway console, go to Publish APIs > API Groups > group details to view the instance to which the group belongs, and then obtain the egress address from that instance.
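The security-group step above, as an added example that is not Alibaba Cloud's own code: build the single least-privilege inbound rule for the gateway egress address and the backend port (using the ECS AuthorizeSecurityGroup parameter names), and audit existing rules that expose that port more widely than the gateway address. The security group ID and egress IP are placeholders, and the rule list is a constructed sample assumed to resemble DescribeSecurityGroupAttribute output.

```python
"""Build and audit the security-group rule that lets the API Gateway egress
address reach an ECS backend in a VPC (added example, not Alibaba Cloud code)."""
import ipaddress


def gateway_ingress_rule(security_group_id: str, egress_ip: str, backend_port: int) -> dict:
    """Return parameters for one inbound rule: only the gateway's egress
    address, only the backend port. Keys follow the ECS AuthorizeSecurityGroup API."""
    ip = ipaddress.ip_address(egress_ip)  # raises ValueError unless a single IP address
    if not 1 <= backend_port <= 65535:
        raise ValueError(f"invalid port {backend_port}")
    return {
        "SecurityGroupId": security_group_id,
        "IpProtocol": "tcp",
        "PortRange": f"{backend_port}/{backend_port}",
        "SourceCidrIp": f"{ip}/32",
        "NicType": "intranet",  # the gateway reaches the backend over the intranet after authorization
        "Policy": "accept",
        "Description": "API Gateway egress -> backend",
    }


def overly_broad_rules(permissions: list, backend_port: int) -> list:
    """Flag inbound accept rules that expose backend_port to more than a single
    source address, or that open a port range wider than that one port."""
    findings = []
    for p in permissions:
        if p.get("Direction") != "ingress" or p.get("Policy") != "accept":
            continue
        lo, hi = (int(x) for x in p["PortRange"].split("/"))
        all_ports = p.get("IpProtocol", "").lower() == "all" or lo == -1
        if not (all_ports or lo <= backend_port <= hi):
            continue
        net = ipaddress.ip_network(p["SourceCidrIp"], strict=False)
        if net.num_addresses > 1 or all_ports or hi != lo:
            findings.append(p)
    return findings


# Constructed sample: one rule open to the world, one scoped to a placeholder
# gateway egress address, one unrelated SSH rule.
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "10.0.1.5/32"},
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "192.168.0.0/16"},
]

if __name__ == "__main__":
    print(gateway_ingress_rule("sg-PLACEHOLDER", "10.0.1.5", 80))
    print(overly_broad_rules(SAMPLE_PERMISSIONS, 80))
```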
You can test your API using the following methods:
If the authorized resource or port no longer provides services, delete the corresponding authorization.
No. This function is free of charge and no extra cost is required.
Yes. You can add multiple authorizations if your backend service works in multiple VPC instances.
Make sure that the VPC ID, instance ID, and port number are correct and that the authorization policy and VPC are within the same region.
If you authorize the API gateway to access your VPC, the network between the gateway and the VPC is connected. Security restrictions are enforced so that this does not introduce VPC security issues:
- Security control authorization: Only the owner of the VPC can perform authorization.
- Exclusive channel between the API gateway and the VPC after authorization: No one else can use this channel.
- Authorization for the port of a certain resource: The gateway does not have the permission to access other ports or resources.