Apigateway_VPC

Last Updated: Jun 11, 2018

Alibaba Cloud Virtual Private Cloud (VPC) helps you establish an isolated network environment and customize the IP address range, network segment, route table, and gateway. In addition, you can implement interconnection between VPC and traditional IDC through a leased line, VPN, or GRE to build hybrid cloud services.

The API gateway can also expose APIs for a backend service that is deployed in a VPC. Before reading this document, make sure that you are familiar with how VPC works.

If your backend service runs in a VPC, you must authorize the API gateway before you can expose APIs for that service. The process for creating such an API is as follows:

1 Authorize and bind a VPC instance

In a VPC environment, you must authorize the API gateway so that it can reach the service in your VPC. During authorization, you specify exactly which resource and which port the API gateway may access, for example port 443 of a Server Load Balancer instance or port 80 of an ECS instance.

  • After the authorization succeeds, the API gateway accesses resources in the VPC instance through the intranet.
  • This authorization is only used for the API gateway to access corresponding backend resources.
  • The API gateway cannot access unauthorized resources or ports.

For example, if only port 80 of Server Load Balancer 1 in VPC 1 is authorized to the API gateway, the API gateway can only access this port.

1.1 Prepare for a VPC environment

(1) Buy Server Load Balancer and ECS instances in the VPC environment and build the service. For more information, see VPC user manual.

(2) Query the VPC information. Prepare the following VPC information:

  • VPC ID: The ID of the VPC in which your backend service is located.
  • Instance ID: The ID of the instance that hosts your backend service. The instance can be an ECS instance or a Server Load Balancer instance; if a Server Load Balancer instance is used, enter its instance ID.
  • Port number: The port on which your backend service listens. This is the only port the API gateway will be able to reach.

1.2 Authorize the API gateway for access

Click API Gateway Console > Open API > Authorize VPC, and then click Create Authorization.

Go to the authorization page and enter corresponding information.

  • VPC name: The name of this authorization. It is used to select the backend address when an API is created, so make sure that the name is unique to keep later management simple.

Click OK to complete the authorization.

Repeat the preceding steps if you have multiple VPC instances or need to authorize multiple instances and ports.

2 Create an API

The process for creating an API is the same as that for creating other APIs. For more information, see Create an API.

When selecting the backend service address:

  • VPC channel: Set this parameter to Use VPC channel.
  • VPC authorization: Select the created authorization as required.

Configuration of other parameters for the API is consistent with that for other APIs.

Save the configuration. The API creation is complete.

3 Authorize a security group

Optional: You can skip this step if a Server Load Balancer instance is the backend and you have not modified the inbound policy of the ECS security group.

If an ECS instance is the backend of your API and you have modified the intranet inbound policy of its security group, you must add an inbound rule that allows access from the API gateway's source IP range. Use the range for the region in which your service is located; do not open the port to a wider range than the one listed.

Region                            Direction          Source IP address range
China East 1 (Hangzhou)           Intranet inbound   100.104.13.0/24
China North 2 (Beijing)           Intranet inbound   100.104.106.0/24
China South 1 (Shenzhen)          Intranet inbound   100.104.8.0/24
China East 2 (Shanghai)           Intranet inbound   100.104.8.0/24
Hong Kong                         Intranet inbound   100.104.175.0/24
Asia Pacific SE 1 (Singapore)     Intranet inbound   100.104.175.0/24
EU Central 1 (Frankfurt)          Intranet inbound   100.104.72.0/24
Asia Pacific SE 3 (Kuala Lumpur)  Intranet inbound   100.104.112.0/24
Asia Pacific SOU 1 (Mumbai)       Intranet inbound   100.104.233.0/24
Asia Pacific SE 5 (Jakarta)       Intranet inbound   100.104.72.0/24
Asia Pacific NE 1 (Tokyo)         Intranet inbound   100.104.188.0/24
Asia Pacific SE 2 (Sydney)        Intranet inbound   100.104.143.192/26
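The following Python script is an added example, not part of the original page and not Alibaba Cloud tooling. It encodes the table above, builds the least-privilege security group rule for a given region and backend port, and then audits two things a practitioner wants checked after step 3: whether any existing inbound rule on that port is wider than the gateway range (0.0.0.0/0, or a supernet of the listed range), and whether the backend's access log shows callers that did not come from the gateway range at all. The region IDs used as keys, the rule field names (modelled on the ECS AuthorizeSecurityGroup parameters) and the log line format are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Sequence

# Gateway intranet source range per region, copied from the table above.  Keys
# are Alibaba Cloud region IDs; mapping the table's display names (in the
# comments) to these IDs is this example's assumption.
GATEWAY_SOURCE_RANGES: Dict[str, str] = {
    "cn-hangzhou": "100.104.13.0/24",        # China East 1 (Hangzhou)
    "cn-beijing": "100.104.106.0/24",        # China North 2 (Beijing)
    "cn-shenzhen": "100.104.8.0/24",         # China South 1 (Shenzhen)
    "cn-shanghai": "100.104.8.0/24",         # China East 2 (Shanghai)
    "cn-hongkong": "100.104.175.0/24",       # Hong Kong
    "ap-southeast-1": "100.104.175.0/24",    # Asia Pacific SE 1 (Singapore)
    "eu-central-1": "100.104.72.0/24",       # EU Central 1 (Frankfurt)
    "ap-southeast-3": "100.104.112.0/24",    # Asia Pacific SE 3 (Kuala Lumpur)
    "ap-south-1": "100.104.233.0/24",        # Asia Pacific SOU 1 (Mumbai)
    "ap-southeast-5": "100.104.72.0/24",     # Asia Pacific SE 5 (Jakarta)
    "ap-northeast-1": "100.104.188.0/24",    # Asia Pacific NE 1 (Tokyo)
    "ap-southeast-2": "100.104.143.192/26",  # Asia Pacific SE 2 (Sydney)
}


def gateway_network(region: str) -> ipaddress.IPv4Network:
    """Gateway source range for `region`; an unknown region is an error, never
    a silent fallback to a wider range."""
    if region not in GATEWAY_SOURCE_RANGES:
        raise ValueError(f"no API gateway source range known for {region!r}")
    return ipaddress.IPv4Network(GATEWAY_SOURCE_RANGES[region])


def ingress_rule(region: str, port: int) -> Dict[str, str]:
    """Least-privilege inbound rule: TCP, one port, gateway range only.  Field
    names follow the ECS AuthorizeSecurityGroup parameters (assumed here)."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return {"NicType": "intranet", "IpProtocol": "tcp",
            "PortRange": f"{port}/{port}",
            "SourceCidrIp": str(gateway_network(region)), "Policy": "accept"}


def _covers_port(port_range: str, port: int) -> bool:
    """ECS port ranges are written 'low/high'; '-1/-1' means every port."""
    low, high = (int(p) for p in port_range.split("/"))
    return low == -1 or low <= port <= high


def overly_broad_rules(region: str, port: int, rules: Iterable[Dict[str, str]],
                       extra_allowed: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Accept rules that expose `port` to any source outside the gateway range
    (or an explicitly allowed extra range, e.g. a bastion).  A supernet of the
    gateway range is flagged too: it admits callers that bypass the gateway."""
    allowed = [gateway_network(region)]
    allowed += [ipaddress.ip_network(c, strict=False) for c in extra_allowed]
    flagged = []
    for rule in rules:
        if rule.get("Policy", "accept") != "accept":
            continue
        if rule.get("IpProtocol", "tcp") not in ("tcp", "all"):
            continue
        if not _covers_port(rule["PortRange"], port):
            continue
        src = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            flagged.append(rule)
    return flagged


# Access-log line format used by this example (constructed, not a product log).
LOG_LINE = re.compile(r"src=(?P<src>[0-9A-Fa-f.:]+)\s+dport=(?P<dport>\d+)")


def unexpected_sources(region: str, port: int, log_lines: Iterable[str]) -> List[str]:
    """Source IPs that reached `port` from outside the gateway range, in
    first-seen order.  Any hit is a caller that bypassed the gateway (and its
    authentication and throttling): the security group is wider than intended."""
    gw = gateway_network(region)
    offenders: List[str] = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or int(m.group("dport")) != port:
            continue
        if ipaddress.ip_address(m.group("src")) not in gw and m.group("src") not in offenders:
            offenders.append(m.group("src"))
    return offenders
```

For a Sydney backend on port 443, `ingress_rule("ap-southeast-2", 443)` yields the single rule to add (source 100.104.143.192/26, port 443/443). Feed the security group's current rules to `overly_broad_rules` and a sample of the backend's access log to `unexpected_sources`; a non-empty result from either means the backend can be reached without going through the gateway, which defeats the point of fronting it with one. Note that a rule such as 100.104.143.0/24 is flagged even though it contains the gateway range, because it also admits other hosts in that /24.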

4 Test the API

You can test your API using the following methods:

5 Revoke authorization

If an authorized resource or port no longer provides the service, delete the corresponding authorization so that the API gateway's access to it is revoked.

6 FAQ

Is there an extra cost for using this function?

No. This function is free of charge.

Can I bind multiple VPC instances?

Yes. You can add multiple authorizations if your backend service works in multiple VPC instances.

Why cannot I authorize my VPC?

Make sure that the VPC ID, instance ID, and port number are correct, and that the authorization is created in the same region as the VPC.

If I authorize the API gateway, is my VPC secure?

Authorizing the API gateway establishes a network path between the gateway and your VPC, but that path is restricted in the following ways:

  1. Authorization is controlled: only the owner of the VPC can grant it.
  2. The channel between the API gateway and the VPC is exclusive to the authorization: other accounts cannot use it.
  3. Authorization is scoped to one port of one resource: the gateway has no permission to access other ports or resources.