Alibaba Cloud Virtual Private Cloud (VPC) allows you to build an isolated network and customize its configurations, such as the IP address range, Classless Inter-Domain Routing (CIDR) block, route table, and gateway. You can also build a hybrid cloud architecture by connecting your VPCs to data centers over virtual private networks (VPNs), Express Connect circuits, or Generic Routing Encapsulation (GRE) tunnels.

API Gateway allows you to create API operations for services that are deployed in VPCs. Before you begin, familiarize yourself with VPC. For more information, see the product details page of VPC.

To use a service in a VPC as the backend service of an API operation, you must first authorize API Gateway to access the VPC. The following flowchart shows how to create an API operation for a service that is deployed in a VPC.

1. Authorize API Gateway to access a VPC

To create an API operation for a service that is deployed in a VPC, you must first authorize API Gateway to access the service in the VPC. You can authorize API Gateway to access specific resources in the VPC by using a specific port, such as port 443 of a Server Load Balancer (SLB) instance or port 80 of an Elastic Compute Service (ECS) instance.

  • After authorization, API Gateway can access the resources in the VPC by using the specific port.
  • The authorization applies only when API Gateway accesses the resources in the VPC to handle API calls.
  • API Gateway can access only the resources that it is authorized to access, and only by using the authorized port.

For example, if you authorize API Gateway to use only port 80 of an SLB instance named SLB 1 in a VPC named VPC 1, API Gateway can only access SLB 1 in VPC 1 by using port 80. API Gateway cannot access VPC 2 or other instances in VPC 1.

1.1 Create and configure a VPC

(1) Create a VPC and configure an SLB instance and an ECS instance in the VPC. Deploy a service that you want to use as the backend service in the VPC.

(2) Before you authorize API Gateway, you must obtain the following information about the VPC:

  • VPC ID: the ID of the VPC.
  • Instance ID: the ID of the instance where the backend service is deployed. It can be the ID of an ECS or SLB instance.
  • Port number: the port number that you want to authorize API Gateway to use for accessing the backend service.

1.2 Authorize API Gateway

Log on to the API Gateway console. In the left-side navigation pane, choose Publish APIs > VPC Access. On the VPC Access List page, click Create VPC Access.

In the Create VPC Access dialog box, set relevant parameters.

  • VPC Access Name: the name of the current authorization entry. You can select this name when you configure the backend service of an API operation. Make sure that the name is unique in API Gateway, which facilitates subsequent management.

Click OK.

If you need to authorize API Gateway to access multiple VPCs, instances, or ports, repeat the preceding steps.

2. Create an API operation

The procedure for creating an API operation with a service in a VPC as the backend service is basically the same as that for creating API operations with other types of backend services. For more information, see Create an API operation.

When you configure the backend service of the API operation, set the following parameter as required:

  • Set the VPC Access Name parameter to the name of the authorization entry that you created.

Other configurations are the same as those of API operations with other types of backend services.

After you complete the configurations, the API operation is created. Proceed to the next step.

3. Add API Gateway to a security group

This step is optional. If the backend service of the API operation is connected to an SLB instance, you can skip this step.

Assume that the backend service of the API operation is deployed on an ECS instance, and that you have defined a security group rule that restricts inbound traffic from internal networks to the ECS instance. In this case, you must add the outbound IP address of the API group to which the API operation belongs as an allowed source in that security group rule.

Obtain the outbound IP address of the API group

The outbound IP address of an API group is the outbound IP address of the instance to which the API group belongs. To obtain the outbound IP address of the instance, log on to the API Gateway console. In the left-side navigation pane, choose Publish APIs > API Groups. On the Group List page, find the target API group and click the group name. On the Group Details page, view information about the instance to which the API group belongs.

In the left-side navigation pane, click Instances. On the Instance list page, find the target instance. The value of the VPC Network Egress Address parameter is the outbound IP address of the API group.
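A check for this step, added here as an example that is not part of the Alibaba Cloud documentation: given the ECS instance's internal-network security group rules (shaped like the Permission records that ECS DescribeSecurityGroupAttribute returns, with constructed values), it reports whether the API group's VPC Network Egress Address is allowed on the backend port and flags Accept rules that open that port to more than that single address. The egress address, backend port and rule evaluation order (lowest Priority value wins, Drop beats Accept at equal priority) are assumptions stated in the code.

```python
import ipaddress

# Constructed sample rules shaped like the "Permission" records returned by
# ECS DescribeSecurityGroupAttribute; all addresses below are made up.
API_GROUP_EGRESS_IP = "10.1.2.3"  # assumed "VPC Network Egress Address" value
BACKEND_PORT = 80                 # assumed port from the VPC access entry
SAMPLE_RULES = [
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8",
     "Policy": "Accept", "NicType": "intranet", "Priority": 1},
    {"IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "10.1.2.3/32",
     "Policy": "Accept", "NicType": "intranet", "Priority": 1},
    {"IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "NicType": "intranet", "Priority": 100},
]

def covers_port(rule, port):
    """True when an internal-network rule applies to TCP traffic on this port."""
    proto = rule["IpProtocol"].upper()
    if rule["NicType"] != "intranet" or proto not in ("TCP", "ALL"):
        return False
    if proto == "ALL":
        return True
    lo, hi = (int(x) for x in rule["PortRange"].split("/"))
    return lo <= port <= hi

def rule_matches(rule, src_ip, port):
    """True when the rule covers both the port and the source IP."""
    network = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
    return covers_port(rule, port) and ipaddress.ip_address(src_ip) in network

def effective_policy(rules, src_ip, port):
    """Policy applied to a packet from src_ip to port. Assumed ECS evaluation
    order: lowest Priority value wins, Drop beats Accept at equal priority,
    and a packet that matches no rule is dropped."""
    matching = [r for r in rules if rule_matches(r, src_ip, port)]
    if not matching:
        return "Drop"
    best = min(r["Priority"] for r in matching)
    top = [r["Policy"] for r in matching if r["Priority"] == best]
    return "Drop" if "Drop" in top else "Accept"

def audit_backend_rules(rules, egress_ip=API_GROUP_EGRESS_IP, port=BACKEND_PORT):
    """Return (gateway_allowed, broad_rules): whether the API group's egress IP
    reaches the backend port, and which Accept rules open that port to more
    than one host (candidates for tightening to the egress IP alone)."""
    allowed = effective_policy(rules, egress_ip, port) == "Accept"
    broad = [r for r in rules if r["Policy"] == "Accept" and covers_port(r, port)
             and ipaddress.ip_network(r["SourceCidrIp"], strict=False).prefixlen < 32]
    return allowed, broad
```

On the sample rules the gateway address is allowed, but the 0.0.0.0/0 rule is reported because it lets any internal host reach port 80, not only API Gateway.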

4. Test the API operation

You can test the API operation by using the following methods:

5. Revoke authorization

If the authorized resources or ports no longer provide services, delete the relevant authorization entries.

6. FAQ

Does API Gateway have a service charge?

No, API Gateway does not charge fees for the service itself.

Can I authorize API Gateway to access multiple VPCs?

If you need to use multiple services that are deployed in multiple VPCs as backend services, you can authorize API Gateway to access the VPCs by creating multiple authorization entries in API Gateway.

Why am I unable to authorize API Gateway to access a VPC?

If you are unable to authorize API Gateway to access a VPC, check whether the ID of the VPC, the ID of the instance on which the backend service is deployed, and the port number that you entered are correct. Make sure that the authorization entry is created in the region where the VPC resides.

Will the security of a VPC be affected after I authorize API Gateway to access the VPC?

After you authorize API Gateway to access a VPC, API Gateway can access the VPC. The following built-in security policies in API Gateway ensure that the security of a VPC is not affected when API Gateway accesses the VPC:

  1. Only the owner of a VPC can authorize API Gateway to access the VPC.
  2. After API Gateway is authorized to access a VPC, an exclusive connection is established between API Gateway and the VPC. This connection cannot be used for other purposes.
  3. When you authorize API Gateway to access a VPC, you can authorize API Gateway to access specific resources by using a specific port. In this way, API Gateway cannot access other resources or use other ports.