
API Gateway: Use API Gateway to access a backend service in a VPC

Last Updated: May 27, 2026

Create and publish an API with a VPC resource as the backend service, then call the API by using an AppCode. An AppCode is automatically generated when you set the API authentication method to Alibaba Cloud App.

Prerequisites

Note
  • SLB and ECS instances must be created, and a service must be running in the VPC.

  • In this example, an ECS instance in a VPC runs a web service deployed with Nginx on port 80.

Process

Complete the following steps to configure API Gateway access to a VPC backend service:

Create a VPC access authorization

Create a VPC access authorization to allow API Gateway to access your VPC.

  1. Log on to the API Gateway console. In the top navigation bar, select a region. In the navigation pane on the left, choose Manage APIs > VPCs.

  2. On the VPC Access Authorizations page, click Create Authorization in the upper-right corner.

  3. In the Create VPC Access dialog box, specify the VPC Access Name, VPC Id, Instance ID or IP Address, and Port Number parameters.


    Note
    • You can specify a domain name in the Host field to access a vhost on an SLB or ECS instance.

    • In VPC Id, enter the ID of the VPC where your backend service resides. In Instance ID or IP Address, enter the instance ID or private IP address. You can find this information in the ECS instance details.

Important

For Application Load Balancer (ALB) instances, the network type must be VPC, and you cannot change the network type to Internet after you create the authorization. Otherwise, requests may fail to be sent to API Gateway, and you are responsible for the consequences.

Create an API group

APIs are organized in groups. Create an API group before you create an API.

  1. Log on to the API Gateway console. In the navigation pane on the left, choose Manage APIs > API Groups. On the API Groups page, click Create Group in the upper-right corner.

  2. In the Create Group dialog box, select Instances, set Group Name to nginx-demo and BasePath to /, and then click Confirm.


Note
  • On the API Groups page, view the created group and click the group name to go to the Group Details page. You can perform operations such as Bind Domain Name and Modify Basic Information.

  • API Gateway automatically assigns a public second-level domain name to the API group. This domain name is for debugging only and is limited to 100 calls per day in the China (Hong Kong) region and other regions outside the Chinese mainland, or 1,000 calls per day in regions in the Chinese mainland. Bind an independent domain name after you create an API group.

Create an API

  1. Log on to the API Gateway console. In the top navigation bar, select a region. In the navigation pane on the left, choose Manage APIs > API Groups.

  2. On the API Groups page, in the Actions column for the nginx-demo group you created, click Manage APIs.

  3. On the APIs page, click Create API in the upper-right corner.

  4. In the Basic Information step of the Create API wizard, configure the following parameters and click Next.

    Parameter                  Example
    Group                      nginx-demo
    API Name                   nginx-test
    Security Authentication    Alibaba Cloud App
    AppCode Authentication     Enable AppCode Authentication (Header & Query)
    Signature Algorithm        HMAC_SHA256


  5. In the Define API Request step, configure the following parameters and click Next.

    Parameter       Example
    Protocol        HTTP and HTTPS
    Request Path    /nginx
    HTTP Method     GET
    Request Mode    Pass-through


    Note

    This step defines how clients (web browsers, mobile apps, or business systems) request the API. In this example, Request Mode is set to Pass-through, which means API Gateway forwards requests to the VPC backend service without processing them.

  6. In the Define Backend Service step, configure the following parameters and click Next.

    Parameter                         Example
    Configuration Mode                Customize Backend Service
    Backend Service Type              VPC
    VPC Access Name                   ***-microservice
    Backend Request Path              /
    HTTP Method                       GET
    Backend Service Timeout Period    10000


    Note

    This step configures the backend service type and URL. In this example, VPC is specified for Backend Service Type, the VPC access authorization you created earlier is specified for VPC Access Name, and a path is specified for Backend Request Path.

  7. In the Define Response step, configure the parameters on the page as needed and then click Create.


    Note

    This step specifies response information for API documentation. You can set Response ContentType, Response Example, and Error Response Example. This example skips these settings. Click Create.

  8. In the message that appears, click Publish.


  9. In the Publish API dialog box that appears, set Environment to Release, enter remarks in the Remarks section, and then click Publish.


    Note

    API modifications take effect only after you publish the API to the corresponding environment. API Gateway provides three environments: Release, Pre, and Test.

Create an application and authorize the application to call the API

An application is the identity used to call an API. In the Create an API step, the authentication type is set to Alibaba Cloud App. After publishing the API, create and authorize an application to call it.

Create an application

  1. Log on to the API Gateway console. In the top navigation bar, select a region. In the navigation pane on the left, choose Call APIs > Apps.

  2. On the Apps page, click Create App in the upper-right corner.

  3. In the Create App dialog box, configure the App Name parameter and click Confirm.


  4. On the Apps page, click the name of the application that you created to go to the App Details page. Two authentication modes are provided for the security authentication method Alibaba Cloud App: an AppKey and AppSecret pair and an AppCode. In this example, an AppCode is used. For more information, see Call an API in simple authentication mode.


Authorize the application to call the API

  1. Log on to the API Gateway console. In the top navigation bar, select a region. In the navigation pane on the left, choose Manage APIs > APIs.

  2. On the APIs page, find the nginx-test API and in the Actions column, click image > Authorize.

  3. On the Authorize page, set the Environment parameter to Release. Enter the name of the application you created in the search bar of the Choose Apps for Authorization section. In the search result, select the created application, click Add in the Actions column, and then click Confirm. A message appears to inform you that the application is authorized to call the API.


Allow the egress IP addresses of API Gateway in a security group

If the security group of your ECS instance does not allow all CIDR blocks over a specified port, add the egress IP addresses of the API Gateway instance where the API group resides to the security group.

  1. Log on to the API Gateway console. In the navigation pane on the left, choose Manage APIs > API Groups. On the API Groups page, click the name of the API group that you created.

  2. On the Group Details page, view the Instance Type parameter.

  3. In the navigation pane on the left, choose Instances and Clusters > Shared Instances or Instances and Clusters > Dedicated Instances based on the instance type that you obtained. On the page that appears, find the instance by its instance ID and check its Outbound Addresses parameter to view the egress IP addresses of the instance.


  4. Log on to the ECS console. In the navigation pane on the left, choose Instances & Images > Instances. Click the created ECS instance to go to the details page. Click the Security Groups tab and click the security group that you want to manage. On the Security Group Details tab, click the Inbound tab and then click Quick Add. In the Quick Add dialog box, configure the egress IP addresses of API Gateway.
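A way to check the result of the steps above, as an added example that is not part of the original documentation: it compares a security group's inbound rules with the gateway's Outbound Addresses and reports which egress IPs are still blocked on the backend port and which rules admit more sources than the gateway uses. The rule dictionaries, their field names, and all addresses are constructed for illustration; the "start/end" port range form (with -1/-1 meaning all ports) is assumed to match how ECS security groups express ranges.

```python
import ipaddress

# Constructed sample data. Field names are illustrative, not the ECS API's.
GATEWAY_EGRESS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
INBOUND_RULES = [
    {"policy": "accept", "protocol": "tcp", "port_range": "80/80", "source_cidr": "203.0.113.10/32"},
    {"policy": "accept", "protocol": "tcp", "port_range": "80/80", "source_cidr": "203.0.113.0/24"},
    {"policy": "accept", "protocol": "tcp", "port_range": "22/22", "source_cidr": "0.0.0.0/0"},
    {"policy": "drop", "protocol": "tcp", "port_range": "80/80", "source_cidr": "198.51.100.7/32"},
]


def port_bounds(port_range):
    """Parse a 'start/end' port range; '-1/-1' stands for every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)


def audit_inbound(rules, gateway_egress_ips, port):
    """Return (missing, too_broad) for the backend port.

    missing:   gateway egress IPs that no accept rule admits on `port`
    too_broad: source CIDRs that admit `port` from more addresses than
               the gateway egress IPs they cover
    Only accept rules are evaluated; rule priority is not modelled.
    """
    egress = [ipaddress.ip_address(ip) for ip in gateway_egress_ips]
    missing = set(egress)
    too_broad = []
    for rule in rules:
        if rule["policy"] != "accept" or rule["protocol"] not in ("tcp", "all"):
            continue
        lo, hi = port_bounds(rule["port_range"])
        if not lo <= port <= hi:
            continue
        net = ipaddress.ip_network(rule["source_cidr"], strict=False)
        covered = {ip for ip in egress if ip in net}
        missing -= covered
        if net.num_addresses > len(covered):
            too_broad.append(rule["source_cidr"])
    return sorted(str(ip) for ip in missing), too_broad


if __name__ == "__main__":
    missing, too_broad = audit_inbound(INBOUND_RULES, GATEWAY_EGRESS, port=80)
    print("egress IPs still blocked:", missing)
    print("rules wider than the gateway needs:", too_broad)
```

Port 80 matches the Nginx backend in this walkthrough; an empty first list together with an empty second list means the group admits exactly the gateway's addresses on that port.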


Debug the API

Use online debugging to verify that an API is correctly configured before calling it from clients.

Note
  • The Debug page supports request messages of up to 512 KB. For larger messages, use an SDK to debug the API.

  • The configured instance blacklists, whitelists, and IP address-based access control plug-ins must allow 47.245.113.207.

  • You cannot use this page to debug the JWT plug-in.

  • Only public domain names are supported for debugging.

  1. Log on to the API Gateway console. In the navigation pane on the left, choose Call APIs > Debug.

  2. On the Debug page, select the nginx-test API that you created, select Use AppCode as the Authentication Method, and then click Send Request. The response shown in the following figure indicates that the configuration is successful.


    If the debugging fails, see the following documents:

Call the API

For more information, see Client-based API calls.
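A client-side sketch for the nginx-test API created above, as an added example that is not part of the original documentation. Because the API accepts both HTTP and HTTPS and the AppCode in either the header or the query string, the helper sends the AppCode only in the header over HTTPS, and a second function masks AppCode values in log lines. The `Authorization: APPCODE <AppCode>` header form and the `AppCode` query parameter name come from API Gateway's simple authentication mode rather than from this page; the host name and AppCode values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit
from urllib.request import Request

_QUERY_APPCODE = re.compile(r'([?&]appcode=)[^&\s"]+', re.IGNORECASE)
_HEADER_APPCODE = re.compile(r"(APPCODE\s+)\S+")


def build_appcode_request(url, appcode):
    """Build a GET request that carries the AppCode in the Authorization header."""
    parts = urlsplit(url)
    # The AppCode is a static secret: refuse cleartext HTTP, and refuse URLs
    # that already carry it in the query string, where proxies and access
    # logs would record it.
    if parts.scheme != "https":
        raise ValueError("AppCode must only be sent over HTTPS")
    if re.search(r"(^|&)appcode=", parts.query, re.IGNORECASE):
        raise ValueError("pass the AppCode in the header, not the query string")
    return Request(url, method="GET", headers={"Authorization": f"APPCODE {appcode}"})


def redact(line):
    """Mask AppCode values in a log line (query-string and header forms)."""
    line = _QUERY_APPCODE.sub(r"\1[REDACTED]", line)
    return _HEADER_APPCODE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    # Constructed values: api.example.com stands in for the domain bound to
    # the API group, and the AppCode is a placeholder. The request is built
    # but not sent; pass it to urllib.request.urlopen to call the API.
    req = build_appcode_request("https://api.example.com/nginx", "constructed-appcode")
    print(req.get_method(), req.full_url)
    print(redact("Authorization: " + req.get_header("Authorization")))
    print(redact("GET /nginx?AppCode=constructed-appcode&x=1 HTTP/1.1"))
```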
