# Project 2: Secure Access via API Gateway

## Overview

This project integrates Amazon API Gateway with the Enterprise E-Commerce App built in Project 1.
## Integration Logic

Instead of a standalone setup, this project bridges the public internet and our private EKS cluster.

### 1. The Challenge

- Our EKS services run in private subnets.
- They are exposed via an internal Network Load Balancer (NLB).
- We cannot reach this NLB from the internet directly.
### 2. The Solution: VPC Link

We use API Gateway's VPC Link feature, which places Elastic Network Interfaces inside our VPC so the gateway has a private path to the internal NLB without exposing the NLB to the internet.

```mermaid
graph LR
    User -->|HTTPS| APIGW[API Gateway]
    APIGW -->|VPC Link| ENI[Elastic Network Interface]
    ENI -->|Private IP| NLB[Internal NLB]
    NLB -->|Traffic| Pods[EKS Pods]
```
## Implementation (Terraform)

This code lives in `EKS_Microservices_Project/infra/app_integration.tf` but is conceptually the core of Project 2.

### Step 1: Identify the NLB

We use a Terraform data source to find the NLB created by the EKS module in Project 1.

```hcl
data "aws_lb" "eks_nlb" {
  tags = {
    "kubernetes.io/service-name" = "default/ecommerce-service"
  }
}
```
### Step 2: Create the Link

```hcl
resource "aws_apigatewayv2_vpc_link" "eks_link" {
  name               = "ecommerce-link"
  security_group_ids = [aws_security_group.link_sg.id]
  subnet_ids         = module.vpc.private_subnets
}
```
### Step 3: Define the Route

Each microservice endpoint in Project 1 (`/orders`, `/products`) gets a route here.

```hcl
resource "aws_apigatewayv2_route" "orders_route" {
  api_id    = aws_apigatewayv2_api.ecommerce_api.id
  route_key = "ANY /api/v1/orders"
  target    = "integrations/${aws_apigatewayv2_integration.orders_integration.id}"
}
```
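Step 2 references `aws_security_group.link_sg` and Step 3 references `aws_apigatewayv2_integration.orders_integration`, neither of which is shown above. The following is an added example of how both can be defined, not the project's own code; it assumes the NLB listens on port 80 for `ecommerce-service` and that the VPC module exposes `vpc_id` and `private_subnets_cidr_blocks` outputs.

```hcl
# Security group attached to the VPC Link ENIs. The link only initiates
# connections toward the NLB, so it needs no ingress rules, and egress is
# restricted to the private subnet CIDRs on the service port.
resource "aws_security_group" "link_sg" {
  name        = "ecommerce-vpc-link-sg"
  description = "Egress from API Gateway VPC Link to the internal NLB only"
  vpc_id      = module.vpc.vpc_id # assumption: output of the VPC module

  egress {
    description = "Service port on the internal NLB"
    from_port   = 80 # assumption: NLB listener port for ecommerce-service
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = module.vpc.private_subnets_cidr_blocks # assumption: VPC module output
  }
}

# An HTTP API VPC Link integration targets the NLB *listener* ARN,
# not the load balancer ARN returned by data.aws_lb.eks_nlb.
data "aws_lb_listener" "eks_nlb_http" {
  load_balancer_arn = data.aws_lb.eks_nlb.arn
  port              = 80
}

# Proxy integration that forwards matched requests through the VPC Link
# to the NLB listener. Step 3's route points at this integration.
resource "aws_apigatewayv2_integration" "orders_integration" {
  api_id             = aws_apigatewayv2_api.ecommerce_api.id
  integration_type   = "HTTP_PROXY"
  integration_method = "ANY"
  integration_uri    = data.aws_lb_listener.eks_nlb_http.arn
  connection_type    = "VPC_LINK"
  connection_id      = aws_apigatewayv2_vpc_link.eks_link.id
}
```

If the NLB itself carries a security group, it must allow ingress from `link_sg` on the same port or the VPC Link traffic will be dropped. Note that the route in Step 3 attaches no authorizer, so this configuration provides private reachability to the cluster, not authentication of callers.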
## Setup Guide

- Ensure the Project 1 infrastructure is applied.
- Navigate to `EKS_Microservices_Project/infra`. The API Gateway code is already integrated into the main stack.
- Run `terraform apply` to update the routes if you added new microservices.