gpt4 book ai didi

amazon-web-services - AWS - 从公共(public) API 网关到 VPC 内 lambda 的路由

转载 作者:行者123 更新时间:2023-12-03 16:22:02 25 4
gpt4 key购买 nike

问题

从面向公众的 AWS 网络中的 API 网关到 VPC 子网中的 Lambda 函数,流量流经哪里?

Introducing Amazon API Gateway Private Endpoints

With this launch, you could build API-based services that did not require a publicly available endpoint. They could still interact with private services, such as databases, inside your VPC. enter image description here



背景

当 lambda 不在 VPC 中(在 AWS 面向公众的网络中)时,流量会通过 Internet。但不确定 lambda 何时在 VPC 中。

在 AWS 控制台中,我在 VPC 中创建了一个 lambda 函数,并确认 API 网关(不在 VPC 中)可以连接到 VPC 中的 lambda。

由于 lambda 在 VPC 中的子网中,它没有公共(public) IP,所以它不应该通过 Internet。但是,如 API Gateway Private Integration 中所述,没有用于从 API 网关连接到 VPC 中的 NLB 的 VPC 专用链接。 .

因此,我不知道交通流经的地方。

enter image description here

地形

地形 aws_api_gateway_integration资源, 连接类型 说:

(Optional) The integration input's connectionType. Valid values are INTERNET (default for connections through the public routable internet), and VPC_LINK (for private connections between API Gateway and a network load balancer in a VPC).



因此,它看起来可能会通过 Internet,因为 connection_type 默认为 INTERNET,而 VPC_LINK 当前用于 API Gateway Private Integration with NLB。
# Variables
variable "myregion" {
default = "us-east-2"
}

variable "accountId" {

default = var.account_id
}

# API Gateway
resource "aws_api_gateway_rest_api" "api" {
name = "api-lambda-vpc-test"
}

resource "aws_api_gateway_resource" "resource" {
path_part = "resource"
parent_id = "${aws_api_gateway_rest_api.api.root_resource_id}"
rest_api_id = "${aws_api_gateway_rest_api.api.id}"
}

resource "aws_api_gateway_method" "method" {
rest_api_id = "${aws_api_gateway_rest_api.api.id}"
resource_id = "${aws_api_gateway_resource.resource.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "integration" {
rest_api_id = "${aws_api_gateway_rest_api.api.id}"
resource_id = "${aws_api_gateway_resource.resource.id}"
http_method = "${aws_api_gateway_method.method.http_method}"
integration_http_method = "POST"
type = "AWS_PROXY"
uri = "${aws_lambda_function.lambda.invoke_arn}"
}

# Lambda
resource "aws_lambda_permission" "apigw_lambda" {
statement_id = "AllowExecutionFromAPIGateway"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.lambda.function_name}"
principal = "apigateway.amazonaws.com"

# More: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
source_arn = "arn:aws:execute-api:${var.myregion}:${var.accountId}:${aws_api_gateway_rest_api.api.id}/*/${aws_api_gateway_method.method.http_method}${aws_api_gateway_resource.resource.path}"
}

resource "aws_lambda_function" "lambda" {
filename = "lambda.zip"
function_name = "mylambda"
role = "${aws_iam_role.role.arn}"
handler = "lambda.lambda_handler"
runtime = "python3.6"

vpc_config {
security_group_ids = var.sg_ids
subnet_ids = var.subnet_ids
}
# The filebase64sha256() function is available in Terraform 0.11.12 and later
# For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
# source_code_hash = "${base64sha256(file("lambda.zip"))}"
source_code_hash = "${filebase64sha256("lambda.zip")}"
}

# IAM
resource "aws_iam_role" "role" {
name = "myrole"

assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
data "aws_iam_policy" "admin" {
arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
resource "aws_iam_role_policy_attachment" "admin" {
role = "${aws_iam_role.role.id}"
policy_arn = "${data.aws_iam_policy.admin.arn}"
}

最佳答案

正如@Marcin 所回答的那样,它通过 AWS 内部网络。

目前我对 API Gateway 集成的理解(如有错误请纠正我)。

希望其他人不必通过同样的努力来弄清楚它们。

enter image description here

更新

根据 How API Gateway talk to Firehose VPC endpoint ,目前的理解是 API 网关与 AWS 服务对话,这些服务不在 VPC 中,在 AWS 网络内部,而不是通过 Internet。

enter image description here
enter image description here

关于amazon-web-services - AWS - 从公共(public) API 网关到 VPC 内 lambda 的路由,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60678826/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com