
AWS - For outgoing requests to external services, should I use AWS API Gateway or NAT Gateway to call external web services from a private subnet?

Scenarios where AWS API Gateway is being used? Is this only for incoming services, or for outgoing services also? Is NAT Gateway the preferred way of calling external services via the Internet Gateway? Can that be replaced by AWS API Gateway? Will the latter provide more security?

Two ways of calling external services:

Option 1 - a) Configure the private subnet components to use the NAT Gateway via the route table. b) The request would be routed from private subnet -> NAT Gateway -> Internet Gateway -> external service?

Option 2 - a) Configure the private subnet to call AWS API Gateway in the public subnet via route tables. b) The request would be routed via private subnet -> AWS API Gateway -> external service?

Kindly let me know which option seems better?

You are mixing things up.

If you have an instance/service sitting in a private subnet and you need this instance to have outbound access to the Internet, then you need some NATing/PATing service. In the case of AWS, you can either attach a NAT Gateway to your VPC or launch a NAT instance in a public subnet in the same VPC and configure route tables accordingly. API Gateway has nothing to do with that.

API Gateway helps you build serverless, secure and highly available REST APIs which you can send HTTP/HTTPS requests to. Can you configure some API Gateway resource/method to point to an external service? Sure you can. But API Gateway cannot be targeted in your route table. Why? Simply because route tables operate on the 3rd layer of the ISO OSI model (routing via IP addresses) and API Gateway operates on Layer 7 of the ISO OSI model (application layer).

So here are things that you can do.

  1. instance (private subnet) -> NAT instance -> Internet Gateway -> external service
  2. instance (private subnet) -> NAT Gateway -> Internet Gateway -> external service
  3. instance (private subnet) -> NAT instance/gateway -> Internet Gateway -> API Gateway -> external service

Or you can even launch a private API Gateway that will operate only inside of your VPC, but again, it has nothing to do with granting access to the Internet.

About the security: we are not talking here about someone trying to access your resources (inbound access) but about you/your resources trying to access some external service. You can and should control this via firewalls such as NACLs, Security Groups and even OS-level firewalls. API Gateway's security works the other way around; it protects you from malicious incoming requests/DDoS attacks and unauthorized use of your resources.

In short, if there already exists an external service that you know that you want to access from inside of your private subnet, then API Gateway is completely useless to you.

