AWS- For outgoing requests to external services, Should i use AWS API Gateway or NAT GAteway to call external web services from private subnet

Question

Scenarios, where AWS API gateway is being used? Is this only for incoming or outgoing services also? Is NAT gateway is the preferred way of calling external services via internet gateway? can that be replaced by AWS API Gateway? Will the latter provide more security?

two ways of calling external services- Option 1- a) configure the private subnet components to NAT gateway via route table. b) request would be routed from private subnet -> NAT Gateway-> Internet Gateway-> external service?

Option 2- a) Configure the private subnet to call AWS API Gateway in the public subnet via route tables b) Request would be routed via private subnet-> AWS API gateway -> external service?

Kindly let me know which option seems better?

Answer 1

You are mixing things up.

If have instance/service sitting in a private subnet and you need this instance to have outbound access to the Internet, then you need some NATing/PATing service. In case of AWS, you can either attach NAT Gateway to your VPC or launch NAT instance in a public subnet in the same VPC and configure route tables accordingly. API Gateway has nothing to do with that.

API Gateway helps you build serverless, secure and highly available REST APIs which you can send an HTTP/HTTPS requests to. Can you configure some API Gateway resource/method to point to an external service? Sure you can. But API Gateway cannot be targeted in your route table. Why? Simply because route tables operate on the 3rd layer of ISO OSI model (routing via IP addresses) and API Gateway operates on Layer 7 of ISO OSI model (application layer).

So here are things that you can do.

1. instance (private subnet) -> NAT instance -> Internet Gateway -> external service
2. instance (private subnet) -> NAT Gateway -> Internet Gateway -> external service
3. instance (private subnet) -> NAT instance/gateway -> Internet Gateway -> API Gateway -> external service

Or you can even launch a private API Gateway that will operate only inside of your VPC but again, it has nothing to do with granting access to the Internet.

About the security, we are not talking here about someone trying to access your resources (inbound access) but about you/your resources trying to access some external service. You can and should control this via firewalls such as NACLs, Security Groups and even OS level firewalls. API gateway's security works the other way around, it protects you from malicious incoming requests/DDOS attacks and unauthorized use of your resources.

In short, if there already exists an external service that you know that you want to access from inside of your private subnet, then API Gateway is completely useless to you.