AWS in Plain English


How to Connect API Gateway to ECS Fargate using the AWS CDK


This article makes the API publicly reachable on the internet. A private API that is only reachable from inside the VPC is also possible, but it has to be a REST API rather than an HTTP API, fronted by a Network Load Balancer instead of an Application Load Balancer (VPC Links for REST APIs do not support ALBs). Given those differences, that alternate setup deserves a separate article in the future.

Let’s say we want to deploy a containerized app on Fargate within private subnets and expose it to the internet via API Gateway. We can do so with an API Gateway HTTP API and a VPC Link: the HTTP API is the single public entry point, the VPC Link carries requests into the VPC, and the load balancer and tasks in the private subnets are never exposed directly.

I recently was trying to figure out how to set this up and found this great resource that explains the architecture and includes a working CloudFormation template.

However, I wanted to convert the template to Python AWS CDK code so that I could combine it with other existing CDK code and easily make changes to it (working with vanilla CloudFormation YAML is quite difficult in my opinion).

After spending some time looking at the CDK Python reference, I finally got this working CDK code as a result. It assumes that you already have a VPC with private subnets created. When this file is deployed as a CloudFormation stack, open the URL associated with the newly created API and you should see this:

[Screenshot: the Nginx welcome page served from ECS Fargate]

[Gist: MyCdkStack.py]

On lines ~30–80, we are creating the Application Load Balancer and the VPC Link required to route traffic from the HTTP API to our container.

On lines ~80–100, we are defining the HTTP API and creating a route with a proxy integration to the load balancer.

On lines ~100–180, we are defining the ECS cluster, service, and task that will run our container in Fargate.

Lastly, we add the security group rules needed for the load balancer and the ECS tasks to talk to each other, and wire the load balancer to the container by registering the service in a target group.

From this point, we can also add access control by attaching an authorizer to our API route. For demonstration purposes, let’s add a Lambda authorizer that denies the request unless it carries the query parameter “?token=supersecret”. (A shared token in the query string is fine for a demo, but query strings end up in access logs and browser history; for real use, send it in a header and set the authorizer’s identity source to match, or use a JWT authorizer.)

To do so, first define the authorizer Lambda function: create a directory lambda_fns/ for the Lambda code at the same level as cdk.json, and create the file read_authorizer.py inside it:

[Gist: read_authorizer.py]
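An added example of what read_authorizer.py can contain; this is not the article’s file. It checks ?token= against a value fetched from Secrets Manager rather than a literal in the source, compares in constant time, and answers in the HTTP API “simple” response format. It assumes the secret’s name arrives in an API_TOKEN_SECRET environment variable and that the function’s role may read that secret (both are assumptions of this example). The extract-and-compare logic is kept separate from the handler so it can be exercised without AWS.

```python
# Added example, not the article's read_authorizer.py. Lambda authorizer for an
# HTTP API (payload format 2.0, simple responses). Assumed: the shared token is
# stored in Secrets Manager and its name is passed in API_TOKEN_SECRET.
import hmac
import os
from functools import lru_cache


def extract_token(event: dict) -> str:
    """Return the token the client presented as ?token=..., or "" if absent."""
    params = event.get("queryStringParameters") or {}
    return params.get("token") or ""


def is_authorized(event: dict, expected: str) -> bool:
    """Constant-time comparison; a missing/empty token or secret never matches."""
    presented = extract_token(event)
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


@lru_cache(maxsize=1)
def expected_token() -> str:
    """Fetch the shared token once per execution environment from Secrets Manager."""
    import boto3  # imported here so the comparison logic above stays testable offline

    secret_id = os.environ["API_TOKEN_SECRET"]  # assumed environment variable
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)["SecretString"]


def handler(event, context):
    # Simple response format: API Gateway turns False into a 403 for the caller.
    # Any exception here becomes a 500, which is the safe failure mode for an authorizer.
    return {"isAuthorized": is_authorized(event, expected_token())}
```

The lru_cache caches the secret, not the decision; API Gateway separately caches the authorizer’s answer per identity-source value for the configured TTL, so rotating the secret takes effect for new token values immediately and for previously seen ones once that cache expires.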

Then replace lines ~80–100 of the CDK code with the following, which references the authorizer Lambda and attaches the authorizer to the API route:

[Gist: MyCdkStack.py, replacing lines 70–90]

As a developer, I feel like there’s too little AWS reference code out there so I hope you all find this helpful and/or interesting!
