API Connect

This blog post provides both an overview of private connectivity for API Connect on AWS SaaS and instructions on using it to connect API Connect instances on AWS to customer VPCs.

Available in API Connect advanced plans, we use AWS PrivateLink to facilitate creation of both inbound and outbound connections.  Inbound connections connect a customer VPC interface endpoint to a dedicated VPC endpoint service and router in the API Connect account.  Outbound connections connect a VPC interface endpoint in the API Connect account to an endpoint service in the customer account.

Both inbound and outbound configuration options can be found in the Catalog settings tab of a catalog.

Note that, once configured, private connections will be available for all catalogs in an instance.

Configuring inbound connections

Follow these steps to configure an inbound private connection for an instance:

1. Specify a service consumer ARN

The entity creating the VPC endpoint in the customer account must be pre-approved to access the VPC endpoint service in the API Connect account.

This can be a service role, user role, or even the root ARN for the customer account.  See the AWS documentation for more details.

2. Wait for backend infrastructure to be deployed

We next provision the backend infrastructure, including the VPC endpoint service with the pre-approval that allows the service to be visible to the service consumer.

Once the backend infrastructure deployment is complete, the service name of the VPC endpoint service and the private DNS name for the API gateway can be used to complete the private connection.

3. Create a VPC endpoint

In AWS, create a VPC endpoint as instructed in the API Connect UI, using the service name provided above.

4. Create a private hosted zone with private DNS entry

Create a private hosted zone in AWS Route53 for the domain of the private DNS name shown in the API Connect UI.

Create an alias A record in the private hosted zone pointing to the VPC endpoint DNS name shown in the AWS UI.

With these steps completed, the private DNS name shown in the API Connect UI can be used in place of the public DNS name for the API gateway to access an API Connect API privately.

Configuring outbound connections

Follow these steps to configure an outbound private connection for an instance:

1. Create an endpoint service

Create a VPC endpoint service behind which your private app will be accessible. See the AWS documentation for more details.

Once created, make note of the Service name of the endpoint service in the AWS UI.

Specify the Service name of the endpoint service in the API Connect UI.

2. Authorize the API Connect account to access your VPC endpoint service

Copy the AWS principal ARN from the API Connect UI.

Navigate to the Allow principals tab of the VPC endpoint service in AWS.

Specify the copied ARN in the Allow principals dialog.

Click Next in the API Connect  UI.

3. Accept the connection request from the API Connect VPC endpoint

Wait for a Pending connection to appear in the Endpoint connections tab of the VPC endpoint service. Accept the connection request.

Wait for the connection state to update to Available.

Click Next in the API Connect UI.

4. Copy VPC endpoint private DNS name

Copy the VPC endpoint private DNS name in the API Connect UI.

Use this DNS name in your API Connect API to connect to your application behind your VPC endpoint service.