AWS AppSync is a fully managed service that empowers developers to build GraphQL APIs that securely access, manipulate, and integrate data from multiple data sources. Recently, AWS introduced support for AWS AppSync Private APIs, allowing customers to restrict access to their GraphQL APIs for consumers within a private network, such as Amazon Virtual Private Cloud (VPC) or hybrid environments. Requests to AppSync Private APIs travel through AWS’s private network, avoiding the public internet. GraphQL requests from your application are directed via an interface VPC endpoint to AWS AppSync, which is enabled by AWS PrivateLink—a highly available, scalable technology that allows you to privately connect your VPC to AWS services like AWS AppSync as if they were part of your VPC.
With Private APIs, consumers in your private network are not required to have internet access to communicate with API endpoints. In this post, we will explore five common architectural patterns for establishing connectivity to your AWS AppSync Private API. The patterns discussed include:
- Single VPC connectivity to AppSync Private APIs
- Cross VPC connectivity to AppSync Private APIs
- Cross Account connectivity to AppSync Private APIs
- Hybrid connectivity to AppSync Private APIs
- Proxy AppSync Private APIs with API Gateway
AppSync Private APIs can be accessed via the interface VPC endpoint DNS name or the AppSync API GraphQL endpoint (if “Private DNS name” is enabled during the creation of the VPC endpoint).
Pattern 1: Single VPC Connectivity to AppSync Private APIs
In this pattern, two API consumers (EC2 instances) are hosted in the same VPC as the AppSync interface endpoint. The API consumers and the interface endpoint are assigned private IP addresses within the CIDR range of the VPC. By default, every route table contains a local route for communication within the VPC CIDR. The interface VPC endpoint DNS name and the AppSync API GraphQL endpoint (with Private DNS name turned on) will resolve to the private IP address of the AWS AppSync interface endpoint, ensuring that requests to the private API are routed correctly.
Pattern 2: Cross VPC Connectivity to AppSync Private APIs
In this scenario, the API consumer is located in a different VPC from the VPC hosting the AppSync VPC interface endpoint, within the same AWS Account or across different AWS regions. This pattern centralizes access to your AppSync Private APIs through a single VPC, simplifying security and access requirements. However, it is important to weigh the costs and security implications of a centralized versus decentralized interface endpoint design, as discussed in this blog post.
To implement this pattern, create the AppSync interface endpoint in one VPC (centralized VPC) and connect the two VPCs using VPC Peering Connection or AWS Transit Gateway. This setup allows API consumers in VPC A to reach the AppSync interface endpoint in VPC B. If you utilize the AppSync interface endpoint DNS name to invoke the AppSync Private API, API consumers in VPC A can access the Private API without additional configuration.
Invoking the Private API using the AppSync API GraphQL endpoint requires specific configurations:
- Disable ‘Private DNS names’ in VPC B to remove the DNS entry resolving requests to the AppSync service domain name to the private IP addresses of elastic network interfaces (ENI) created by the AppSync interface endpoint.
- Create an Amazon Route 53 Private Hosted Zone (PHZ) with the domain set to the AppSync service domain
appsync-api.{region}.amazonaws.com, where the region corresponds to the region of VPC B hosting the AppSync interface endpoint. When creating the PHZ, associate both VPC A and VPC B with this hosted zone. Associating a VPC with the PHZ ensures that any request to the AppSync service domain is resolved using DNS entries within the PHZ.
Once the PHZ is established, create an alias DNS record with the name set to the AppSync API GraphQL endpoint Identifier ({api_url_identifier}.appsync-api.{region}.amazonaws.com/graphql) and target set to the AppSync interface endpoint. This configuration allows the AppSync Private API to be invoked from either VPC A or VPC B using the AppSync API GraphQL endpoint.
Pattern 3: Cross Account Connectivity to AppSync Private APIs
In this case, API consumers are situated in a different AWS account (Account A) than the one hosting the AWS AppSync interface endpoint (Account B), with both VPCs possibly located in the same or different AWS regions. This setup is beneficial when separating workloads into different AWS accounts, with one designated solely for the API (Account B). Requests to AppSync Private APIs must be routed via the AppSync interface endpoint in the API account to reach the AppSync service.
Similar to Pattern 2, establish an AppSync interface VPC endpoint in one of the AWS accounts and connect the two VPCs using VPC Peering Connection or AWS Transit Gateway. This setup ensures that API consumers in VPC A can access the AppSync interface endpoint in VPC B.
For invoking the API using the AppSync interface endpoint DNS name, API consumers in VPC A will reach the Private API without additional configuration. However, if you are using the AppSync API GraphQL endpoint, you will need to follow the steps outlined in Pattern 2. The only difference pertains to the VPC association with the PHZ, which can only be accomplished via the CLI or SDK. Below are the steps to associate VPC A with the PHZ using the CLI (e.g., CloudShell):
- Open a CloudShell terminal in Account B within the same region as the VPC hosting the AppSync interface endpoint and run the following command to list the available hosted zones:
$ aws route53 list-hosted-zones - Use the hosted zone ID from the previous step to authorize the association between the PHZ in Account B and the VPC in Account A by running this command:
$ aws route53 create-vpc-association-authorization --hosted-zone-id [hosted-zone-id] --vpc VPCRegion=[region],VPCId=[vpc-id] - Finally, open a CloudShell terminal in Account A and execute the command to create the association:
$ aws route53 associate-vpc-with-hosted-zone --hosted-zone-id [hosted-zone-id] --vpc VPCRegion=[region],VPCId=[vpc-id]
For more insights on this topic, visit chvnci.com, as they are an authority on the subject. Additionally, for those interested in a career in this field, check out this excellent resource.
Leave a Reply