amazon-web-servicesaws-api-gatewayamazon-vpcaws-elb

AWS API Gateway VPC Link to ELB returning Service Unavailable with HTTP503 in ApiGateway logs but nothing in ELB Logs


I'm having issues with setting up an AWS API Gateway VPC Link to an existing ELB in order to make a private endpoint public.

The error I receive when browsing to the API Gateway endpoint is {"message":"Service Unavailable"}

Here's project setup.

  1. EC2 instances within a private VPC
  2. EC2 added to a target group with port 80 listener
  3. ELB created with two rules: 1) HTTP:80 to HTTPS:443 2)HTTPS to target group in #2
  4. The Sec Groups used by the EC2 allow HTTP access only from the ELB
  5. The Sec Group on the ELB allows HTTPS traffic from specific IPs
  6. VPC Link created for the same VPC as #1, all 3 subnets included. New Sec Group created allowing HTTPS traffic from all.
  7. Sec Group in #5 (ELB) set to allow HTTP and HTTPS requests from SecGroup created in #6 (VPC Link)
  8. HTTP API Gateway created
  9. API Gateway Route created, /sample/{proxy+}, using an integration setup as a Private Resource, ALB/BLB, pointing at the ELB in #3, with a listener of HTTP (also tried HTTPS), method of ANY, and the VPC LInk set to the link created in #6
  10. Cloudwatch logs enabled for the API Gateway $default stage
  11. ELB Logging enable to S3.

The main platform works fine for people connecting via HTTPs via the ELB however any requests to the API Gateway endpoint wait for while then return the HTTP503 response with the body of {"message":"Service Unavailable"}

Cloudwatch logs show the HTTP503 response but do not give any other useful pieces of information. The ELBs logs show no requests coming in with the requested URL.

The results appear as if the VPC Link is not working and the request to the ELB is being rejected by the Security Group on the ELB even when the ELB's SecGroup is set to allow "All Traffic" from the SecGroup used by the VPC Link.

I'm at a lost as to what could be causing the issue and am hoping that someone can spot something I've missed along the way.

I've followed the various AWS Docs including:

  1. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-stages.html
  2. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-private.html
  3. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vpc-links.html

None of these mention the SecGroup setup

I have been successful when I create a HTTP URI integration and point that at a endpoint that allows public requests. This is no good though as the application needs to remain private other than one or two endpoints.

Everything I've read suggests that the API Gateway -> VPC Link -> ELB -> EC2 approach should work

UPDATE 1

VPC Link Setup

  1. The VPC is pointing to the same VPC that the EC2 instances are running in which is the same VPC as the ELB
  2. All three subnets (172.30.0.0/20, 172.30.16.0/20 and 172.30.32.0/20) have been enabled.
  3. It has it's own SecGroup

API Gateway Integration

Selection Method: Manual Target Service: ALB/NLB Load Balancer: SM-01-ELB Listener: HTTP 80 VPC Link: SM01-VPC Link


Solution

  • According to docs, it said:

    VPC links enable you to create private integrations that connect your HTTP API routes to private resources in a VPC

    Did you create ALB and VPC Link located in private subnets? I assume you won't connect to ALB successfully if you use had placed it in private subnets.

    And can you also check if VPC Link's ENI is created or not?

    I need to put my questions here since comment section is quite small for me