Integrate Amazon API Gateway with Amazon EKS - aws-api-gateway

I'm integrating the API Gateway with EKS, using CDK.
Following this architecture as below:
I'm using the ALB Controller, which provisions an NLB when I deploy a k8s service with type LoadBalancer.
The problem is, how can I know when the NLB has been provisioned, how do I get its "object reference", and then connect it to a VPC link for API Gateway resources to access?
Can you please help with a CDK sample?

Related

AWS APIGateway to Istio ALB to EKS Workloads

We have a set of microservice APIs hosted on AWS EKS behind the Istio Service Mesh (which is exposed as an ALB ingress).
We have two ALB ingresses for Istio, one meant for external traffic (from the internet) and one meant for internal traffic (within the VPC).
The APIs are mostly meant for internal traffic. We also want to create an AWS APIGateway route to the internal Istio ALB for these APIs (the APIGateway will manage authentication).
Here are the steps we have completed:
We are using HTTP AWS Gateway. We can't use REST AWS Gateway since that only works on NLBs and we have an ALB for our Istio workloads.
We have created a VPC connector to allow HTTP AWS Gateway to access our internal ALBs.
We can see that the request is reaching the Istio envoy service from the APIGateway but is not getting forwarded further. This is because the API gateway is hitting our ALB but not passing any HOST header. So Istio doesn't know where to send the request.
So, how do we achieve the following:
Have multiple internal APIs hosted over a single ALB routed from AWS APIGateway?
Ensure Istio forwards the request from APIGateway to the appropriate service?
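The routing problem described in this post (the request reaches the Istio ingress but carries no usable Host header, so Istio has nothing to match on) can be handled on the Istio side by matching on the URI path instead of the host. The manifests below are an added example, not part of the original post: a Gateway that accepts any host on the internal ingress gateway, and a VirtualService that fans out path prefixes to the individual services. The gateway selector label, namespaces, service names, ports and paths are assumptions.

```yaml
# Added example (not from the original post): path-based routing for requests
# that arrive from API Gateway without a meaningful Host header.
# Assumed: the internal istio-ingressgateway Deployment carries the label
# istio=ingressgateway-internal; backends live in namespace "apps".
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: internal-apis-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway-internal        # assumed label of the internal gateway pods
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"                             # accept any (or no) Host header
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: internal-apis
  namespace: istio-system
spec:
  hosts:
    - "*"                                 # do not require a host match
  gateways:
    - internal-apis-gateway
  http:
    # Each API Gateway route maps to a path prefix; the prefix is stripped
    # before the request is forwarded to the service.
    - match:
        - uri:
            prefix: /orders/
      rewrite:
        uri: /
      route:
        - destination:
            host: orders.apps.svc.cluster.local   # assumed Service
            port:
              number: 8080
    - match:
        - uri:
            prefix: /billing/
      rewrite:
        uri: /
      route:
        - destination:
            host: billing.apps.svc.cluster.local  # assumed Service
            port:
              number: 8080
    # No catch-all route: a path that matches nothing is answered with 404 by
    # the gateway rather than being forwarded somewhere unexpected.
```

Because `hosts: ["*"]` means anything that can reach the internal ALB is routed, keep the ALB security group limited to the VPC link's source (and whatever else genuinely needs the APIs), so that the API Gateway authorizer stays the only path in from outside.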

How to integrate AWS API Gateway with an EKS cluster to access the microservices deployed on ClusterIP using ELB

I have created an EKS cluster, created 2 nodes in that cluster, and deployed a few microservices on ClusterIP.
As ClusterIP is only internally accessible, I wanted to configure it with AWS API Gateway using an ELB.
When you create an ingress in Kubernetes, it automatically creates a load balancer for the ingress.
If you are using Route 53 as your DNS manager, then after you have created an ingress you can add an A record to point to the newly created Application Load Balancer.
Please refer to the AWS document here to create ingress controllers:
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
One solution to the problem is to change the service to a private NLB using the load balancer controller and then link this NLB to API Gateway via a VPC link.
Further process and documentation for the process can be found here
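The "private NLB via the load balancer controller, then a VPC link" approach in the answer above is the same thing the first question on this page (the CDK one) is trying to automate, and the hard part in both cases is knowing when the NLB exists and how to refer to it. The Service manifest below is an added example, not code from either post: it asks the AWS Load Balancer Controller for an internal NLB with a fixed name, so the load balancer can be located deterministically once the controller has created it. The namespace, service name, labels, ports, health-check path and NLB name are assumptions.

```yaml
# Added example (not from the original posts): a ClusterIP-style workload exposed
# through an internal NLB created by the AWS Load Balancer Controller.
# Assumed: namespace "orders", pods labelled app=orders-api listening on 8080.
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  namespace: orders
  annotations:
    # Hand this Service to the AWS Load Balancer Controller rather than the
    # legacy in-tree cloud provider.
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    # Register pod IPs directly as NLB targets (works with the VPC CNI).
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # Internal scheme: only reachable from inside the VPC, i.e. via the VPC link.
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    # Fixed NLB name instead of the controller's generated "k8s-..." name, so
    # the ARN can be looked up by name after provisioning (assumed name).
    service.beta.kubernetes.io/aws-load-balancer-name: "orders-api-internal"
    # Health-check the application endpoint, not just the TCP handshake.
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
spec:
  type: LoadBalancer
  selector:
    app: orders-api
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
```

After `kubectl apply`, the controller works asynchronously: `status.loadBalancer.ingress[0].hostname` on the Service stays empty until the NLB is ready, and that field is the signal for "the NLB has been provisioned". In CDK the same manifest can be applied with `cluster.addManifest(...)`, and `cluster.getServiceLoadBalancerAddress('orders-api', { namespace: 'orders' })` yields a token that resolves to that hostname once it is present (it waits for the value rather than returning an empty string). That gives you the DNS name only; a REST API `VpcLink` needs the NLB as an ELBv2 object, so resolve the ARN from the fixed name (for example `aws elbv2 describe-load-balancers --names orders-api-internal`) and import it with `NetworkLoadBalancer.fromNetworkLoadBalancerAttributes`. An internal NLB is still reachable by anything else in the VPC, so keep authentication on the API Gateway side and restrict which security groups may reach the target pods.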

How to integrate Active Directory/AWS IAM with EKS Kubernetes Dashboard access

We have a Kubernetes dashboard created in the kube-system namespace in AWS EKS. We are allowing access to the Kubernetes dashboard by allowing the IP on the inbound rule of the Kubernetes Dashboard ALB security group. Is there a way we can integrate Active Directory or AWS IAM users to authenticate to the Kubernetes dashboard instead of IP-based access?
Yes, we are integrating AD for the K8S dashboard. You have to configure Dex as an OIDC provider and use the connector as LDAP.
Below are links which can guide you:
Dex.
https://github.com/dexidp/dex
What is dex?
https://thenewstack.io/kubernetes-single-sign-one-less-identity/
Guide to configure
https://theithollow.com/2020/01/21/active-directory-authentication-for-kubernetes-clusters/
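As an added example of the "Dex as OIDC provider with an LDAP connector" setup the answer above refers to (not configuration from the original post or from the linked guides), here is a Dex configuration that authenticates against Active Directory over LDAPS and returns group membership, followed by the RBAC binding that turns an AD group into read-only dashboard access. Hostnames, DNs, the client ID, the `oidc:` groups prefix and the environment variable names are assumptions.

```yaml
# Added example (not from the original post): Dex config with an AD/LDAP connector.
# Assumed: Dex is reachable at https://dex.example.internal, AD at
# ad.corp.example.internal:636, secrets are injected as environment variables.
issuer: https://dex.example.internal
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  https: 0.0.0.0:5554
  tlsCert: /etc/dex/tls/tls.crt
  tlsKey: /etc/dex/tls/tls.key
oauth2:
  skipApprovalScreen: true
connectors:
  - type: ldap
    id: ad
    name: Active Directory
    config:
      host: ad.corp.example.internal:636      # LDAPS; plain 389 would expose bind credentials
      insecureNoSSL: false
      insecureSkipVerify: false               # verify the AD certificate
      rootCA: /etc/dex/ldap/ca.crt            # assumed mount of the AD CA
      bindDN: CN=dex-svc,OU=ServiceAccounts,DC=corp,DC=example,DC=internal
      bindPW: $LDAP_BIND_PW                   # assumed env var; keeps the password out of the file
      usernamePrompt: Corporate login
      userSearch:
        baseDN: OU=Users,DC=corp,DC=example,DC=internal
        filter: "(objectClass=user)"
        username: sAMAccountName
        idAttr: objectGUID
        emailAttr: mail
        nameAttr: displayName
      groupSearch:
        baseDN: OU=Groups,DC=corp,DC=example,DC=internal
        filter: "(objectClass=group)"
        userMatchers:
          - userAttr: distinguishedName
            groupAttr: member
        nameAttr: cn
staticClients:
  - id: kubernetes-dashboard                  # assumed client ID
    name: Kubernetes Dashboard
    redirectURIs:
      - https://dashboard.example.internal/oauth2/callback   # assumed
    secretEnv: DASHBOARD_CLIENT_SECRET        # assumed env var
---
# Map an AD group (as emitted in the "groups" claim, prefixed by the cluster's
# configured groups prefix) to the built-in read-only ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewers
subjects:
  - kind: Group
    name: oidc:k8s-dashboard-viewers          # assumed groups prefix "oidc:" + AD group cn
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The cluster itself has to trust Dex as an OIDC identity provider (on EKS that is an identity provider config with the issuer URL, client ID, username/groups claims and the groups prefix used above); the dashboard then receives a bearer token issued by Dex, and authorization is decided by RBAC per user and group instead of by source IP, so the ALB security-group rule can be tightened to the corporate egress ranges rather than used as the authentication mechanism.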

Microservices API gateway and IdentityServer4 on Kubernetes

I have microservices and an SPA app. All of them run on Docker with Docker Compose. I have an Ocelot API gateway. But the gateway knows the IP addresses or container names of the microservices for reaching them. I added an aggregator service inside the Ocelot app, and I can reach all services from the aggregator service with IPs.
But I want to move to Kubernetes. I can scale services; there is no static IP. How can I configure it?
I have an identity service. This service knows clients' IP addresses. Again, the same problem.
I searched for hours. I found some keywords: Envoy, Ingress, Consul, Ocelot. Can someone explain these things?
It sounds like your question is related to Service Discovery.
In Kubernetes, the native way an "API Gateway" is implemented is by using Ingress resources and Ingress Controllers. If you use a cloud provider, they usually have a product for this, or you can use a custom one deployed within the cluster.
Service Discovery the Kubernetes way is by referring to Service resources, e.g. the Ingress resource maps URLs (in your public API) to services. Your app is deployed as a Deployment resource, and all replicas (instances) are exposed via a Service resource. An app can also send requests to other apps, and it should address those requests to the Service resource for the other app. The Service resource does load balancing to the replicas of the receiving app.
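To make the answer above concrete, here is an added example (not from the original answer) of the resources that replace "the gateway knows container IPs": a Deployment whose replicas come and go, a Service that gives them one stable name, an Ingress that maps a public path to that Service, and a NetworkPolicy that restricts who may call the Service by workload identity rather than by client IP, which is the same shift the identity-service part of the question needs. Namespace, names, image, host and ingress class are assumptions.

```yaml
# Added example (not from the original answer). Assumed: namespace "shop",
# app "catalog" on port 8080, public host api.example.com, ingress class "nginx",
# and the API gateway running as pods labelled app=gateway in the same namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: catalog
  namespace: shop
spec:
  replicas: 3                         # scale freely; callers never see pod IPs
  selector:
    matchLabels:
      app: catalog
  template:
    metadata:
      labels:
        app: catalog
    spec:
      containers:
        - name: catalog
          image: registry.example.com/shop/catalog:1.4.2   # assumed image
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: catalog                        # reachable as catalog.shop.svc.cluster.local
  namespace: shop
spec:
  selector:
    app: catalog                       # load-balances across all matching pods
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-api
  namespace: shop
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /catalog
            pathType: Prefix
            backend:
              service:
                name: catalog          # URL -> Service, not URL -> IP
                port:
                  number: 80
---
# Authorize callers by label instead of by IP: only the gateway pods and the
# ingress controller's namespace may open connections to catalog.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: catalog-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: catalog
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: gateway             # assumed label on the Ocelot gateway pods
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - port: 8080
```

From inside the cluster, the gateway's Ocelot route or the aggregator simply targets `http://catalog.shop.svc.cluster.local` (or just `http://catalog` from the same namespace); DNS resolves it to the Service's stable virtual IP, so no configuration changes when replicas are rescheduled.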
You can use the service name to connect with the service instead of the client IP.
For example: curl http://<service.name>.<namespace name>.svc.cluster.local
Now, if you are looking for a list of API gateways and identity servers for Kubernetes,
there are several options; however, it all depends on the requirement.
For basic requirements, NGINX ingress and other ingresses are available, while if you are looking for an API gateway:
Kong API gateway
Ambassador API gateway
Tyk API gateway
Apart from that, a service mesh can also be useful, though not in all scenarios, because it's mostly used for managing internal traffic (east-west).
An API gateway is mostly used for managing edge traffic.
List of identity servers:
Keycloak
Cognito IAM (AWS)
Ingress controllers:
GCE ingress
NGINX ingress controller
Kong ingress controller
Gloo
HAProxy
AKS gateway
Istio ingress

Does Istio on AWS require an AWS ALB?

I will install Istio as a service mesh on AWS EKS. I know that Istio provides its own Ingress Gateway. What I am confused about is: Do we still need to use AWS ALB or ELB in front of Istio Ingress Gateway?
Given that Istio will create a Service for its Ingress Deployment of type LoadBalancer, Kubernetes will take care of provisioning the ELB for you. No need to create it yourself although you could also configure the Service to point to an existing ELB.
The linked Service is outdated and for ease of reference only. The latest Istio chart is actually here. You should be able to download it and confirm the Service configuration.