Merge pull request #2897 from biswanathmukherjee/biswanathmukherjee-feature-apigw-vpclink-alb-ecs

Amazon API Gateway private integration with Application Load Balancer with VPC LinkV2

Author: julianwood

apigw-vpclink-alb-ecs/.dockerignore

@@ -0,0 +1,9 @@
+node_modules
+npm-debug.log
+.git
+.gitignore
+README.md
+.env
+.nyc_output
+coverage
+.kiro

apigw-vpclink-alb-ecs/Dockerfile

@@ -0,0 +1,25 @@
+# Use official Node.js runtime as base image
+FROM node:24-alpine
+
+# Set working directory in container
+WORKDIR /app
+
+# Copy package files
+COPY package*.json ./
+
+# Install dependencies
+RUN npm ci --only=production
+
+# Copy application source code
+COPY src/ ./src/
+
+# Expose port 3000
+EXPOSE 3000
+
+# Create non-root user for security
+RUN addgroup -g 1001 -S nodejs
+RUN adduser -S nodejs -u 1001
+USER nodejs
+
+# Start the application
+CMD ["npm", "start"]

apigw-vpclink-alb-ecs/README.md

@@ -0,0 +1,209 @@
+# REST APIs using Amazon API Gateway private integration with Application Load Balancer
+
+This sample project demonstrates how API Gateway connects to Application Load Balancer using VPV Link V2.
+
+## Requirements
+
+- [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+- [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+- [AWS Serverless Application Model](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) (AWS SAM) installed
+- [Node 24 or above](https://nodejs.org/en/download) installed
+- [Docker] installed
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+
+   ```bash
+   git clone https://github.com/aws-samples/serverless-patterns
+   ```
+
+2. Change directory to the pattern directory:
+
+   ```bash
+   cd serverless-patterns/apigw-vpclink-alb-ecs
+   ```
+
+3. Create an ECR repository:
+
+   ```bash
+   aws ecr create-repository --repository-name products-api --region <your-region>
+   ```
+
+4. Get the login token and authenticate Docker:
+
+   ```bash
+   aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<your-region>.amazonaws.com
+    ```
+
+5. Install dependencies:
+
+   ```bash
+   npm install
+   ```
+
+6. Build the Docker image and push it to ECR:
+
+    ```bash
+    # Build the Docker image
+    docker build --platform linux/amd64 -t products-api .
+
+    # Tag the image for ECR
+    docker tag products-api:latest <account-id>.dkr.ecr.<your-region>.amazonaws.com/products-api:latest
+
+    # Push the image to ECR
+    docker push <account-id>.dkr.ecr.<your-region>.amazonaws.com/products-api:latest
+    ```
+
+7. From the command line, run the following commands:
+
+   ```bash
+   sam build
+   sam deploy --guided
+   ```
+
+8. During the prompts:
+
+   - Enter a stack name
+   - Enter the desired AWS Region e.g. `us-east-1`.
+   - Enter VpcCidr - keep the default value
+   - Enter ECRImageURI - Replace with your ECR URI from the previous step. e.g. <account-id>.dkr.ecr.<your-region>.amazonaws.com/products-api:latest
+   - Allow SAM CLI to create IAM roles with the required permissions.
+   - Keep default values to the rest of the parameters.
+
+   Once you have run `sam deploy --guided` mode once and saved arguments to a configuration file (samconfig.toml), you can use `sam deploy` in future to use these defaults.
+
+9. Note the outputs from the SAM deployment process. These contain the resource names and/or ARNs which are used for next step as well as testing.
+
+## How it works
+
+The SAM template deploys the following resources:
+
+![End to End Architecture](diagram/architecture.png)
+
+Here's a breakdown of the steps:
+
+1. **Amazon API Gateway**: The API Gateway exposes a REST API endpoint. The API Gateway connects to Application Load Balancer using VPC link V2.
+
+## Testing
+
+### Using EC2 Instance test internal ALB 
+
+1. Open a terminal in your laptop and use [curl](https://curl.se/) to send a HTTP GET request to the `InternalALBEndpoint`. Replace the value of `InternalALBEndpoint` from `sam deploy` output.
+
+```bash
+curl -X GET <InternalALBEndpoint>
+```
+
+Expected Response:
+This request will timeout and you will not get any response. This is an internal ALB endpoint. Hence, this is not accessible over public internet.
+
+2. [Launch an EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance) in one of the private subnets within the same VPC. Refer the `sam deploy` output for the VPC, subnet and security group details.
+
+3. [Connect to your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-connect-to-instance)
+
+4. Install curl if not available:
+
+```bash
+# Amazon Linux/RHEL/CentOS
+sudo yum install -y curl
+
+# Ubuntu/Debian
+sudo apt-get update && sudo apt-get install -y curl
+```
+
+5. Test the  products endpoint functionality
+
+```bash
+curl -X GET <InternalALBEndpoint>
+```
+
+Expected Response:
+
+```json
+{
+  "products": [
+    {
+      "id": "1",
+      "name": "Sample Product",
+      "description": "A demo product for testing",
+      "price": 29.99,
+      "category": "Electronics"
+    },
+    {
+      "id": "2",
+      "name": "Demo Widget", 
+      "description": "Another test product",
+      "price": 15.50,
+      "category": "Gadgets"
+    },
+    {
+      "id": "3",
+      "name": "Test Item",
+      "description": "Third demo product", 
+      "price": 99.99,
+      "category": "Tools"
+    }
+  ]
+}
+```
+
+6. Now, test the API Gateway API endpoint. Replace `APIEndpoint` with the value from `sam deploy` output.
+
+```bash
+curl -X GET <APIEndpoint>
+```
+
+Expected Response:
+
+```json
+{
+  "products": [
+    {
+      "id": "1",
+      "name": "Sample Product",
+      "description": "A demo product for testing",
+      "price": 29.99,
+      "category": "Electronics"
+    },
+    {
+      "id": "2",
+      "name": "Demo Widget", 
+      "description": "Another test product",
+      "price": 15.50,
+      "category": "Gadgets"
+    },
+    {
+      "id": "3",
+      "name": "Test Item",
+      "description": "Third demo product", 
+      "price": 99.99,
+      "category": "Tools"
+    }
+  ]
+}
+```
+
+## Cleanup
+
+1. Delete the EC2 instance created for testing.
+
+2. To delete the resources deployed to your AWS account via AWS SAM, run the following command:
+
+```bash
+sam delete
+```
+
+3. Delete the ECR repository. Ensure that you are deleting the correct repository.
+
+
+```bash
+aws ecr delete-repository --repository-name products-api --region <your-region> --force
+```
+
+---
+
+Copyright 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0

apigw-vpclink-alb-ecs/apigw-vpclink-alb-ecs.json

@@ -0,0 +1,93 @@
+{
+  "title": "Amazon API Gateway private integration with Application Load Balancer",
+  "description": "This sample project demonstrates how API Gateway connects to Application Load Balancer using VPV Link V2.",
+  "language": "Node.js",
+  "level": "200",
+  "framework": "AWS SAM",
+  "introBox": {
+    "headline": "How it works",
+    "text": [
+      "Amazon API Gateway receives the HTTP GET request.",
+      "The API Gateway routes the request to Application Load Balancer using VPC link V2.",
+      "The Application Load Balancer routes the request to one of the tasks under Amazon ECS cluster."
+    ]
+  },
+  "gitHub": {
+    "template": {
+      "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/apigw-vpclink-alb-ecs",
+      "templateURL": "serverless-patterns/apigw-vpclink-alb-ecs",
+      "projectFolder": "apigw-vpclink-alb-ecs",
+      "templateFile": "template.yaml"
+    }
+  },
+  "resources": {
+    "bullets": [
+      {
+        "text": "AWS Lambda tenant isolation",
+        "link": "https://docs.aws.amazon.com/lambda/latest/dg/tenant-isolation.html"
+      },
+      {
+        "text": "AWS Blog - Build scalable REST APIs using Amazon API Gateway private integration with Application Load Balancer",
+        "link": "https://aws.amazon.com/blogs/compute/build-scalable-rest-apis-using-amazon-api-gateway-private-integration-with-application-load-balancer/"
+      }
+    ]
+  },
+  "deploy": {
+    "text": ["sam build", "sam deploy --guided"]
+  },
+  "testing": {
+    "text": ["See the GitHub repo for detailed testing instructions."]
+  },
+  "cleanup": {
+    "text": ["Delete the stack: <code>sam delete</code>."]
+  },
+  "authors": [
+    {
+      "name": "Biswanath Mukherjee",
+      "image": "https://serverlessland.com/assets/images/resources/contributors/biswanath-mukherjee.jpg",
+      "bio": "I am a Sr. Solutions Architect working at AWS India. I help strategic global enterprise customer to architect their workload to run on AWS.",
+      "linkedin": "biswanathmukherjee"
+    }
+  ],
+  "patternArch": {
+    "icon1": {
+      "x": 15,
+      "y": 50,
+      "service": "apigw",
+      "label": "API Gateway"
+    },
+    "icon2": {
+      "x": 40,
+      "y": 50,
+      "service": "vpc-endpoint",
+      "label": "VPC Link V2"
+    },
+    "icon3": {
+      "x": 65,
+      "y": 50,
+      "service": "alb",
+      "label": "ALB"
+    },
+    "icon4": {
+      "x": 90,
+      "y": 50,
+      "service": "ecs",
+      "label": "Amazon ECS"
+    },
+    "line1": {
+      "from": "icon1",
+      "to": "icon2",
+      "label": ""
+    },
+    "line2": {
+      "from": "icon2",
+      "to": "icon3",
+      "label": ""
+    },
+    "line3": {
+      "from": "icon3",
+      "to": "icon4",
+      "label": ""
+    }
+  }
+}