I have the following setup:

Custom domain api.foo.co.uk
-> API mapping to stage v1
-> HTTP API route ANY /{proxy+}
-> Private VPC link
-> ALB Fargate

If I hit the custom domain api.foo.co.uk I get 503 "message": "Service Unavailable".
If I hit the API directly at p3dqjsdfszlv7.execute-api.eu-west-1.amazonaws.com/v1/ I get the same result.

In CW for the API I see the following:
{
"auth_status":"-",
"aws_endpoint":"-",
"cognito_auth_provider":"-",
"cognito_auth_type":"-",
"cognito_identity_id":"-",
"cognito_identity_pool_id":"-",
"domain_name":"api.foo.co.uk",
"domain_prefix":"api",
"err_msg":"Service Unavailable",
"err_response":"INTEGRATION_NETWORK_FAILURE",
"err_string":" "Service Unavailable"",
"http_method":"GET",
"integration_error":"-",
"integration_error_msg":"-",
"integration_int_status":"200",
"integration_status":"-",
"path":"/v1/",
"principa_ord_id":"-",
"protocol":"HTTP/1.1",
"request_id":"cSJJ2h7BjoEEJ-g=",
"route_key":"ANY /{proxy+}",
"source_ip":"22.22.103.68",
"stage":"v1",
"status":"503",
"time":"16/Mar/2021:14:08:24 +0000",
"user":"-",
"user_agent":"insomnia/2021.1.0"}
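Does anyone know what the problem could be? I have looked, but cannot find anything on the error message "err_response":"INTEGRATION_NETWORK_FAILURE" or its possible causes.
I have also enabled access logs on the ALB, but they are blank, so I assume the request is not getting as far as the ALB.

I ran into the same problem with INTEGRATION_NETWORK_FAILURE. I managed to find a more informative error message by including all the $context.integration* variables in the access log (see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html). In my case, there was an error message saying "Request failed due to a network error communicating with the endpoint".
I cannot say what the exact cause was or what made it go away, but I can share some CloudFormation snippets from the setup that eventually worked: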
ApplicationLoadBalancerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: !Sub "${EnvironmentName} ALB security group"
    GroupName: !Sub "${EnvironmentName}-load-balancer-sg"
    VpcId:
      'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
    SecurityGroupIngress:
      - CidrIp: "0.0.0.0/0"
        IpProtocol: "tcp"
        FromPort: 80
        ToPort: 80
    SecurityGroupEgress:
      - CidrIp: "0.0.0.0/0"
        IpProtocol: "-1"

SharedApplicationLoadBalancer:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Name: !Sub "${EnvironmentName}-shared-lb"
    Scheme: "internal"
    Type: "application"
    Subnets:
      - 'Fn::ImportValue': !Sub "${EnvironmentName}:${LBSubnetType}1"
      - 'Fn::ImportValue': !Sub "${EnvironmentName}:${LBSubnetType}2"
    SecurityGroups:
      - !Ref ApplicationLoadBalancerSecurityGroup
    IpAddressType: "ipv4"

SharedApplicationLoadBalancerListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  DependsOn:
    - SharedApplicationLoadBalancer
  Properties:
    LoadBalancerArn: !Ref SharedApplicationLoadBalancer
    Protocol: "HTTP"
    Port: 80
    DefaultActions:
      - Type: fixed-response
        FixedResponseConfig:
          StatusCode: 404
          MessageBody: Shared ALB has no such route
          ContentType: text/plain

SharedAlbServiceXTargetGroup:
  Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
  Properties:
    Name: !Sub "${EnvironmentName}-alb-${ServiceName}-tg"
    HealthCheckIntervalSeconds: 30
    HealthCheckPath: "/ping"
    HealthCheckProtocol: "HTTP"
    HealthyThresholdCount: 2
    Port: 8080
    Protocol: "HTTP"
    UnhealthyThresholdCount: 2
    VpcId:
      "Fn::ImportValue": !Sub "${EnvironmentName}:VPC"
    TargetType: "ip"

SharedAlbServiceXListenerRule:
  Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
  Properties:
    Actions:
      - Type: "forward"
        TargetGroupArn: !Ref SharedAlbServiceXTargetGroup
    Conditions:
      - Field: "host-header"
        HostHeaderConfig:
          Values:
            - !Ref HttpApiCustomDomain
    ListenerArn: !Ref SharedApplicationLoadBalancerListener
    Priority: !Ref SharedAlbListenerRulePriority

PrivateApiGatewayVpcLinkSecurityGroup:
  Condition: PrivateAccess
  Type: "AWS::EC2::SecurityGroup"
  Properties:
    VpcId:
      'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
    GroupName: !Sub "${EnvironmentName}-apigw-vpclink"
    GroupDescription: !Sub "SG for API Gateway private VPC link in ${EnvironmentName} environment"
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0

PrivateApiGatewayVpcLink:
  Condition: PrivateAccess
  Type: "AWS::ApiGatewayV2::VpcLink"
  Properties:
    Name: !Sub "${EnvironmentName}-api-gateway-vpclink"
    SecurityGroupIds:
      - !Ref PrivateApiGatewayVpcLinkSecurityGroup
    SubnetIds:
      - "Fn::ImportValue": !Sub "${EnvironmentName}:PrivateSubnet1"
      - "Fn::ImportValue": !Sub "${EnvironmentName}:PrivateSubnet2"

HttpApiIntegration:
  Type: "AWS::ApiGatewayV2::Integration"
  Properties:
    ApiId: !Ref HttpApi
    Description: !Sub "Private ALB Integration for ${ServiceName} in ${EnvironmentName} env"
    IntegrationType: "HTTP_PROXY"
    IntegrationMethod: "ANY"
    ConnectionType: "VPC_LINK"
    ConnectionId: !Ref PrivateApiGatewayVpcLink
    IntegrationUri: !Ref SharedApplicationLoadBalancerListener
    PayloadFormatVersion: "1.0"
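
I also ran into the INTEGRATION_NETWORK_FAILURE error; I had created the ALB with the default scheme type (internet-facing) instead of internal. So changing the scheme did the trick (seems obvious now :-))

This may be the root cause of the 503 error. The VPC link needs to use private subnets. If I put public subnets together with private subnets, it returned 503 errors most of the time. After removing the public subnets from the VPC link, the problem was fixed.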
https://repost.aws/questions/QUR19Keq0OQ_qPin1MOBbvzA/http-api-alb-integration-5xx-errors
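
The three checks suggested by the answers above, combined into one offline preflight (an added example, not code from any of the posters): it flags an ALB whose scheme is not internal, VPC link subnets whose effective route table has an internet gateway route, and an access log format that lacks `$context.integrationErrorMessage`. The input dicts mirror the shape of the boto3 `describe_load_balancers`, `describe_route_tables`, `get_vpc_link` and `get_stage` responses; every ID in the sample is constructed and the finding labels are assumptions.

```python
# Added example: inputs are shaped like boto3 responses, all values constructed.

def has_igw_route(route_table):
    # A route whose GatewayId is an internet gateway makes the subnet public.
    return any((r.get("GatewayId") or "").startswith("igw-")
               for r in route_table.get("Routes", []))

def public_subnets(subnet_ids, route_tables):
    # Explicit subnet associations win; otherwise the VPC's main table applies.
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt.get("Associations", []) if "SubnetId" in a}
    main = next((rt for rt in route_tables
                 if any(a.get("Main") for a in rt.get("Associations", []))), None)
    effective = ((sid, explicit.get(sid, main)) for sid in subnet_ids)
    return [sid for sid, rt in effective if rt is not None and has_igw_route(rt)]

def preflight(vpc_link, load_balancer, route_tables, stage):
    # Returns a list of finding labels (hypothetical names); empty means clean.
    findings = []
    if load_balancer.get("Scheme") != "internal":
        findings.append("alb-not-internal")
    for sid in public_subnets(vpc_link.get("SubnetIds", []), route_tables):
        findings.append(f"vpclink-public-subnet:{sid}")
    fmt = stage.get("AccessLogSettings", {}).get("Format", "")
    if "$context.integrationErrorMessage" not in fmt:
        findings.append("access-log-missing-integration-error")
    return findings

# Constructed sample: one private and one public subnet on the VPC link,
# an internet-facing ALB, and a log format without integration variables.
ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}],
     "Associations": [{"Main": True}]},
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-public1"}]},
]
VPC_LINK = {"SubnetIds": ["subnet-private1", "subnet-public1"]}
ALB = {"Scheme": "internet-facing"}
STAGE = {"AccessLogSettings": {"Format": '{"status":"$context.status"}'}}

if __name__ == "__main__":
    for finding in preflight(VPC_LINK, ALB, ROUTE_TABLES, STAGE):
        print(finding)
```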