I'm trying to set up a public API Gateway that communicates through a VPC Link to an internal ALB/NLB combination since direct connections to the ALB aren't possible. I need to ensure that all traffic remains encrypted from the API Gateway right through to the resource provider. If I consider using a private certificate authority for my back-end resources, it turns out that API Gateway won't trust it, which is a problem for me since I don't want to use the insecureSkipVerification option. I thought about creating a public certificate and using it with a private hosted zone under the same domain name to avoid this issue. What do you think? Any advice?
3 Answers
Using a public certificate is totally fine! You don’t even need a private hosted zone, just stick with a public one.
Why not consider going multi-cloud? Using something like Oracle API Gateway can allow for a private CA. You will need an interconnect between OCI and AWS to reach the AWS internal ALB from the OCI API Gateway, but it could be worth it if you want to utilize the best service for this task!
Exactly, you should go for public certificates if you want to avoid the insecureSkipVerification flag. That flag just tells the API Gateway to ignore any untrusted cert issues. Since you have control over the whole communication setup, it’s actually not as daunting as it seems. You're linking AWS API Gateway to your VPC via VPC Link and configuring it to point to an NLB and ALB that you manage. Keeping it simple with a public certificate from a trusted CA recognized by AWS API Gateway is the way to go in my opinion.
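To make the advice in the answers concrete, here is an added example (not posted by anyone in this thread) of how the REST API integration looks when it is expressed as an OpenAPI definition with the `x-amazon-apigateway-integration` extension. The API title, the backend hostname `backend.example.com` and the `VPCLINK_ID_PLACEHOLDER` value are assumed placeholders; the property names are the documented ones. The point is the `tlsConfig` block: `insecureSkipVerification: false` is the setting that keeps the API Gateway checking the backend certificate, which is what makes a publicly trusted certificate necessary in the first place.

```yaml
openapi: "3.0.1"
info:
  title: internal-alb-proxy   # assumed name
  version: "1.0"
paths:
  /{proxy+}:
    x-amazon-apigateway-any-method:
      parameters:
        - name: proxy
          in: path
          required: true
          schema:
            type: string
      x-amazon-apigateway-integration:
        type: http_proxy
        httpMethod: ANY
        connectionType: VPC_LINK
        # Placeholder: the id of the VPC Link that fronts the NLB
        connectionId: "VPCLINK_ID_PLACEHOLDER"
        # Assumed hostname. It must be listed in the SAN of the
        # certificate the ALB/NLB presents, because this is the name
        # API Gateway verifies the backend certificate against.
        uri: "https://backend.example.com/{proxy}"
        requestParameters:
          integration.request.path.proxy: method.request.path.proxy
        tlsConfig:
          # false (the default) keeps certificate validation on.
          # Setting this to true would silence untrusted-CA errors
          # from a private CA, but the backend then goes unauthenticated.
          insecureSkipVerification: false
```

Keeping `insecureSkipVerification` at `false` means the backend certificate must chain to a CA that API Gateway already trusts and must carry the hostname used in `uri`, which is exactly why a public certificate for that name works while a private CA does not.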

Haha, I didn’t see your comment fast enough to be the first one to laugh! Seriously though, I don't get why you were downvoted for this!