How to set VPC for API gateway v2 websocket connection using CloudFormation

Question

Unable to define Integration type 'VPC link' for a websocket route integration request using Cloudformation.

We don't use serverless, but have existing microservices delivering websocket functionality. These microservices run on a private network and are only available through a VPC link to the EKS cluster where they run on.

All of the online Cloudformation examples related to AWS API gateway/websockets use serverless integration.

I'm able to configure the integration type "VPC link" manually using the AWS Console, but there seems no support for doing so using Cloudformation. Or at least it's not clear at all on how to achieve this.

Cloudformation documentation also explicitly states that for AWS::APIGatewayV2::Integration.ConnectionType that the only available type is "INTERNET" and not the "VPC_LINK".

Anyone any idea if this is achievable, and if not, what other options do I have to automate this?

Infrastructure is setup using Terraform and I already needed to "fallback" to CloudFormation because of the lack of support for API Gateway/websockets, but it seems CloudFormation isn't supporting everything yet.

Answer 1

I am afraid I'm having a similar problem. I am unable to create API Gateway Websocket API integration with a private ALB (http integration) using VPC Link.

I can successfully integrate, using cloudFormation, an Api Gateway HTTP API with an internal ALB using VPC link as per this.

But, even though AWS::APIGatewayV2::Integration.ConnectionType supports both INTERNET and VPC_LINK as per documentation, it does not seem to work and the cloud formation stack fails with this error:

VpcLink V2 are not supported for WEBSOCKET Apis. Only Http Apis are supported. (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException

A cloud formation sample on how I attempted it

websocketApiGateway:
  Type: AWS::ApiGatewayV2::Api
  Properties:
    Name: websocket-gateway
    Description: Api Gateway for websocket
    ProtocolType: WEBSOCKET
    RouteSelectionExpression: $request.body.action

connectRoute:
  Type: AWS::ApiGatewayV2::Route
  Properties:
    ApiId: !Ref websocketApiGateway
    RouteKey: $connect
    AuthorizationType: NONE
    OperationName: ConnectRoute
    RouteResponseSelectionExpression: $default
    Target: !Join
      - /
      - - integrations
        - !Ref connectIntegration

connectIntegration:
  Type: AWS::ApiGatewayV2::Integration
  Properties:
    ApiId: !Ref websocketApiGateway
    Description: Websocket $connect integration
    IntegrationType: HTTP_PROXY
    IntegrationMethod: ANY
    ConnectionType: VPC_LINK
    ConnectionId: !Ref privateLink
    IntegrationUri: # with VPC_LINK I can't use a well formed url, it's necessary to use the ALB's ARN
      Fn::ImportValue: alb-http-listener-id
    RequestParameters:
      "integration.request.header.domainName": "context.domainName"
      "integration.request.header.stage": "context.stage"
      "integration.request.header.connectionId": "context.connectionId"
    PayloadFormatVersion: 1.0

privateLink:
  Type: AWS::ApiGatewayV2::VpcLink
  Properties:
    Name: private-link
    SecurityGroupIds:
      - !Ref securityGroup
    SubnetIds:
      - !Ref privateNetworkA
      - !Ref privateNetworkB
      - !Ref privateNetworkC

If anyone has further information, please do post it. This lack of support and confusing documentation is unfortunate.

Answer 2

I stumbled upon the same issue. I think I solved it by using stage variables, like the API Gateway web console suggests. So you need to set ConnectionID to the string ${stageVariables.vpcLinkId}. You would need to create a AWS::ApiGatewayV2::Stage resource, that has a stage variable called vpcLinkId, and contains the ID of the VPC link (which you can !Ref). Finally the IntegrationUri needs to be set/constructed using http:// appended with the ALB's DNS name. This will let you successfully create the VPC integration.

I'm still figuring out if IntegrationType should be HTTP or HTTP_PROXY, and if creating request and/or response templates is required.. But that's another issue :-)