feat(apigateway): alb integration #36247

Open
badmintoncryer wants to merge 40 commits into aws:main from badmintoncryer:alb

badmintoncryer (Contributor) commented Nov 30, 2025

Issue # (if applicable)

Closes #36184

Reason for this change

REST API now supports private integration with ALB using VPC Link V2, without requiring a Network Load Balancer as an intermediary.

https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html

Description of changes

Added a new AlbIntegration class that enables direct integration between API Gateway REST API and Application Load Balancers using VPC Link V2.

  • Automatic VPC Link V2 creation if not provided
  • VPC Link reuse for multiple ALBs in the same VPC
  • Support for both proxy (HTTP_PROXY) and custom (HTTP) integration types
  • Support for imported ALBs with VPC information

Security Group Handling

The security group configuration follows the same pattern as the existing HTTP API (APIGatewayV2) ALB integration (HttpAlbIntegration):

  • By default, VpcLink is created with empty SecurityGroupIds (no security groups attached)
  • Users can optionally provide a custom VpcLink with explicit security groups for stricter security controls

This design ensures consistency between REST API and HTTP API when integrating with ALBs.

Describe any new or updated permissions being added

No new IAM permissions are added.

Description of how you validated changes

Add both unit and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team November 30, 2025 15:33
@github-actions github-actions bot added p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Nov 30, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Nov 30, 2025
badmintoncryer (Contributor, Author) commented Dec 4, 2025

  • Review unit test
  • investigate vpc link security group setting

@aws-cdk-automation aws-cdk-automation removed the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Dec 6, 2025
github-actions bot (Contributor) commented Dec 6, 2025

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.


Tests | Passed ✅ | Skipped | Failed
Security Guardian Results | 48 ran | 48 passed

Test | Result
No test annotations available

github-actions bot (Contributor) commented Dec 6, 2025

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.


Tests | Passed ✅ | Skipped | Failed
Security Guardian Results with resolved templates | 48 ran | 48 passed

Test | Result
No test annotations available

@badmintoncryer badmintoncryer marked this pull request as ready for review December 7, 2025 02:39
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 7, 2025
@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Feb 9, 2026
…uardian

Set `open: false` on ALB listener to prevent automatic 0.0.0.0/0
ingress rule creation, fixing ec2-no-open-security-groups.guard check.
The ALB is internal (internetFacing: false) so open ingress is unnecessary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Mar 18, 2026
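
Both security-group points raised in this thread (the default VPC Link with empty SecurityGroupIds, and the listener's automatic 0.0.0.0/0 ingress rule) can be checked on the synthesized CloudFormation template. The following is an added example, not code from the PR or from Security Guardian; `auditTemplate`, the issue names and the sample template are constructed for illustration, and the check is a simplification rather than the ec2-no-open-security-groups Guard rule itself.

```typescript
// Added example: audit a synthesized template for the two conditions discussed in this PR.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
type Finding = { id: string; issue: string };

// True when an ingress rule admits any IPv4 or IPv6 source address.
function isOpen(rule: Record<string, any>): boolean {
  return rule.CidrIp === "0.0.0.0/0" || rule.CidrIpv6 === "::/0";
}

function auditTemplate(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    const props: Record<string, any> = res.Properties ?? {};
    if (res.Type === "AWS::EC2::SecurityGroup") {
      // Inline ingress rules on the group itself.
      const rules: Record<string, any>[] = props.SecurityGroupIngress ?? [];
      if (rules.some(isOpen)) findings.push({ id, issue: "open-ingress" });
    } else if (res.Type === "AWS::EC2::SecurityGroupIngress") {
      // Stand-alone ingress rule resource.
      if (isOpen(props)) findings.push({ id, issue: "open-ingress" });
    } else if (res.Type === "AWS::ApiGatewayV2::VpcLink") {
      // VPC Link V2 with no security groups attached (the default described above).
      const groups: unknown[] = props.SecurityGroupIds ?? [];
      if (groups.length === 0) findings.push({ id, issue: "vpclink-no-security-groups" });
    }
  }
  return findings;
}

// Constructed sample; resource names and IDs are placeholders, not from the PR.
const sampleTemplate: Template = {
  Resources: {
    OpenAlbSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: { SecurityGroupIngress: [{ CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 80, ToPort: 80 }] },
    },
    ScopedAlbSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: { SecurityGroupIngress: [{ CidrIp: "10.0.0.0/16", IpProtocol: "tcp", FromPort: 80, ToPort: 80 }] },
    },
    DefaultVpcLink: {
      Type: "AWS::ApiGatewayV2::VpcLink",
      Properties: { Name: "default-link", SubnetIds: ["subnet-EXAMPLE"], SecurityGroupIds: [] },
    },
  },
};
```

To use it on a real stack, pass the parsed JSON of the synthesized template to `auditTemplate` in place of `sampleTemplate`.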
Labels

  • distinguished-contributor: [Pilot] contributed 50+ PRs to the CDK
  • effort/medium: Medium work item – several days of effort
  • feature-request: A feature should be added or improved.
  • p1
  • pr/needs-further-review: PR requires additional review from our team specialists due to the scope or complexity of changes.
  • pr/needs-maintainer-review: This PR needs a review from a Core Team Member

Development

Successfully merging this pull request may close these issues.

apigateway: Support VPCLinkv2 for REST API v1

5 participants