
How is SSL termination done at the AWS API Gateway?

Is it possible to do SSL termination at the AWS API Gateway itself rather than terminating at a downstream application load balancer (ALB)? I am considering an architecture that routes requests from API Gateway to a network load balancer (NLB) to Fargate container tasks using a VPC link. I prefer not to terminate SSL at the Fargate task level because I believe that requires application code changes, but without an ALB in the mix to do SSL termination, it seems I need to terminate either at the API Gateway or at the Fargate task level.

I found some sites that reference SSL termination at the API Gateway, but I don't see AWS docs about that and don't see how to do that via the AWS console. Is it possible, and if so, how is it done?

I've used info at these links:

  • Allow request from API Gateway to private ALB
  • https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/
Shawn asked Dec 18 '25 02:12


2 Answers

If you mean specifically AWS API Gateway, TLS termination will always happen at the gateway, since it only provides a TLS endpoint. It works as a proxy that only handles incoming HTTPS connections. You don't have the option to pass the incoming HTTPS call directly across the proxy. However, the backend can use other transports like HTTP or HTTPS.

You don't have to do anything special to turn on this behavior (TLS termination on the gateway), since it is the only way AWS API Gateway operates.

Everton answered Dec 20 '25 14:12


For AWS, yes, it happens on API Gateway, but in general it can happen either on the API Gateway or on the load balancer.

AdityaKapreShrewsburyBoston answered Dec 20 '25 16:12


