Hello, I'm new to Retool. I'm helping someone in my organization evaluate using it. We want to connect it to APIs that are hosted in a private AWS VPC. I read this document: Access a Private AWS Resource
Our internal API services are fronted by a private ALB. Routing is managed at the ALB with host name headers to target groups. Using the linked approach of putting an NLB in front of the ALB, is it possible to set host headers on the Retool side so that API requests will route properly through the internal ALB?
I was able to make some progress. I got an NLB set up and connected to an ALB with security groups in place. We have TLS termination in place on the ALB. How do I configure an API resource under Retool with this setup? I have an Elastic IP address for the NLB as described in the linked doc. I have services with domains and SSL certificates set up on the ALB. What settings do I need in Retool's API resource to connect to the private service through the exposed NLB IP?
Hi, just checking in again to see if there is any guidance for how to connect to VPC internal services with the NLB setup described on the Retool docs or if there are any other options for this type of connectivity.
Hey @PlatformDev! Thanks again for stopping by office hours.
If I understand correctly, your primary challenge at this point is just correctly routing the requests from Retool to the appropriate target group via your ALB - is that right? In your first post, you mention that you want to manage this with a Host header. Assuming that is still the case, you can set request headers when configuring the resource within Retool.
Note that I'm using my NLB's AWS-assigned address as the base URL in the above example, but you could just as easily use an elastic IP. The other important thing to keep in mind is the fact that you'll need to add Retool's cloud addresses to the allowlist for your NLB's security group.
That should hopefully get you unstuck, but let me know if I'm missing something or if you have any follow up questions!
@Darren Thanks for getting back to me. Our current blocker is SSL termination on the ALB. Requests coming through the NLB need to set SNI host with the ALB expected domain.
I can do this with curl where xx.xx.xx.xx is the NLB EIP and myapp.example.com is the host configured for SSL termination on the internal ALB. This routes a request from external into the VPC internal application and gets a response.
I don't see anywhere on the "Configure Rest API" screen where I can configure the SNI host. Setting an HTTP header with Host: myapp.example.com doesn't work for SSL negotiation.
Are there any options for connecting a REST API resource to a VPC internal ALB? It doesn't seem like VPC peering is supported. I only did this NLB setup based on a document found on Retool's documentation site.
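The point in the post above is that SNI and the HTTP `Host` header are two different fields carried at two different layers: the ALB picks its certificate from the `server_name` extension in the TLS ClientHello, which is sent before a single byte of HTTP exists, so a `Host` header configured in Retool can never influence which certificate the ALB presents. The following example is added here to make that concrete; it is not code from the original thread or from Retool. It uses only the Python standard library: `build_client_hello` captures the real ClientHello OpenSSL emits for a given SNI without touching the network (via `ssl.MemoryBIO`), `extract_sni` parses the `server_name` extension back out of it, and `fetch_via_nlb` shows the working connection shape (dial the NLB's IP, present the ALB's hostname as SNI, then send the `Host` header) that the poster's curl invocation achieves. `ALB_HOSTNAME` and `NLB_ADDRESS` are placeholder values, not anything from the thread.

```python
import socket
import ssl
import struct
from typing import Optional

# Constructed placeholder values for this example; substitute your own.
ALB_HOSTNAME = "myapp.example.com"  # hostname on the ALB's certificate (assumed)
NLB_ADDRESS = "192.0.2.10"          # NLB Elastic IP (RFC 5737 documentation address, assumed)


def build_client_hello(sni: str) -> bytes:
    """Return the TLS ClientHello OpenSSL would send for this SNI, produced with no network I/O."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, client now waits for a ServerHello we never supply
    return outgoing.read()


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the host_name from its server_name extension."""
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                     # skip record header, handshake header, client_version, random
    pos += 1 + client_hello[pos]         # session_id (1-byte length + bytes)
    (suites_len,) = struct.unpack_from("!H", client_hello, pos)
    pos += 2 + suites_len                # cipher_suites
    pos += 1 + client_hello[pos]         # compression_methods
    if pos + 2 > len(client_hello):
        return None                      # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", client_hello, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos)
        pos += 4
        if ext_type == 0x0000:           # server_name extension (RFC 6066)
            # ServerNameList: 2-byte list length, then name_type (0 = host_name), 2-byte length, name
            (name_len,) = struct.unpack_from("!H", client_hello, pos + 3)
            return client_hello[pos + 5: pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def build_http_request(host_header: str, path: str = "/") -> bytes:
    """The HTTP/1.1 request; it is only sent after the TLS handshake has already completed."""
    return f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode()


def fetch_via_nlb(ip: str, sni: str, host_header: str, path: str = "/", port: int = 443) -> bytes:
    """Dial the NLB address but present the ALB's hostname as SNI, then send the Host header.

    Network-touching; equivalent to: curl --resolve <sni>:443:<ip> https://<sni>/
    Certificate verification is against `sni`, so a mismatched ALB certificate fails here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:  # SNI is fixed here, by no HTTP header
            tls.sendall(build_http_request(host_header, path))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    hello = build_client_hello(ALB_HOSTNAME)
    print("SNI carried in ClientHello:", extract_sni(hello))
    print("Any Host header inside ClientHello:", b"Host:" in hello)
    # fetch_via_nlb(NLB_ADDRESS, ALB_HOSTNAME, ALB_HOSTNAME) would perform the real request.
```

Running the script offline shows the SNI travelling in the handshake and no `Host:` bytes anywhere in it, which is why a resource whose base URL is a bare IP and whose only knob is a request header cannot reach the right certificate on a multi-certificate ALB. Any client that can be pointed at the NLB's IP while keeping the ALB hostname as SNI, whether the `--resolve` form of curl or `fetch_via_nlb` above, does work.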
Got it - that makes sense. I've done a fair bit of digging here and don't think there's currently a good solution, unfortunately. The general pattern of routing external traffic to the private ALB via an NLB is valid, but it unfortunately breaks down when there are multiple certificates defined on the ALB.
One option is to define additional ALBs for each resource that you're hitting from Retool, but I certainly recognize that such a setup isn't ideal. The other option that may initially seem more extreme - but could very well suit your use case - is to host your Retool instance within your VPC.