I'm trying to have an EC2-managed WebSocket connection fronted by an API Gateway for authorization and to limit the exposed surface area of the host.
There is currently a service running in EKS with private nodes behind an internal NLB. I can initiate WebSocket sessions through the NLB directly (while inside the network). How can I put API Gateway in front of this setup?
I've tried setting up a RESTful API Gateway with the NLB as a VPC Link proxy resource, as per https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-nlb-for-vpclink-using-console.html. However, trying to make wss:// connections returns a 301.
WebSocket-type API Gateways seem to want to handle the WebSocket connection themselves, and handle each new message / request independently. I couldn't figure out a way to let my service manage the connection and all incoming messages / requests.
Is there a way to accomplish this, or do I have to publicly expose my load balancer?