I want to access Amazon API Gateway private APIs from my Amazon Virtual Private Cloud (Amazon VPC) and maintain connectivity to my public APIs.
Short description
API Gateway private REST APIs can be accessed from Amazon VPC interface endpoints. However, you might not be able to connect to private and public APIs at the same time, depending on whether private DNS is turned on or off for the endpoint.
Resolution
Create a VPC interface endpoint for API Gateway
Complete the following steps:
- Open the VPC console.
- Choose Endpoints, and then choose Create endpoint.
- For Type, choose AWS Services.
- In the Services search bar, enter execute-api.
- For Service Name, choose com.amazonaws.region.execute-api.
- Choose the VPC dropdown list, and then select the VPC that you want to use to create the VPC endpoint.
- (Optional) To turn off private DNS, choose Additional settings, and then uncheck Enable Private DNS Name.
Note: Private DNS is turned on by default.
- For Subnets, select your subnets.
- For Security groups, select the security groups that you want to associate with the endpoint network interfaces.
- Choose Create endpoint.
- Choose the Details tab, and then note the Endpoint ID to use in the next section.
For more information, see Create a VPC endpoint.
Create a private API
Complete the following steps:
- Open the API Gateway console.
- Choose Create API.
- For REST API Private, choose Build.
Note: A private REST API is only available from within a VPC.
- For API name, enter a name for your private API.
- For VPC endpoint IDs, enter your VPC endpoint ID, and then choose Add.
- Choose Create API.
- Deploy your API to a stage.
For more information, see Create a private API.
Create a public API
Complete the following steps:
- Open the API Gateway console.
- Choose Create API.
- For HTTP API or REST API, choose Build.
- For API name, enter a name for your public API.
- Choose Create API.
For more information, see Create an HTTP API.
Connect to public APIs with private DNS turned on
Important: Your VPC resources must have internet connectivity to connect to your public APIs.
To connect to public APIs with private DNS turned on, set up an edge-optimized custom domain name or a Regional custom domain name. You can then invoke the API Gateway public API with the custom domain name, such as api.example.com. Connectivity to your private REST APIs continues to work through the private REST API endpoint.
If you want to connect from an on-premises network, then set up an Amazon Route 53 resolver inbound endpoint. To use the execute-api invoke URL, forward all the private DNS queries from your on-premises network to the inbound endpoint.
Connect to private APIs with private DNS turned off
Note: The default execute-api invoke URL can't connect to private REST APIs with private DNS turned off.
To connect to private APIs with private DNS turned off, create a private hosted zone for your custom domain in Route 53. In the private hosted zone, add an A record for your API identifier. Point the A record to the IP addresses of the interface VPC endpoint to use the default execute-api invoke URL of the private REST API.
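The following Terraform configuration is an added example (not from this article or AWS) of the setup described above: an execute-api interface endpoint with private DNS turned off, a private hosted zone, and an A record that maps the private API's default invoke hostname to the endpoint network interface IP addresses. It assumes the variables vpc_id, subnet_ids, endpoint_sg_id, region and private_api_id are supplied by you, and that the default invoke hostname has the form {api-id}.execute-api.{region}.amazonaws.com.

```hcl
variable "vpc_id"         { type = string }
variable "subnet_ids"     { type = list(string) }
variable "endpoint_sg_id" { type = string }
variable "region"         { type = string }
variable "private_api_id" { type = string } # ID of the private REST API (placeholder)

# Interface endpoint for execute-api with private DNS turned off, so the
# public execute-api hostnames keep resolving to their public addresses.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [var.endpoint_sg_id]
  private_dns_enabled = false
}

# One network interface is created per subnet; read each one to get its
# private IP. count is used (not for_each) because the interface IDs are
# unknown at plan time, while the number of subnets is known.
data "aws_network_interface" "endpoint" {
  count = length(var.subnet_ids)
  id    = tolist(aws_vpc_endpoint.execute_api.network_interface_ids)[count.index]
}

# Private hosted zone for the execute-api domain, associated with the VPC.
# Only names you add here resolve privately; everything else under the
# execute-api domain still resolves publicly.
resource "aws_route53_zone" "execute_api" {
  name = "execute-api.${var.region}.amazonaws.com"
  vpc {
    vpc_id = var.vpc_id
  }
}

# A record for the private API identifier pointing at the endpoint IPs, so
# the default invoke URL of the private API resolves to the VPC endpoint.
resource "aws_route53_record" "private_api" {
  zone_id = aws_route53_zone.execute_api.zone_id
  name    = "${var.private_api_id}.execute-api.${var.region}.amazonaws.com"
  type    = "A"
  ttl     = 60
  records = data.aws_network_interface.endpoint[*].private_ip
}
```

After applying, the private API's default invoke URL resolves to the endpoint from inside the VPC, while public API hostnames are unaffected because no record exists for them in the private zone.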
Related information
Invoke a private API
Control and manage access to REST APIs in API Gateway
How do I access a private API Gateway API when the VPC endpoint uses an on-premises DNS?
Why do I get an HTTP "403 Forbidden" error when I try to connect to my API Gateway public APIs from a VPC?