Private API Gateway architecture

0

Hi, I am trying to follow best practices. For public API Gateways ("aws_api_gateway_rest_api") I associate an AWS WAF; should I do the same for private API Gateways?

Thanks Laeli

1 answer
0

Hello Laeli,

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks such as SQL injection and cross-site scripting (XSS). These attacks could affect API availability and performance, compromise security, or consume excessive resources [1].

It is best practice to add an additional security layer in front of your API Gateway when the API is exposed to a public network and the source of the requests is unknown. However, private APIs, by design, can only be accessed from your virtual private cloud in Amazon VPC by using an interface VPC endpoint [2]. Thus, it is not mandatory to use WAF with your private API.

Having said that, in case you are exposing your private API to a partner account (cross-account scenario) [3] and/or have a requirement for custom security checks based on rules that match a specified string or a regular expression pattern in HTTP headers, the method, the query string, the URI, or the request body, or that block specific user agents, then creating a custom web ACL and integrating WAF with the private API would be beneficial.

Should you still have additional queries or concerns, please feel free to reach out to AWS Premium Support with a support case and share more details on your specific use case for better assistance.

References:

[1] Using AWS WAF to protect your APIs - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

[2] Creating a private API in Amazon API Gateway - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

[3] How do I access a private API Gateway API from another account using a VPC endpoint - https://repost.aws/knowledge-center/api-gateway-private-cross-account-vpce

AWS
Support Engineer
answered 6 months ago
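As an added example (not part of the original answer or of AWS documentation), the Terraform below puts the two layers the answer describes side by side: the baseline for a private REST API, where reachability is limited by the interface VPC endpoint and a resource policy keyed on the aws:SourceVpce condition, and the optional regional web ACL for the cross-account or custom-rule case, here blocking one user-agent prefix. Resource names, the variables region, vpc_id, subnet_ids and vpce_security_group_ids, the user-agent string in the sample rule, and the stage aws_api_gateway_stage.prod (assumed to be declared elsewhere) are assumptions, not values from the page.

```hcl
variable "region" {}
variable "vpc_id" {}
variable "subnet_ids" { type = list(string) }
variable "vpce_security_group_ids" { type = list(string) }

# Layer 1: the interface endpoint is the only network path into a private API.
resource "aws_vpc_endpoint" "apigw" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = var.vpce_security_group_ids
  private_dns_enabled = true
}

# Resource policy: allow invocation only through the endpoint above, and
# explicitly deny everything else so a later, broader Allow cannot widen it.
data "aws_iam_policy_document" "private_api" {
  statement {
    effect    = "Allow"
    actions   = ["execute-api:Invoke"]
    resources = ["execute-api:/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.apigw.id]
    }
  }
  statement {
    effect    = "Deny"
    actions   = ["execute-api:Invoke"]
    resources = ["execute-api:/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.apigw.id]
    }
  }
}

resource "aws_api_gateway_rest_api" "private" {
  name   = "orders-private" # assumed name
  policy = data.aws_iam_policy_document.private_api.json
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.apigw.id]
  }
}

# Layer 2 (optional): a regional web ACL for the cross-account or custom-rule
# case. The sample rule blocks a user-agent prefix; the string is assumed.
resource "aws_wafv2_web_acl" "private_api" {
  name  = "private-api-acl"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "block-legacy-client"
    priority = 1
    action {
      block {}
    }
    statement {
      byte_match_statement {
        search_string         = "legacy-internal-client/1"
        positional_constraint = "STARTS_WITH"
        field_to_match {
          single_header {
            name = "user-agent"
          }
        }
        text_transformation {
          priority = 0
          type     = "LOWERCASE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-legacy-client"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "private-api-acl"
    sampled_requests_enabled   = true
  }
}

# WAF attaches to a stage, not to the REST API itself.
# aws_api_gateway_stage.prod is assumed to be declared elsewhere.
resource "aws_wafv2_web_acl_association" "private_api" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.private_api.arn
}
```

Two points are worth checking after apply. First, the resource policy, not the web ACL, is what keeps the API private: the explicit Deny on StringNotEquals aws:SourceVpce means a request that reaches execute-api by any other path is rejected before any rule runs, and for a cross-account partner you would add their endpoint ID to the values lists rather than relax the condition. Second, the web ACL association is per stage, so a stage without an association (for example a test stage) carries none of the rules; confirm the stage ARN is the one you expect before relying on the WAF layer.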
