All the options you've listed are valid, although it looks like the first two are mixing prod and non-prod environments, which you don't want to do.
The 3rd option (if technically possible) is the cleanest. You could configure the on-premises resolvers to either override the CNAME resolution (example for BIND: https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html) or just create local zones for their private API hostnames ({restapi-id}.execute-api.{region}.amazonaws.com) and include A records directly to the IP addresses of the API endpoints (they don't change).
One additional option that comes to mind would be to deploy ALBs in front of the Private API endpoints. It's still a proxy approach, but at least using managed services instead of NGINX.
API requests would go to an internal ALB first (using any domain/hostname), which would forward them to the IP addresses of the Private API endpoints (again, the IPs don't change). One extra step required would be to create appropriate mappings under the "Custom Domain" tab of API Gateway and correlate the domain used on the ALB with the actual API. Because private mapping is not included, you would create it as a regional or edge mapping and it would still work.
Tom
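The "local zone" variant of the third option, as an added example that is not part of the answer above: a script that writes a BIND zone and named.conf stanza for exactly one private API hostname so that on-premises clients resolve it to the interface endpoint's ENI addresses. The API id, region and IPs are constructed placeholders; scoping the zone to the single execute-api hostname (rather than a parent domain) keeps every other amazonaws.com name resolving normally.

```shell
#!/bin/sh
# Added example, not from the original post. Overrides resolution of one
# {restapi-id}.execute-api.{region}.amazonaws.com hostname on a BIND resolver.
# Placeholder values: replace with your API id, region and the interface VPC
# endpoint ENI IPs shown in the VPC console (one per subnet/AZ).
API_HOST="a1b2c3d4e5.execute-api.us-east-1.amazonaws.com"
ENDPOINT_IPS="10.0.1.10 10.0.2.10"
ZONE_DIR="${ZONE_DIR:-/etc/bind/zones}"

# Write a zone file for host $1 with apex A records for each IP in $2 (space
# separated) plus a named.conf stanza, both into directory $3. Prints the path
# of the zone file. The apex ("@") is the API hostname itself, so the Host
# header sent by clients still matches what API Gateway expects.
write_private_api_zone() {
    host="$1"; ips="$2"; dir="$3"
    zonefile="$dir/db.$host"
    mkdir -p "$dir"
    {
        printf '$TTL 300\n'
        printf '@ IN SOA ns.internal.example. hostmaster.internal.example. ( 1 3600 900 604800 300 )\n'
        printf '@ IN NS  ns.internal.example.\n'
        for ip in $ips; do
            printf '@ IN A   %s\n' "$ip"
        done
    } > "$zonefile"
    printf 'zone "%s" { type master; file "%s"; };\n' "$host" "$zonefile" > "$dir/$host.conf"
    echo "$zonefile"
}

# Validate the zone syntax before reloading; named-checkzone ships with BIND.
check_zone() {
    host="$1"; zonefile="$2"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$host" "$zonefile"
    fi
}

main() {
    zf=$(write_private_api_zone "$API_HOST" "$ENDPOINT_IPS" "$ZONE_DIR")
    check_zone "$API_HOST" "$zf"
    echo "include \"$ZONE_DIR/$API_HOST.conf\";  # add to named.conf, then run: rndc reconfig"
}

# Only touch the live resolver when explicitly asked: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

After reloading, confirm from an on-premises host that the hostname resolves only to the ENI addresses (for example with `dig +short`) before pointing clients at it.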