How to use custom domain name with private API gateway

0

We have a private API Gateway and we need to use a custom domain name; however, based on the AWS docs, this is not supported: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html Is there any workaround?

2 Answers
0
Accepted Answer

You’re correct: ACM validation of a public TLS certificate requires a public hosted zone or a public domain name (a public DNS zone outside Route 53) that you own, because ACM validates public TLS certificates by either DNS validation or email validation, and both require a publicly accessible domain name or zone. https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html

Just to recap, what you need to do to generate a public TLS certificate and get it validated by ACM is the following:

  1. Using the ACM console, request a public TLS certificate for the public domain name that you will use. Example: api.example.com.
  2. Choose either DNS validation or email validation based on your preference.
  3. Wait for some time until ACM is able to validate the domain ownership.
  4. Once validated, ACM will generate the TLS certificate and you can associate it with your ALB/NLB and the API Gateway.

Let me know how it goes and I’ll be happy to assist.

AWS
answered 8 months ago
EXPERT
reviewed 6 months ago
  • Thanks for clarifying the ambiguity around public and private hosted zones with respect to TLS certificate generation in ACM. I went through the steps you provided and they worked perfectly. It would be nice to have private API Gateway support custom domain names natively without adding an additional layer of elastic load balancing. Nevertheless, at least we have a working solution. Thank you!

0

As you stated, private APIs do not support custom domain names. However, there is a workaround: https://serverlessland.com/repos/apigw-private-custom-domain-name

AWS
EXPERT
Uri
answered 8 months ago
  • Thanks for your reply. Based on the link you provided it says: “We use a private hosted zone in association with the VPC. The CNAME resolves to the FQDN of the private load balancer, in this example internal-0123-abcd.elb.us-east-1.amazonaws.com. The load balancer terminates TLS with the ACM certificate for private.internal.example.com. For more details, refer to the documentation on private hosted zones.”

    Now that implies that I can have a private hosted zone to generate the TLS certificate of my domain name in ACM too, which is confusing, because ACM validation of the TLS requires a public hosted zone and doesn’t work with PHZ. The repo that was shared includes an Email validation method using a PHZ. https://github.com/aws-samples/serverless-samples/blob/main/apigw-private-custom-domain-name/iac/certificate.yaml

    I’m a bit puzzled about this part.
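Putting the accepted answer's certificate procedure and the private-hosted-zone workaround from the second answer together, the CloudFormation template below is an added example; it is not code from the original page or from the linked aws-samples repository. It assumes a name api.example.com whose parent zone example.com is a public Route 53 hosted zone you control (used only for ACM DNS validation), a VPC with private subnets, and that the IP addresses of the private API's execute-api VPC endpoint are supplied as a parameter (the page does not show how those are obtained). The stack name, parameter names and the SSL policy are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not the page's or the AWS sample's own code). A public ACM
  certificate is validated through a PUBLIC hosted zone, while the name is
  resolved only inside the VPC through a PRIVATE hosted zone that points at an
  internal NLB terminating TLS with that certificate.

Parameters:
  DomainName:
    Type: String
    Default: api.example.com            # assumed; must be a name under a zone you own
  PublicHostedZoneId:
    Type: AWS::Route53::HostedZone::Id  # public zone for example.com, validation only
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  ExecuteApiEndpointIps:
    Type: CommaDelimitedList            # assumed: two ENI IPs of the execute-api VPC endpoint

Resources:
  # 1. Public certificate. With HostedZoneId set, CloudFormation writes the
  #    _acm-validations CNAME into the public zone and waits for ACM to validate.
  #    No A record for the name is ever published, so it does not resolve publicly.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref PublicHostedZoneId

  # 2. Internal load balancer that terminates TLS with the ACM certificate and
  #    re-encrypts (TLS target group) towards the execute-api VPC endpoint.
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Protocol: TLS
      Port: 443
      TargetType: ip
      VpcId: !Ref VpcId
      Targets:
        - Id: !Select [0, !Ref ExecuteApiEndpointIps]
        - Id: !Select [1, !Ref ExecuteApiEndpointIps]

  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: TLS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # assumed policy choice
      Certificates:
        - CertificateArn: !Ref Certificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  # 3. Private hosted zone for the FQDN itself (not for example.com), so only this
  #    one name is shadowed inside the VPC and other example.com records still
  #    resolve publicly from within it.
  PrivateHostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref DomainName
      VPCs:
        - VPCId: !Ref VpcId
          VPCRegion: !Ref AWS::Region

  # Alias A record to the internal NLB (the linked sample uses a CNAME; an alias
  # record is the equivalent for a zone apex).
  PrivateRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref PrivateHostedZone
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt LoadBalancer.DNSName
        HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID

Outputs:
  CertificateArn:
    Value: !Ref Certificate
  LoadBalancerDns:
    Value: !GetAtt LoadBalancer.DNSName
```

This is what resolves the confusion raised in the comment above: the private hosted zone never takes part in certificate validation. ACM only ever sees the public zone, where it finds its validation CNAME, and the private zone only decides what the name resolves to for clients inside the VPC. Two checks are worth running after deployment: from an instance in the VPC, `dig api.example.com` should return the NLB's private addresses, and `openssl s_client -connect api.example.com:443 -servername api.example.com` should present the ACM-issued certificate; from outside the VPC the name should not resolve at all. How the private API itself maps the incoming host name to an API and stage is not shown on this page and is left to the linked sample; whatever that mapping is, the API's resource policy should still restrict callers to the VPC endpoint (condition key `aws:SourceVpce`), since the load balancer does not authenticate clients.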
