By using AWS re:Post, you agree to the Terms of Use

Private Route 53 to API Gateway


Desired Scenario:

  • Private Route 53
  • To API Gateway
  • To Lambda
  • … and so on Why Route 53 for this private situation? Reason: The thought is that the API-gateway is ugly to hit without Route 53.

To add in case it matters to someone here: The request to our AWS solution from an internal non-AWS system will be something like once every 10 minutes. Also, we will be putting in fail-over for this solution.

Have Done So Far

We set up the API Gateway to the Lambda. Investigated the heck out of Route 53 and more. and more. Getting slightly buried in great documentation and sorting out hot-new vs older approaches:

Note: How we set up the API Gateway to the Lambda was via CDK’s LambdaRestApi and lambda.Function using @aws-cdk/aws-apigateway and @aws-cdk/aws-lambda respectively. May refactor this via . Need to look at this later when time or tonight.

Request for Help

Conceptually, what should we be looking at? Bonus points: What topic should I post CDK posts at? This might warrant its own post elsewhere :)

2 Answers
Accepted Answer

I will complain about the solution with NLB. Why? It's not serverless anymore because NLB is alive all the time and you need to pay for it. Using API Gateway and Lambda we can pay only for usage.

But going back to the question.

FinneyCanHelp, is it a private API Gateway?

If not, you can easily go with CustomDomain available in API Gateway.

If yes, you need to make some tricks. You can go with the solution from Oli or use Route53 alias. In this doc, you can find all methods of invoking Private API Gateway.

profile picture
answered 10 months ago
  • "private API Gateway" = true

  • Then you can use the automatically created Route53 alias to communicate with private API Gateway as I linked above. It will automatically route your traffic through VPC Endpoint to the API Gateway. But remember to add resource policy to API Gateway to limit traffic only from your VPC or from VPC Endpoint.

    Btw. how are you communicating from non-AWS workload to private resources in the VPC?

  • In regards to "how are you communicating from non-AWS workload to private resources in the VPC?" AWS Direct Connect is part of it from what I understand. In the past, others used VPCE's to route an AWS-thing's traffic from non-AWS to AWS over a private Direct Connect

    • VPC: Virtual Private Cloud
    • VPCE: VPC Endpoint

    Use VPCE (of type Interface) to route traffic from non-AWS-system to AWS Route 53. Route 53 to API-Gateway API-Gateway to Lambda

    This is related: and reading the Conclusion at the bottom is important.


If I understand you correctly, you would like to front API Gateway with a friendly hostname configured in Route53. If this is what you are after, consider this post - . It's currently an easy workaround that you can use by fronting an NLB with API Gateway but using a custom domain name for your private API Gateway resources.

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions