API Gateway Proxy to API Gateway


I was building a serverless API with Lambdas when I encountered an issue regarding Authorizer quotas. However, to bypass it, I thought about splitting the API into several APIs and then rejoining them with an API Gateway.

So, originally I had the following APIs:

  • Service API
    • /path1/operation1
    • /path1/operation2
    • /path2/operation3
    • /path2/operation4
  • Internal API
    • /some-other-ops

And, after splitting the Service API, my idea was to come up with this:

  • Path1 API
    • /operation1
    • /operation2
  • Path2 API
    • /operation3
    • /operation4
  • Service API
    • /path1/{proxy+} > Path1 API
    • /path2/{proxy+} > Path2 API
  • Internal API
    • /some-other-ops

My concern here is about egress traffic. When doing such an HTTP proxy from one API Gateway to another API Gateway, I'm specifying the "public" execute endpoint of the API, hence making HTTP requests. Do these requests leave the AWS network, or is API Gateway aware that we are making "internal" requests to a public endpoint (so traffic is not duplicated and does not count towards egress traffic billing)?

Also, if someone has a better solution about how the original Service API can be split, all help is very much appreciated. Thanks!

  • This sounds relatively complicated for a pretty mundane problem. I would look into having your service quota increased first before going too much further with this approach. And going out on a limb, but considering how you configure proxying by providing the domain name, I would highly doubt it would "detect" and attempt to redirect traffic. Very likely it has to go over the open internet and would count against egress traffic costs.

    https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html

  • Thanks for the comment @Dakota. Yeah, I have already requested the quota increase, but I'm still pushing forward with this solution as I may reach the limit again (and, well, I would need to request a Quota increase in every region/account, and the SLA of the team which handles that Quota takes a few days to respond). I think I was able to come up with quite an elegant solution, which is using a custom domain name. Basically, I now have a custom domain (api.example.org), and I'm using Base Path Mappings to point to each Path API (api.example.org/path1 -> Path1 API, etc.).
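Both layouts discussed in the question and the comment thread, written out as an added Terraform example (this is not code from the original post). It shows the `/path1/{proxy+}` HTTP_PROXY integration from the question next to the custom-domain base path mapping from the comment above. Resource names (`service`, `path1`), `var.region`, `var.stage_name`, `var.certificate_arn` and the domain `api.example.org` are assumptions; deployments and stages for the two APIs are omitted and assumed to exist under `var.stage_name`.

```hcl
# Added example, not from the original post. Names and variables below are
# assumptions for illustration; API deployments/stages are omitted.

variable "region"          { default = "eu-west-1" }
variable "stage_name"      { default = "prod" }
variable "certificate_arn" { description = "ACM certificate for api.example.org (assumed)" }

# Downstream API that owns /operation1 and /operation2.
resource "aws_api_gateway_rest_api" "path1" {
  name = "path1-api"
}

# --- Option A (question): front "Service API" that proxies /path1/* ---

resource "aws_api_gateway_rest_api" "service" {
  name = "service-api"
}

resource "aws_api_gateway_resource" "path1" {
  rest_api_id = aws_api_gateway_rest_api.service.id
  parent_id   = aws_api_gateway_rest_api.service.root_resource_id
  path_part   = "path1"
}

# Greedy path variable: /path1/{proxy+} matches /path1/operation1, /path1/a/b, ...
resource "aws_api_gateway_resource" "path1_proxy" {
  rest_api_id = aws_api_gateway_rest_api.service.id
  parent_id   = aws_api_gateway_resource.path1.id
  path_part   = "{proxy+}"
}

resource "aws_api_gateway_method" "path1_proxy" {
  rest_api_id   = aws_api_gateway_rest_api.service.id
  resource_id   = aws_api_gateway_resource.path1_proxy.id
  http_method   = "ANY"
  authorization = "NONE" # attach the front authorizer here if one is used
  request_parameters = {
    "method.request.path.proxy" = true
  }
}

# HTTP_PROXY integration to the public execute-api endpoint of the Path1 API.
# The remainder of the path is forwarded through the proxy parameter; without
# the request_parameters mapping, the {proxy} placeholder in the URI stays empty.
resource "aws_api_gateway_integration" "path1_proxy" {
  rest_api_id             = aws_api_gateway_rest_api.service.id
  resource_id             = aws_api_gateway_resource.path1_proxy.id
  http_method             = aws_api_gateway_method.path1_proxy.http_method
  integration_http_method = "ANY"
  type                    = "HTTP_PROXY"
  uri                     = "https://${aws_api_gateway_rest_api.path1.id}.execute-api.${var.region}.amazonaws.com/${var.stage_name}/{proxy}"
  request_parameters = {
    "integration.request.path.proxy" = "method.request.path.proxy"
  }
}

# --- Option B (comment): no front API; custom domain with base path mappings ---

resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.org"
  regional_certificate_arn = var.certificate_arn
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

# api.example.org/path1/operation1 -> Path1 API stage, path /operation1.
# Routing is done by API Gateway itself: no second hop and no proxy
# integration to maintain.
resource "aws_api_gateway_base_path_mapping" "path1" {
  api_id      = aws_api_gateway_rest_api.path1.id
  stage_name  = var.stage_name
  domain_name = aws_api_gateway_domain_name.api.domain_name
  base_path   = "path1"
}
```

One check worth making in either layout: the Path1 API's own `execute-api` URL remains publicly reachable, so an authorizer on the front Service API does nothing for requests sent straight to the backend. Each downstream API needs its own authorizer (or a resource policy restricting who may invoke it), which is also why option B, where there is no front API to authorize at all, is the simpler design.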

1 Answer

I 100% agree with the comment above - this is adding a lot of complexity for not much extra gain. If you are running very large services where the service limits are going to impact you then I'd suggest that running those APIs in different accounts without a front-end API is a better idea. Otherwise you're just moving the limit problem around.

And if you are operating at that scale I'd also recommend reaching out to your local AWS Solutions Architect to talk about what patterns will work better for you.

To answer your other question though: Traffic between AWS services always stays on the Amazon backbone network. This is called out in the VPC FAQ where it talks about two instances communicating via public IP addresses - this is also true for (in this case) API Gateway calling another API Gateway.

AWS EXPERT, answered a year ago
