I want to set up my Amazon API Gateway private API as a target behind a load balancer. Then, I want to use an AWS account to access my private API from an Application Load Balancer or a Network Load Balancer.
Resolution
To access your private API through AWS Direct Connect or Amazon Route 53, see Invoke a private API. You can also use an interface virtual private cloud (VPC) endpoint to access an API Gateway private REST API in another AWS account.
The following resolution uses an Amazon Virtual Private Cloud (Amazon VPC) endpoint elastic network interface IP address. With this IP address, you can add your private API as a target to the load balancer.
Important: API Gateway doesn't support custom domain names for private APIs. As a workaround, you can attach a custom domain to a load balancer, and then use the following setup to invoke the private API through the load balancer.
Create an Amazon VPC endpoint
Complete the following steps:
- Open the Amazon VPC console.
- Choose Endpoints, and then choose Create endpoint.
- Enter the following information:
For Services, choose com.amazonaws.your-region.execute-api.
For VPC, select your Amazon VPC.
For Subnets, select two subnets in different Availability Zones (AZ IDs).
Note: If you have Amazon VPC endpoints already set up in your VPC with execute-api, then turn off private DNS.
- Choose Create endpoint.
- Select your endpoint, choose the Subnets tab, and then copy the IP addresses of the endpoint's network interfaces.
For more information, see Private REST APIs in API Gateway.
Create a private REST API and grant the Amazon VPC endpoint permission
Complete the following steps:
- Open the API Gateway console, and then choose Create API.
- For REST API, choose Build.
- In Settings, enter the following information:
For API name, enter a name for the API.
For Endpoint Type, choose Private.
For Endpoint IDs, enter the endpoint ID that you created.
- Choose Create API.
- In the navigation pane, choose Resource Policy.
- Enter the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": "vpce-081234d1ad408e"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/*/*"
        }
    ]
}
Note: Replace vpce-081234d1ad408e with your VPC endpoint ID. Also, replace arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID with the Amazon Resource Name (ARN) of your API.
- Choose Save.
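The policy above relies on an explicit Deny whose StringNotEquals condition matches any request that does not carry your VPC endpoint ID, including requests where aws:SourceVpce is absent. The following added example (not from the article or AWS) builds that policy from the placeholders you replace and evaluates it with a simplified model of IAM's Deny-overrides-Allow logic; the region, account ID, API ID and vpce-... values are constructed sample data.

```python
import fnmatch

def build_resource_policy(region, account_id, api_id, vpce_id):
    """Return the deny-unless-from-this-VPCE resource policy from the article,
    parameterised on the placeholders the article tells you to replace."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*/*/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn},
        ],
    }

def _condition_matches(condition, ctx):
    """Simplified model of two IAM string operators. When the key is missing from
    the request context, StringEquals is false and StringNotEquals is true, so the
    Deny statement applies and the policy fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True

def is_invoke_allowed(policy, method_arn, ctx):
    """Decide execute-api:Invoke on method_arn for a request context (a dict of
    condition keys). Explicit Deny wins; no matching Allow is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not fnmatch.fnmatchcase(method_arn, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Run it against a request context with your own endpoint ID, a different endpoint ID, and no aws:SourceVpce key at all to confirm that only the first is allowed.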
Create or import an AWS Certificate Manager public certificate
You can either request a public certificate, or import a certificate.
Create an Application Load Balancer or a Network Load Balancer
You can either create an Application Load Balancer, or create a Network Load Balancer.
Create the target group
Complete the following steps:
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- In the navigation pane, under Load Balancing, choose Load Balancers, and then choose Target Groups.
- Choose Create target group.
- Enter the following information:
For target type, choose IP addresses.
For Target group name, enter a name.
Application Load Balancer
For Protocol, choose HTTPS.
For Port, choose 443.
For VPC, select your VPC.
For Health check path, enter "/" and for Success codes, enter 200,403 so that the VPC endpoint shows as Healthy.
Network Load Balancer
For Protocol, choose TLS.
For Port, choose 443.
For VPC, select your VPC.
- Choose Next.
- For Specify IPs, enter the IP addresses that you copied in the Create an Amazon VPC endpoint section. Then, choose Add IPv4 address.
- Choose Create target group.
Configure the load balancer
Complete the following steps:
- Open the EC2 console.
- In the navigation pane, choose Load Balancers, and then choose Create Load Balancer.
Application Load Balancer
For Scheme, choose either Internet-facing or Internal depending on your configuration.
For Protocol, choose HTTPS.
For VPC and subnets, select your VPC and subnets.
Network Load Balancer
For Scheme, choose either Internet-facing or Internal depending on your configuration.
For Protocol, choose TLS.
For VPC and subnets, select your VPC and subnets.
For Security policy, select the default policy ELBSecurityPolicy-TLS (recommended).
For Default SSL/TLS certificate, choose From ACM.
Choose Select a certificate, and then select your certificate.
- Choose Create load balancer.
Note: The load balancer targets are the IP addresses of the elastic network interfaces that the VPC endpoint created. To find those elastic network interfaces, select your VPC endpoint, and then open the Subnets tab.
Create a record in an Amazon Route 53 public or private hosted zone
Create a public hosted zone or a private hosted zone. Then, create a CNAME or an alias record and associate it with your Application or Network Load Balancer.
Create a Custom Domain
Create a custom domain in the API Gateway console. Then, map the private REST API under the custom domain.
Testing
For public load balancers, make a curl request from your local machine. For private load balancers, launch a new EC2 instance in one of the subnets for your load balancer. Then, make a curl request similar to the following example:
curl -v https://<custom-domain-name>/<resource-path>
A successful request returns a 200 OK response code. An unsuccessful request returns a 403 Forbidden response code or a DNS resolution error. If you encounter any issues, then see Troubleshoot your Application Load Balancers.
Related information
How do I connect to a private API Gateway over a Direct Connect connection?
How do I troubleshoot issues when connecting to an API Gateway private API endpoint?
Monitor REST API execution with Amazon CloudWatch metrics
Set up CloudWatch logging for REST APIs in API Gateway