I want to use an AWS account to access my private API from an Application Load Balancer or a Network Load Balancer.
Resolution
To access your private REST API through AWS Direct Connect or Amazon Route 53, see Invoke a private API. You can also use an interface Amazon Virtual Private Cloud (VPC) endpoint to access an API Gateway private REST API in another account.
The following resolution uses IP addresses that are assigned to an execute-api Amazon VPC endpoint. You can add your private REST API as a target to a load balancer with the VPC endpoint's IP addresses.
Create an Amazon VPC endpoint
Complete the following steps:
- Open the Amazon VPC console.
- Choose Endpoints, and then choose Create endpoint.
- For Services, choose com.amazonaws.your-region.execute-api.
- For VPC, select your Amazon VPC.
- For Subnets, select subnets in different Availability Zones.
- Choose Create endpoint.
- Select your endpoint, choose subnets, and then note the IP addresses.
For more information, see Private REST APIs in API Gateway.
Create a private REST API and grant the VPC endpoint permission to invoke your private API
Complete the following steps:
- Open the API Gateway console.
- Choose Create API.
- For REST API, choose Build.
- In Settings, for API name, enter a name for the API.
- For Endpoint Type, choose Private.
- (Optional) For Endpoint IDs, enter your endpoint ID.
- Choose Create API.
- In the navigation pane, choose Resource Policy.
- Enter the following policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:your-region:ACCOUNT_ID:API_ID/*/*/*",
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpce": "vpce-081234d1ad408e"
          }
        }
      },
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:your-region:ACCOUNT_ID:API_ID/*/*/*"
      }
    ]
  }
  Note: Replace vpce-081234d1ad408e with your VPC endpoint ID. Replace arn:aws:execute-api:your-region:ACCOUNT_ID:API_ID with your API method's Amazon Resource Name (ARN).
- Choose Save.
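The policy above relies on an explicit Deny that fires whenever aws:SourceVpce is anything other than your endpoint ID, including when the key is absent because the request did not arrive through a VPC endpoint at all. The following Python is an added example, not code from the AWS page: it builds that policy from your IDs and runs a small model of IAM's deny-overrides evaluation over it so you can see which requests get through. The region, account, API and endpoint IDs are constructed values, and the evaluator only models the two string operators the policy uses.

```python
"""Build the resource policy from the steps above and check what it decides for
a request (added example, not from the AWS page). The evaluator is a small model
of IAM's deny-overrides rule and of how StringNotEquals treats a missing key;
the region, account, API and endpoint ids used below are constructed."""
import json
from typing import Dict, Optional


def build_resource_policy(region: str, account_id: str, api_id: str, vpce_id: str) -> Dict:
    """Return the Deny-unless-from-this-VPCE plus Allow policy as a dict."""
    resource = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*/*/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource,
            },
        ],
    }


def _condition_matches(condition: Dict, context: Dict[str, Optional[str]]) -> bool:
    """Evaluate the two string operators this policy can use."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # A negated operator is satisfied when the key is absent, so a
                # request that did not arrive through any VPC endpoint (no
                # aws:SourceVpce in its context) matches the Deny statement.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_invoke(policy: Dict, source_vpce: Optional[str]) -> str:
    """Decide execute-api:Invoke for a request whose aws:SourceVpce is source_vpce
    (None when the request did not come through a VPC endpoint)."""
    context = {"aws:SourceVpce": source_vpce}
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if statement["Action"] != "execute-api:Invoke":
            continue
        if "Condition" in statement and not _condition_matches(statement["Condition"], context):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed ids; substitute your own region, account, API id and endpoint id.
    policy = build_resource_policy("us-east-1", "123456789012", "a1b2c3d4e5", "vpce-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    for vpce in ("vpce-0123456789abcdef0", "vpce-0fedcba9876543210", None):
        print(vpce, "->", evaluate_invoke(policy, vpce))
```

Running it shows the intended split: the request through your endpoint is allowed, while a request through a different endpoint or one with no endpoint context is explicitly denied. Paste the printed JSON into the Resource Policy editor, or pass it to the API Gateway API when you automate the step.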
Create or import an AWS Certificate Manager public certificate
You can either request a public certificate, or import a certificate.
Create the target group
Complete the following steps:
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- In the navigation pane, under Load Balancing, choose Load Balancers, and then choose Target Groups.
- Choose Create target group.
- For Target type, choose IP addresses.
- For Target group name, enter a name.
- For Protocol, choose HTTPS for an Application Load Balancer or TLS for a Network Load Balancer.
- For Port, choose 443.
- For VPC, select your VPC.
- For Health check protocol, choose HTTPS.
- For Health check path, enter "/" and for Success codes, enter 200,403 so that the VPC endpoint shows as Healthy.
- Choose Next.
- For Specify IPs, enter the IP addresses that you noted.
- Choose Add IPv4 address.
- Add all the IP addresses, and then choose Include as pending below.
- Choose Create target group.
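The target group steps above depend on the IP addresses you noted from the VPC endpoint's network interfaces. The following Python is an added example, not code from the AWS page: it collects those addresses from a describe_network_interfaces response and builds the create_target_group and register_targets arguments that match the console choices (IP targets on 443, HTTPS for an Application Load Balancer or TLS for a Network Load Balancer, an HTTPS health check on "/" that accepts 200 and 403). The sample response, endpoint ID, VPC ID and target group ARN are constructed; only fetch_endpoint_ips() talks to AWS, and it assumes boto3 and credentials are available.

```python
"""Gather the execute-api endpoint's IP addresses and build the target group and
target registration that the console steps describe (added example, not from the
AWS page). The sample describe_network_interfaces response, endpoint id, VPC id
and target group ARN are constructed; fetch_endpoint_ips() assumes boto3 and
AWS credentials are available and is the only part that talks to AWS."""
from typing import Dict, List

# Constructed sample of the ENIs an endpoint gets when placed in two subnets.
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {
            "NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa",
            "AvailabilityZone": "us-east-1a",
            "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25", "Primary": True}],
        },
        {
            "NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbbb",
            "AvailabilityZone": "us-east-1b",
            "PrivateIpAddresses": [
                {"PrivateIpAddress": "10.0.2.40", "Primary": True},
                {"PrivateIpAddress": "10.0.2.41", "Primary": False},
            ],
        },
    ]
}


def extract_primary_ips(describe_response: Dict) -> List[str]:
    """Primary private IPv4 address of every ENI, deduplicated and sorted."""
    ips = set()
    for eni in describe_response.get("NetworkInterfaces", []):
        for addr in eni.get("PrivateIpAddresses", []):
            if addr.get("Primary"):
                ips.add(addr["PrivateIpAddress"])
    return sorted(ips)


def fetch_endpoint_ips(vpce_id: str, region: str) -> List[str]:
    """Look up the endpoint's ENIs with boto3 (assumed installed) and return their IPs."""
    import boto3  # imported here so the pure helpers work without it

    ec2 = boto3.client("ec2", region_name=region)
    endpoints = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpce_id])["VpcEndpoints"]
    eni_ids = endpoints[0]["NetworkInterfaceIds"]
    return extract_primary_ips(ec2.describe_network_interfaces(NetworkInterfaceIds=eni_ids))


def target_group_params(name: str, vpc_id: str, load_balancer_kind: str) -> Dict:
    """elbv2.create_target_group arguments matching the console choices: IP targets
    on 443, HTTPS (alb) or TLS (nlb), HTTPS health check on "/" accepting 200 and 403
    so that the endpoint is reported Healthy."""
    protocol = {"alb": "HTTPS", "nlb": "TLS"}[load_balancer_kind]
    return {
        "Name": name,
        "TargetType": "ip",
        "Protocol": protocol,
        "Port": 443,
        "VpcId": vpc_id,
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPath": "/",
        "Matcher": {"HttpCode": "200,403"},
    }


def register_targets_params(target_group_arn: str, ips: List[str]) -> Dict:
    """elbv2.register_targets arguments: one IP target per endpoint address on 443."""
    return {
        "TargetGroupArn": target_group_arn,
        "Targets": [{"Id": ip, "Port": 443} for ip in ips],
    }


if __name__ == "__main__":
    ips = extract_primary_ips(SAMPLE_ENIS)  # offline: use the constructed sample
    print("endpoint IPs:", ips)
    print(target_group_params("private-api-tg", "vpc-0123456789abcdef0", "alb"))
    tg_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/private-api-tg/EXAMPLE"
    print(register_targets_params(tg_arn, ips))
```

When you run this against a real account, call fetch_endpoint_ips() in place of the sample and pass the two dicts to boto3's elbv2 client. Re-run it whenever the endpoint is moved to other subnets, because the ENI addresses change and stale targets fail the health check.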
Create an Application Load Balancer or a Network Load Balancer
For instructions, see create an Application Load Balancer, or create a Network Load Balancer.
Configure the load balancer
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Load Balancers, and then choose Create Load Balancer.
- For Scheme, choose either Internet-facing or Internal.
- For Protocol, choose HTTPS for an Application Load Balancer or TLS for a Network Load Balancer.
- For Default actions, choose your target group to forward traffic to.
- For VPC and subnets, select your VPC and subnets.
- For Security policy, use the latest predefined security policy for an Application Load Balancer. For a Network Load Balancer, keep the default security policy.
- For Default SSL/TLS certificate, choose From ACM.
- Choose Select a certificate, and then select your certificate.
- Choose Create load balancer.
Create a custom domain name
Create a custom domain name on the API Gateway console. Then, map the private REST API under the custom domain name.
Create a record in a Route 53 public or private hosted zone
Create a public hosted zone or a private hosted zone. Then, create a CNAME or an alias record to point your custom domain name to your Application Load Balancer or Network Load Balancer.
Test your public or private load balancer
For public load balancers, run a curl command from your local machine.
For private load balancers, launch a new EC2 instance in the VPC where your load balancer resides. Then, run the following curl command:
curl -v https://{custom-domain-name}/<resource-path>
A successful request returns a "200 OK" response code. An unsuccessful request returns a "403 Forbidden" response code or a DNS resolution error.
For more troubleshooting, see How do I troubleshoot HTTP 403 errors from API Gateway?, Troubleshoot your Application Load Balancers, and Troubleshoot your Network Load Balancer.
Related information
How do I connect to a private API Gateway over a Direct Connect connection?
How do I troubleshoot issues when I connect to an API Gateway private API endpoint?
Monitor REST API execution with Amazon CloudWatch metrics
Set up CloudWatch logging for REST APIs in API Gateway