Can we associate Centralize VPC endpoint (execute API) with Private Rest API gateway

0

Hello. Account A - shared services VPC where the VPC endpoint is deployed. Account B - private REST API Gateway deployed. I have a VPC endpoint (execute-api) deployed in a shared services VPC, and it is associated with other VPCs using a Route 53 private hosted zone. Can we associate the centralized VPC endpoint with a private REST API Gateway in another account and access the URL from Account B?

1 Answer
3
Accepted Answer

Hello.

Yes, you can access a Private REST API Gateway in Account B via a centralized VPC endpoint (interface VPC endpoint) deployed in Account A.

Steps to Set Up Cross-Account Access to a Private API Gateway:

1. Create a Private API Gateway in Account B:

  • Go to API Gateway in the AWS Management Console of Account B.
  • Create a new Private API and deploy it.

2. Set Up VPC Endpoint in Account A:

  • In Account A, ensure you have a VPC Endpoint (with the type set to Interface) created for the API Gateway service (com.amazonaws.region.execute-api).
  • Configure the VPC Endpoint to allow traffic from the security group or VPC in Account B that will be accessing it.

3. Add Resource Policy to Private API Gateway:

  • Go to your Private API in Account B and add a Resource Policy to allow access from the centralized VPC endpoint in Account A.
  • The policy should look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:<region>:<account-id>:<api-id>/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "<vpc-endpoint-id>"
        }
      }
    }
  ]
}

4. Set Up Route 53 Private Hosted Zone:

  • In Account A, ensure your Route 53 private hosted zone has a record that points to your Private API Gateway's URL.
  • This allows services within the centralized VPC to resolve the Private API Gateway endpoint correctly.

5. Access the API from Account A:

  • From resources in Account A (like EC2 instances), you can access the Private API Gateway using the URL provided by the API Gateway.
  • Ensure the security group attached to the VPC endpoint allows inbound traffic from the EC2 instances or resources trying to access the API.
answered 4 months ago
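A worked example of the resource-policy step above, added here and not part of the original answer: it builds the policy for a given API ARN and set of VPC endpoint IDs (also adding an explicit Deny for invocations that do not arrive through those endpoints, which the answer's policy omits), and it checks an existing policy for Allow statements that grant execute-api:Invoke to a wildcard principal without an aws:SourceVpce condition. The API ARN, account ID and endpoint IDs are constructed placeholders.

```python
import json


def build_private_api_policy(api_arn, allowed_vpce_ids):
    """Resource policy for a private REST API: Invoke is allowed only when the
    request arrives through one of the listed interface VPC endpoints, and
    explicitly denied otherwise (the Deny is belt-and-braces on top of the Allow)."""
    vpce_ids = sorted(allowed_vpce_ids)
    base = {"Principal": "*", "Action": "execute-api:Invoke", "Resource": f"{api_arn}/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", **base,
             "Condition": {"StringEquals": {"aws:SourceVpce": vpce_ids}}},
            {"Effect": "Deny", **base,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}}},
        ],
    }


def _is_wildcard_principal(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean "anyone".
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _has_source_vpce_condition(statement):
    # IAM condition keys are case-insensitive, so compare lower-cased.
    for values in statement.get("Condition", {}).values():
        if isinstance(values, dict) and any(k.lower() == "aws:sourcevpce" for k in values):
            return True
    return False


def unscoped_wildcard_statements(policy):
    """Return the indexes of Allow statements that grant execute-api:Invoke to a
    wildcard principal with no aws:SourceVpce condition. For a private API such a
    statement is reachable from any VPC endpoint, not just the centralized one."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        invoke = any(a in ("execute-api:Invoke", "execute-api:*", "*") for a in actions)
        if (stmt.get("Effect") == "Allow" and invoke
                and _is_wildcard_principal(stmt.get("Principal"))
                and not _has_source_vpce_condition(stmt)):
            findings.append(i)
    return findings
```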
