API Gateway (control plane) VPC endpoint services are documented but do not appear to exist. What am I missing? Are these services not yet available, or are they no longer available?

0

As per the documentation at https://docs.aws.amazon.com/general/latest/gr/apigateway.html (accessed 18th Oct 2024), each region should have an API Gateway control plane VPC endpoint service. For example, apigateway.eu-west-2.amazonaws.com. However, I'm unable to locate these services:

$ aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.eu-west-2.apigateway --region eu-west-2

An error occurred (InvalidServiceName) when calling the DescribeVpcEndpointServices operation: The Vpc Endpoint Service 'com.amazonaws.eu-west-2.apigateway' does not exist

I've checked several regions [us-east-1, ca-central-1, eu-central-1, eu-west-1, and more] but need help locating these VPC endpoint apigateway services.

By contrast, the API gateway data plane VPC endpoint services, which are also referenced in the documentation mentioned above, do exist:

$ aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.eu-west-2.execute-api --region eu-west-2

{
    "ServiceDetails": [
        {
            "ServiceName": "com.amazonaws.eu-west-2.execute-api",
.
.

What am I missing? Are these apigateway services not yet available? Have they been decommissioned? Do the services go by another name? I've searched the internet but cannot ascertain their existence.

3 Answers
0

The endpoint you are looking for is the execute-api.<region>

These are available to create in your VPC under vpc endpoints.

I don't believe you can create an API Gateway control plane VPC endpoint in a VPC. You have to use the public API.

EXPERT
answered 3 months ago
0

The Endpoint (apigateway.eu-west-2.amazonaws.com) does exist. It is the Amazon API Gateway control plane public endpoint for the eu-west-2 region [1]. You can see a list of API Service Endpoints here [1].

However, these are public endpoints, unless you have created an interface endpoint for the service, which allows for private connectivity from within the VPC. For example, Lambda interface endpoints allow you to call Lambda APIs privately from within the VPC without requiring internet access [2].

However, not all AWS services support VPC Endpoints. For those services, internet access is still required as the API calls will use the public endpoint. Please see list of AWS services that integrate with AWS PrivateLink [3].

Currently, the Amazon API Gateway control plane for calling APIs for these services respectively does not support VPC Interface Endpoints. Thus, you cannot connect to them privately via an interface endpoint and must use the public endpoint.

In general, you won't be able to reach AWS APIs without internet access, unless they support interface endpoints.

Additionally, most AWS services have a control plane (configures the service, i.e. API calls) and a data plane (use of the actual service). For example, execute-api (data plane) and apigateway (control plane) are separate concepts. Only the data plane is supported for PrivateLink/interface endpoints at this time.

[1] Amazon API Gateway endpoints and quotas - Amazon API Gateway control plane - https://docs.aws.amazon.com/general/latest/gr/apigateway.html#apigateway_region_control_plane

[2] Configuring interface VPC endpoints for Lambda - https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html

[3] AWS services that integrate with AWS PrivateLink - https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

AWS
EXPERT
answered 3 months ago
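The answer above draws the control plane (apigateway) versus data plane (execute-api) distinction, and the question shows one region checked by hand. The script below is an added example, not part of the original post or of any AWS documentation: it probes both service names in each region you pass, and, unlike a loop that simply counts failures as "missing", it separates the InvalidServiceName response (the service really is not offered as a VPC endpoint service) from every other failure (expired credentials, no network path, throttling), which says nothing about the service and would otherwise corrupt the survey. It assumes the aws CLI is installed and configured, and that the CLI reports the error code text on stderr as the question's output shows.

```shell
#!/usr/bin/env bash
# Survey which API Gateway VPC endpoint services exist per region.
# Added example; assumes a configured aws CLI with ec2:DescribeVpcEndpointServices.
set -u

# probe_service REGION SUFFIX -> prints "present" or "missing"; returns 1 on
# any error other than InvalidServiceName (which is the only real "missing" signal).
probe_service() {
  local region=$1 suffix=$2 out
  local name="com.amazonaws.${region}.${suffix}"
  # stdout and stderr are merged: on success $out is the service name,
  # on failure $out is the CLI error message.
  if out=$(aws ec2 describe-vpc-endpoint-services --region "$region" \
             --service-names "$name" \
             --query 'ServiceDetails[0].ServiceName' --output text 2>&1); then
    echo "present"
  elif printf '%s' "$out" | grep -q InvalidServiceName; then
    echo "missing"
  else
    # Credentials, network or throttling problems are not evidence about the
    # service; surface them instead of miscounting them as "missing".
    echo "probe error for $name: $out" >&2
    return 1
  fi
}

# probe_regions REGION... -> one line "<region> <suffix> <present|missing>" per
# service; returns 1 if any probe hit an error it could not classify.
probe_regions() {
  local rc=0 region suffix status
  for region in "$@"; do
    for suffix in apigateway execute-api; do
      if status=$(probe_service "$region" "$suffix"); then
        printf '%s %s %s\n' "$region" "$suffix" "$status"
      else
        rc=1
      fi
    done
  done
  return $rc
}

# Usage: ./probe-apigw-endpoints.sh eu-west-2 us-east-1 ca-central-1
if [ $# -gt 0 ]; then
  probe_regions "$@"
fi
```

Run it against the regions you care about; an "apigateway missing / execute-api present" pair in every region is the expected result given the answer above, while any line on stderr means that region's result should be re-checked rather than trusted.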
-1

It appears that there is a discrepancy between the documentation and the actual availability of API Gateway control plane VPC endpoint services. Based on the information provided and the AWS CLI commands you've run, it seems that the API Gateway control plane VPC endpoint services are not currently available as described in the documentation.

The API Gateway consists of two components: the control plane for creating and managing APIs, and the data plane for calling deployed APIs. While the data plane VPC endpoint services (com.amazonaws.[region].execute-api) are available and functioning as expected, the control plane VPC endpoint services (com.amazonaws.[region].apigateway) do not seem to exist.

This situation could be due to one of several reasons:

  1. The feature may not have been implemented yet, despite being documented.
  2. The feature might have been temporarily removed or disabled.
  3. There could be an error in the documentation, and the control plane VPC endpoints might not be intended to be available as interface endpoints.

Given that you've checked multiple regions and encountered the same issue, it's unlikely to be a regional or temporary problem.

For the time being, you can continue to use the public endpoints for the API Gateway control plane operations. If you need to perform these operations from within a VPC without internet access, you might need to use a NAT gateway or other networking solutions to reach the public endpoints.

It would be advisable to contact AWS support for clarification on this discrepancy between the documentation and the actual service availability. They would be able to provide the most up-to-date and accurate information regarding the status of API Gateway control plane VPC endpoint services.
Sources
Amazon API Gateway Supports Endpoint Integrations with Private VPCs
Amazon API Gateway endpoints and quotas - AWS General Reference

answered 3 months ago
