API Gateway

Jeeva

Documentation on the basics of how to set up and access a Private API is here.

I would follow these first to get it set up and to test accessibility with one of the auto-generated private API endpoints. Documentation on creating Usage Plans with API Keys is here.

Custom domain name for private APIs with NLB

It is possible to use an ALB or NLB to proxy requests to your private API Gateway endpoint, which lets you use a custom domain name with a private API:

    client -> ALB or NLB -> interface VPC endpoint -> API Gateway

You will need to perform the following in addition to the normal private API configuration:

  1. Choose a domain name for the API that you control. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
  2. Request or import a certificate for the chosen domain name into ACM. https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
  3. Create a target group containing the IP addresses of the VPC interface endpoint's ENIs, with the protocol set to HTTPS and the port set to 443 (there is one ENI per subnet/AZ that you specified when you created the VPC endpoint for API Gateway).
  4. Create an internal ALB with an HTTPS listener pointing to the target group, specifying the ACM certificate you requested or imported above. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-application-load-balancer.html
  5. Create an API Gateway custom domain name for the name you chose, using the same ACM certificate.
  6. Create a base path mapping for the custom domain pointing to the API and stage you require.
  7. The custom domain name and mapping do not route requests (private APIs are not public); they exist so that API Gateway can internally route the request to the right API based on the Host header sent by the requester. Without them, the Host header could not be mapped internally to the appropriate API. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
  8. Create a Route53 private hosted zone for the parent domain of the custom domain name, associated with your VPC.
  9. Create a DNS CNAME record in the private hosted zone for the chosen name, pointing to the DNS name of the ALB.
  10. Allow time for DNS propagation.
  11. Call the API using the chosen DNS name and the path you defined in the base path mapping.
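Steps 3 to 9 above expressed as Terraform, added here as an example that is not part of these notes. It assumes the private REST API (aws_api_gateway_rest_api.private with a deployed stage "prod"), its execute-api interface endpoint (aws_vpc_endpoint.apigw), the ACM certificate (aws_acm_certificate.api) and the private hosted zone (var.private_zone_id) already exist; api.example.internal and the variable names are illustrative.

```hcl
# Assumed existing: aws_vpc_endpoint.apigw, aws_acm_certificate.api, aws_api_gateway_rest_api.private (stage "prod"),
# variables vpc_id, subnet_ids, alb_sg_id, private_zone_id. The domain name is illustrative.
data "aws_network_interface" "ep" {            # one ENI per subnet/AZ of the interface endpoint
  for_each = toset(aws_vpc_endpoint.apigw.network_interface_ids)
  id       = each.value
}
resource "aws_lb_target_group" "ep" {          # step 3: IP targets, HTTPS on 443
  target_type = "ip"
  protocol    = "HTTPS"
  port        = 443                            # default health check expects 200 on GET /; adjust the matcher if the endpoint answers 403
  vpc_id      = var.vpc_id
}
resource "aws_lb_target_group_attachment" "ep" {
  for_each         = data.aws_network_interface.ep
  target_group_arn = aws_lb_target_group.ep.arn
  target_id        = each.value.private_ip
}
resource "aws_lb" "api" {                      # step 4: internal ALB ...
  internal        = true
  subnets         = var.subnet_ids
  security_groups = [var.alb_sg_id]
}
resource "aws_lb_listener" "https" {           # ... with an HTTPS listener using the ACM cert
  load_balancer_arn = aws_lb.api.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.api.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ep.arn
  }
}
resource "aws_api_gateway_domain_name" "api" { # step 5: regional custom domain with the same cert
  domain_name              = "api.example.internal"
  regional_certificate_arn = aws_acm_certificate.api.arn
  endpoint_configuration { types = ["REGIONAL"] }
}
resource "aws_api_gateway_base_path_mapping" "api" { # step 6: Host header -> API + stage
  domain_name = aws_api_gateway_domain_name.api.domain_name
  api_id      = aws_api_gateway_rest_api.private.id
  stage_name  = "prod"
}
resource "aws_route53_record" "api" {          # step 9: CNAME in the private zone -> ALB DNS name
  zone_id = var.private_zone_id
  name    = "api.example.internal"
  type    = "CNAME"
  ttl     = 300
  records = [aws_lb.api.dns_name]
}
```

The custom domain is only a Host-header mapping for API Gateway; the resource policy and VPC endpoint policy of the private API still decide who may call it.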