How can I connect to API Gateway from my on-premises network?
Last updated: 2022-08-31
I want to connect to Amazon API Gateway from my on-premises network. How can I do this?
API Gateway API types include REST APIs (edge-optimized and Regional API endpoints), HTTP APIs, WebSocket APIs, and private REST APIs. REST APIs, HTTP APIs, and WebSocket APIs can be reached directly from on-premises networks. Private REST APIs can only be accessed from within an Amazon Virtual Private Cloud (Amazon VPC) using an interface VPC endpoint.
Before you begin, verify the following:
- Your on-premises network has connectivity to the internet.
- Your firewall allows bidirectional traffic to and from the API Gateway endpoint.
Connect an on-premises network to a REST API, HTTP API, or WebSocket API
Invoke the API from your on-premises network using the method for its API type.
For REST APIs, see Invoking a REST API in Amazon API Gateway.
For HTTP APIs, see Publishing HTTP APIs for customers to invoke.
For WebSocket APIs, see Use wscat to connect to a WebSocket API and send messages to it.
Connect an on-premises network to a private REST API
Private REST APIs can be accessed from within an Amazon VPC using an interface VPC endpoint. Use one of the access methods below, depending on your configuration. The following requirements apply:
- The security group for the interface endpoint must allow inbound traffic from your on-premises source CIDR range on TCP port 443.
- The private API resource policy must be updated to allow private API traffic from the source VPC or VPC endpoint.
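The two requirements above can be checked offline before testing connectivity. The following is an added example, not part of the original article or AWS code: it assumes the security group rules are in the `IpPermissions` shape returned by EC2 DescribeSecurityGroups and that the resource policy scopes access with `StringEquals` or `StringNotEquals` on `aws:SourceVpce` or `aws:SourceVpc`. The function names, IDs, and CIDR ranges are constructed placeholders, and `Principal` and `Resource` are not evaluated.

```python
import ipaddress

SCOPE_KEYS = ("aws:sourcevpce", "aws:sourcevpc")  # compared case-insensitively

def _as_list(v):
    return v if isinstance(v, list) else [v]

def sg_allows_https_from(ip_permissions, onprem_cidr):
    """True if an inbound rule admits TCP 443 from a range covering onprem_cidr."""
    src = ipaddress.ip_network(onprem_cidr)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        covers_443 = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))
        ranges = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        if covers_443 and any(src.subnet_of(net) for net in ranges):
            return True
    return False

def _scope_ids(stmt, operator):
    """VPC / VPC endpoint IDs a statement names under one condition operator."""
    return {i for k, v in stmt.get("Condition", {}).get(operator, {}).items()
            if k.lower() in SCOPE_KEYS for i in _as_list(v)}

def policy_findings(policy, expected_id):
    """Problems with how a resource policy scopes execute-api:Invoke."""
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if {"execute-api:Invoke", "execute-api:*", "*"} & set(_as_list(s.get("Action", [])))]
    guard = None  # IDs that survive every Deny ... StringNotEquals statement
    for s in stmts:
        ids = _scope_ids(s, "StringNotEquals")
        if s.get("Effect") == "Deny" and ids:
            guard = ids if guard is None else guard & ids
    findings, reachable = [], False
    for s in (s for s in stmts if s.get("Effect") == "Allow"):
        ids = _scope_ids(s, "StringEquals")
        if not ids and guard is None:
            findings.append("Allow is not limited to a VPC or VPC endpoint")
        reachable |= (not ids or expected_id in ids) and (guard is None or expected_id in guard)
    if not reachable:
        findings.append(f"{expected_id} is not allowed to invoke the API")
    return findings

# Constructed sample inputs: the CIDR and endpoint ID are placeholders.
SG_RULES = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]
GUARDED = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": "execute-api:/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": "execute-api:/*"}]}
```

An empty list from `policy_findings` means the expected endpoint can invoke the API and no Allow statement is left open to other sources.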
AWS Direct Connect
You can use Direct Connect to connect your on-premises network to Amazon VPC and access your private API using public DNS names. For more information, see Accessing your private API using Direct Connect.
Amazon Route 53 alias
Follow the steps to associate an Amazon VPC endpoint with a private REST API.
API Gateway then generates a new Route 53 ALIAS DNS record. You can use this record to invoke your private API in the following URL format:
For more information, see Accessing your private API using a Route 53 alias.
Private DNS names
If you are using private DNS, you can access your private API from your on-premises network using the private DNS names. You must set up a Route 53 Resolver inbound endpoint, and then forward all DNS queries for the private DNS names from your on-premises network to it. For more information, see Invoking your private API using private DNS names.
Public DNS names
You can access your private API from your on-premises network using endpoint-specific DNS hostnames. The public DNS hostnames contain the VPC endpoint ID or API ID for your private API in the following URL format:
For more information, see Invoking your private API using endpoint-specific public DNS hostnames.