How can I invoke an API Gateway private API using an Application or Network Load balancer?


I want to set up my Amazon API Gateway private API as a target behind a load balancer. Then, I want to use an AWS account to access my private API from an Application or Network Load Balancer.

Short description

To access your private API using AWS Direct Connect or Amazon Route 53, see How to invoke a private API. You can also access an API Gateway private REST API in another AWS account using an interface VPC endpoint.

The following resolution uses an Amazon Virtual Private Cloud (Amazon VPC) endpoint elastic network interface IP address. With this IP address, you can add your private API as a target to the load balancer.

Important: API Gateway doesn't support custom domain names for private APIs. As a workaround, attach the custom domain to a load balancer, and then use the following setup to invoke the private API through that load balancer.

Resolution

Create an Amazon VPC endpoint

1.    Open the Amazon VPC console.

2.    Choose Endpoints, and then choose Create endpoint.
Note: If your VPC already has an interface endpoint for the execute-api service, then turn off private DNS.

3.    For Services, choose com.amazonaws.your-region.execute-api.

4.    For VPC, select your Amazon VPC.

5.    For Subnets, select two subnets in different Availability Zones (AZ IDs), and then choose Create endpoint.

6.    Select your endpoint, choose the Subnets tab, and then copy the IP addresses.

For more information, see Create an interface VPC endpoint for API Gateway execute-api.

Create a private REST API and grant the Amazon VPC endpoint permission

1.    Open the API Gateway console, and then choose Create API.

2.    For REST API, choose Build.

3.    In Settings, enter the following information: 
For API name, enter a name for the API.
For Endpoint Type, choose Private.
For Endpoint IDs, enter the endpoint ID that you created.

4.    Choose Create API.

5.    In the navigation pane, choose Resource Policy.

6.    In the resource policy editor, paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/*/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-081234d1ad408e"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/*/*"
    }
  ]
}

Note: Replace vpce-081234d1ad408e with your VPC endpoint ID. Replace arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID with the ARN of your API.

7.    Choose Save.

For more information, see Create a private API using the API Gateway console.
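As an added example that is not part of the AWS article, the following Python renders that resource policy from your own IDs and walks through how IAM evaluates it: the explicit Deny keyed on aws:SourceVpce overrides the blanket Allow for any request that did not arrive through your endpoint, which is what keeps the Allow safe. The region, account, API and endpoint IDs are constructed placeholders.

```python
import json

# Constructed example IDs (not from the article); substitute your own values.
REGION, ACCOUNT_ID, API_ID = "us-east-1", "123456789012", "a1b2c3d4e5"
VPCE_ID = "vpce-0123456789abcdef0"

def build_resource_policy(region, account_id, api_id, vpce_id):
    """Render the article's Deny/Allow resource policy with real IDs filled in."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*/*/*"
    return {"Version": "2012-10-17", "Statement": [
        {   # Explicit Deny for any Invoke that did not arrive through our VPC endpoint
            "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
            "Resource": api_arn,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        {   # Allow everything else, i.e. requests that did come through the endpoint
            "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
            "Resource": api_arn}]}

def _condition_matches(condition, context):
    # Only the operators this policy shape can use. For StringNotEquals a missing
    # aws:SourceVpce still matches, so a request that traversed no endpoint is denied.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator: {operator}")
    return True

def invoke_allowed(policy, context):
    """Is execute-api:Invoke permitted for this context? Explicit Deny beats any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    policy = build_resource_policy(REGION, ACCOUNT_ID, API_ID, VPCE_ID)
    print(json.dumps(policy, indent=2))  # paste into the resource policy editor
    print(invoke_allowed(policy, {"aws:SourceVpce": VPCE_ID}))  # True
    print(invoke_allowed(policy, {"aws:SourceVpce": "vpce-0fedcba9876543210"}))  # False
```

The third case worth checking is an empty request context: because StringNotEquals matches when the key is absent, the Deny also applies to requests that came through no VPC endpoint at all.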

Create or import an AWS Certificate Manager public certificate

Either request a public certificate, or import a certificate.

Create an Application Load Balancer or a Network Load Balancer

Either create an Application Load Balancer, or create a Network Load Balancer.

Create the target group

1.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

2.    In the navigation pane, in Load Balancing, choose Load Balancers, and then choose Target Groups.

3.    Choose Create target group.

4.    For target type, choose IP addresses.

5.    For Target group name, enter a name.

Application Load Balancer

For Protocol, choose HTTPS.
For Port, choose 443.
For VPC, select your VPC.
For Health check path, enter 200,403 so that the VPC endpoint shows as Healthy in the target group.

Network Load Balancer

For Protocol, choose TLS.
For Port, choose 443.
For VPC, select your VPC.

6.    Choose Next.

7.    In Specify IPs, enter the IP address that you copied in the Create an Amazon VPC endpoint section, and then choose Add IPv4 address.

8.    Choose Create target group.

Configure the load balancer

1.    Open the EC2 console.

2.    In the navigation pane, choose Load Balancers, and then choose Create Load Balancer.

Application Load Balancer

For Scheme, choose either Internet-facing or Internal depending on your configuration.
For Protocol, choose HTTPS.
For VPC and subnets, select your VPC and subnets.

Network Load Balancer

For Scheme, choose either Internet-facing or Internal depending on your configuration.
For Protocol, choose TLS.
For VPC and subnets, select your VPC and subnets.
For Security policy, select the default policy ELBSecurityPolicy-TLS (recommended).
For Default SSL/TLS certificate, choose From ACM.
Choose the Select a certificate dropdown menu, and then select your certificate.

3.    Choose Create load balancer.

Note: The load balancer targets are the IP addresses of the elastic network interfaces that the VPC endpoint created. To find those elastic network interfaces, select your VPC endpoint, and then open the Subnets tab.

Create a record in an Amazon Route 53 public or private hosted zone

Either create a public hosted zone, or create a private hosted zone.

Then, create a CNAME record and associate it with your Application or Network Load Balancer.

Testing

For public load balancers, you can make a curl request from your local machine.

For private load balancers, launch a new EC2 instance in one of the subnets for your load balancer. Then, make a curl request similar to the following request:

curl -v https://<custom-domain-name>/<stage-name>/<resource-path> -H 'Host: <api-id>.execute-api.<region>.amazonaws.com'

-or-

curl -v https://<custom-domain-name>/<stage-name>/<resource-path> -H 'x-apigw-api-id: <api-id>'

A successful request returns a 200 OK response code. An unsuccessful request returns a 403 Forbidden response code or a DNS resolution error. If you encounter any issues, then see Troubleshoot your load balancers.

Related information

How do I connect to a private API Gateway over a Direct Connect connection?

How do I troubleshoot issues when connecting to an API Gateway private API endpoint?

Monitoring REST APIs with Amazon CloudWatch metrics

Setting up CloudWatch logging for a REST API in API Gateway

AWS OFFICIAL, updated a year ago