
Using AWS Direct Connect, we've built a network between our on-premises network and our AWS VPC. We've developed a web application that users will access from within the on-prem network. We're using the HTTP API Gateway, which uses a VPC Link to connect to the private ALB. We've used a Custom Domain Name with the HTTP API Gateway and disabled the default endpoint. The domain name is registered in a private hosted zone on Route 53.

We want to keep all the traffic between the clients and the API Gateway within our private network. However, we can see that the requests going to the HTTP API Gateway leave our network because the custom domain name for the API Gateway resolves to a public IP address.

Is there a way to assign a private IP address to the HTTP API Gateway? Or any other way to keep the traffic within our network?

One option is to switch to the REST API Gateway and make its endpoint type Private. However, the HTTP API Gateway suits our needs much better with its simplicity. It also has the option for connectivity to an ALB using VPC Link, which the REST Gateway lacks.

Aditya Kar
  • How did it go? Is it still unclear what you can do? – Marcin Mar 19 '22 at 11:00
  • Thanks, @Marcin! I'm doing a POC for migrating to a Private REST API Gateway from our existing HTTP API Gateway. Everything is more cumbersome with the REST API Gateway, be it the lack of auto-deployment, the complex resource and method definitions, the lack of support for simple response format from Lambda authorizer, and the lack of support for VPC link to ALB. To connect to our private ALB, I've put an NLB in front of it. NLBs don't support security groups, so I'm trying to find another way to ensure that the NLB only accepts traffic from the API Gateway. – Aditya Kar Mar 21 '22 at 08:33
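As an added example (not part of the original question), the check behind the symptom described above: resolve the custom domain the way an on-prem client would and flag any public address in the answer. The hostname and the sample answer set are assumed placeholders, not values from the thread.

```python
"""Added example (not from the original question): resolve the API Gateway custom
domain the way an on-prem client would and flag any public address in the answer,
which is the symptom described above (requests leaving the private network).
The hostname and the sample answer set are assumed placeholders."""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Assumed placeholder for the custom domain configured on the HTTP API.
API_HOSTNAME = "api.internal.example.com"

# Constructed sample of what a lookup returned in the scenario above (two public
# addresses from an AWS range); used only when real resolution is unavailable.
SAMPLE_ANSWERS = ["3.5.140.2", "3.5.140.77"]


def classify_addresses(addrs: Iterable[str]) -> Dict[str, List[str]]:
    """Sort IP address strings into 'private' (RFC 1918, fc00::/7, loopback,
    link-local, ...) and 'public' using the stdlib is_private test."""
    result: Dict[str, List[str]] = {"private": [], "public": []}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        result["private" if ip.is_private else "public"].append(str(ip))
    return result


def stays_private(addrs: Iterable[str]) -> bool:
    """True only if there is at least one answer and every answer is private.
    One public record is enough for some client requests to leave the network,
    since resolvers hand back records in varying order."""
    buckets = classify_addresses(addrs)
    return bool(buckets["private"]) and not buckets["public"]


def resolve(hostname: str, port: int = 443) -> List[str]:
    """Ask the OS resolver (the same path the clients use) for every A/AAAA
    record, deduplicated and in the order returned."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    seen: List[str] = []
    for _family, _socktype, _proto, _canonname, sockaddr in infos:
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def report(hostname: str) -> Dict[str, object]:
    """Resolve the hostname (falling back to the constructed sample when the
    name cannot be resolved from this machine) and summarise the outcome."""
    try:
        addrs = resolve(hostname)
        source = "dns"
    except socket.gaierror:
        addrs = list(SAMPLE_ANSWERS)
        source = "sample"
    return {
        "hostname": hostname,
        "source": source,
        "addresses": classify_addresses(addrs),
        "stays_private": stays_private(addrs),
    }


if __name__ == "__main__":
    r = report(API_HOSTNAME)
    print(f"{r['hostname']} ({r['source']}): {r['addresses']}")
    print("traffic stays private" if r["stays_private"]
          else "at least one public address: requests will leave the network")
```

Run it from a host inside the on-prem network so that it goes through the same resolver (and the Route 53 private hosted zone) the clients use; a single public record in the answer is enough to confirm the problem.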

2 Answers


Sadly no, HTTP APIs do not support Private APIs. Whatever solution you use, the HTTP API endpoint must be public.

You have to use REST API, or create your own fully custom solution if REST API is out of question.

Marcin
  • I'm surprised why AWS didn't add support for private endpoints for HTTP API Gateway even though the HTTP API Gateway has been around for over three years now. – Aditya Kar Mar 21 '22 at 08:35
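As an added example (not from the answer above and not AWS's own code), the piece of the REST API route that the answer points to: a private REST API is only reachable through an execute-api interface VPC endpoint, and it needs a resource policy that admits calls from that endpoint. The block builds the policy in the Deny-unless-SourceVpce shape and includes a deliberately simplified evaluator to confirm that a call from another endpoint, or with no endpoint at all, is refused. The VPC endpoint ID and API ARN are assumed placeholders.

```python
"""Added example (not from the answer above, nor AWS's own code): the resource
policy a private REST API needs so that only calls arriving through one interface
VPC endpoint are accepted, plus a deliberately simplified evaluator that checks
the policy behaves as intended.  The endpoint ID and API ARN are assumed
placeholders."""
import json
from typing import Any, Dict

# Assumed placeholders: the execute-api interface endpoint in the VPC reached over
# Direct Connect, and the private REST API's invoke ARN (all stages/methods).
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"
API_ARN = "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3d4e5/*"


def private_api_resource_policy(api_arn: str, vpce_id: str) -> Dict[str, Any]:
    """Deny every invoke whose aws:SourceVpce is not our endpoint, then allow the
    rest.  The explicit Deny means a request that reaches the API by any other
    path (no SourceVpce at all, or another endpoint) is refused."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
            },
        ],
    }


def to_json(policy: Dict[str, Any]) -> str:
    """Serialise for the CLI or for the Policy property of a CloudFormation
    AWS::ApiGateway::RestApi resource."""
    return json.dumps(policy, indent=2)


def _conditions_hold(conditions: Dict[str, Dict[str, str]],
                     context: Dict[str, str]) -> bool:
    """Apply a condition block to the request context.  Mirrors IAM for the two
    operators used here: a missing key fails StringEquals and passes
    StringNotEquals."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate_invoke(policy: Dict[str, Any], context: Dict[str, str]) -> str:
    """Simplified IAM decision for execute-api:Invoke: an explicit Deny whose
    conditions hold wins; otherwise a matching Allow allows; otherwise the call
    is implicitly denied, which is also what a private REST API does when no
    resource policy is attached at all."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = private_api_resource_policy(API_ARN, VPC_ENDPOINT_ID)
    print(to_json(policy))
    for ctx in ({"aws:SourceVpce": VPC_ENDPOINT_ID},
                {"aws:SourceVpce": "vpce-0fedcba9876543210"},
                {}):
        print(ctx, "->", evaluate_invoke(policy, ctx))
```

The evaluator only models the two string operators the policy uses and is there to make the deny-first shape visible; the real check is still API Gateway's. Pair the policy with the endpoint's own security group so that only the on-prem ranges arriving over Direct Connect can reach the endpoint's ENIs.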

I want to provide an update to this topic.

AWS updated its product and private endpoints are available right now: AWS - Private API endpoint. There are also a couple of examples out there for CDK, CloudFormation or the management console.

I hope this helps.

user3347451
  • I'm looking at the latest AWS docs, and I don't see HTTP API Gateway supporting Private API endpoints. See the comparison between REST API Gateway and HTTP API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html – Aditya Kar Oct 31 '22 at 14:14