Private REST APIs in API Gateway - Amazon API Gateway

Private REST APIs in API Gateway

A private API is a REST API that is only callable from within an Amazon VPC. You can access your API using an interface VPC endpoint, which is an endpoint network interface that you create in your VPC. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access AWS services by using private IP addresses.

You can also use AWS Direct Connect to establish a connection from an on-premises network to Amazon VPC and then access your private API over that connection. In all cases, traffic to your private API uses secure connections and is isolated from the public internet. Traffic doesn't leave the Amazon network.

Best practices for private APIs

We recommend that you use the following best practices when you create your private API.

  • Use a single VPC endpoint to access multiple private APIs. This reduces the number of VPC endpoints that you might need.

  • Associate your VPC endpoint to your API. This creates a Route 53 alias DNS record and simplifies invoking your private API.

  • Turn on private DNS for your VPC. This way you can invoke your API within a VPC without having to pass the Host or x-apigw-api-id header. If you choose not to enable private DNS, you're only able to access your API via public DNS.

  • Restrict access to your private API to specific VPCs or VPC endpoints. Add aws:SourceVpc or aws:SourceVpce conditions to your API's resource policy to restrict access.

  • For the most secure data perimeter, you can create a VPC endpoint policy. This controls access to the VPC endpoints that can invoke your private API.
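As an added illustration of the resource-policy practice above (not an example from this guide), the following API Gateway resource policy allows invocation only through one interface VPC endpoint and explicitly denies every request that arrives via any other path. The endpoint ID `vpce-0123456789abcdef0` is a placeholder to be replaced with your own endpoint; `aws:SourceVpc` with a VPC ID can be used in the same position to scope access to a whole VPC instead.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

The explicit Deny with `StringNotEquals` is what makes the perimeter hold: a request that lacks the expected source endpoint is rejected even though the first statement is a broad Allow, because an explicit Deny always wins in policy evaluation.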

Considerations for private APIs

The following considerations might impact your use of private APIs.

  • Only REST APIs are supported.

  • Custom domain names aren't supported for private APIs.

  • You cannot convert a private API to an edge-optimized API.

  • Private APIs only support TLS 1.2. Earlier TLS versions are not supported.

  • VPC endpoints for private APIs are subject to the same limitations as other interface VPC endpoints. For more information, see Access an AWS service using an interface VPC endpoint in the AWS PrivateLink Guide. For more information about using API Gateway with shared VPCs and shared subnets, see Shared subnets in the AWS PrivateLink Guide.

Next steps for private APIs

To learn how to create a private API and associate a VPC endpoint, see Create a private API. To follow a tutorial where you create dependencies in AWS CloudFormation and a private API in the AWS Management Console, see Tutorial: Create a private REST API.