When working on internal networks, particularly inside a VPC, developers often need to call a private API Gateway. A common scenario is a workload that must reach a specific Lambda function over plain HTTPS, without leaving the VPC and without using the AWS SDK or API to invoke it. Using the execute-api hostname that API Gateway assigns is an option, but a private DNS name of your own is more consistent across environments and lets you replace the API without changing every caller.
According to the AWS Documentation: "Custom domain names are not supported for private APIs."
However, that restriction only applies to attaching a custom domain name to a private API directly. With an internal Network Load Balancer in front of the execute-api VPC endpoint there is a simple hack that gets it to work.
TL;DR: Architecture
Caller in the VPC -> Route 53 private hosted zone (CNAME) -> internal NLB with a TLS listener -> execute-api VPC endpoint ENIs -> private REST API, which matches the Host header against a Regional custom domain name mapped to the API.
Full Solution
1. On the VPC, create an interface VPC endpoint for API Gateway (service name com.amazonaws.<region>.execute-api) in the subnets your callers can reach, with a security group that allows port 443 from them.
2. On API Gateway, create a private REST API with all the resources and methods you need. Attach a resource policy that only allows execute-api:Invoke when the request arrives through the VPC endpoint from step 1 (a condition on aws:SourceVpce, plus an explicit Deny for every other source).
3. On the VPC endpoint from step 1, open the Subnets section and note the private IP address of the endpoint network interface in each subnet.
4. Create a TLS target group (target type IP, port 443) and register the IPs from step 3.
5. Create an internal NLB with a TLS listener on port 443, using an ACM certificate for your private domain name, forwarding to the target group from step 4.
6. In API Gateway, create a custom domain name of type Regional for that same name (same certificate) and add an API mapping to the private API's stage. The custom domain's own regional hostname is never used; it exists so that API Gateway can match the Host header of requests arriving at the VPC endpoint to your private API.
7. In Route 53, create a private hosted zone associated with the same VPC, with a CNAME record for the name that points to the NLB's DNS name.
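The seven steps above as one Terraform configuration, added here as an example and not code from the original post. It assumes the following inputs exist: var.region, var.vpc_id, var.subnet_ids (one subnet per AZ), var.endpoint_sg_id (a security group allowing 443 from the VPC), var.zone_name (for example internal.example.com), var.domain_name (for example api.internal.example.com), var.certificate_arn (an ACM certificate for that name in the same region) and var.stage_name. The API's resources, Lambda proxy integration, deployment and stage are the usual API Gateway resources and are omitted for length.

```hcl
# Added example, not the post's own code. Assumed inputs: var.region, var.vpc_id,
# var.subnet_ids, var.endpoint_sg_id, var.zone_name, var.domain_name,
# var.certificate_arn, var.stage_name (see the lead-in). The API's own resources,
# methods, Lambda integration, deployment and stage are defined elsewhere.

# 1. Interface endpoint for execute-api. Private DNS stays off so the public
#    *.execute-api hostnames still resolve normally from this VPC.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [var.endpoint_sg_id]
  private_dns_enabled = false
}

# 2. Private REST API. The resource policy allows Invoke only through that
#    endpoint and explicitly denies every other source.
resource "aws_api_gateway_rest_api" "api" {
  name = "private-api"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Principal = "*", Action = "execute-api:Invoke", Resource = "execute-api:/*",
        Condition = { StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } } },
      { Effect = "Deny", Principal = "*", Action = "execute-api:Invoke", Resource = "execute-api:/*",
        Condition = { StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } } }
    ]
  })
}

# 3. One endpoint ENI per subnet, so the count is known at plan time; the IDs are read after apply.
data "aws_network_interface" "vpce" {
  count = length(var.subnet_ids)
  id    = tolist(aws_vpc_endpoint.execute_api.network_interface_ids)[count.index]
}

# 4. TLS target group holding those IPs. TCP health check: an HTTPS probe would get a 403 from API Gateway.
resource "aws_lb_target_group" "vpce" {
  vpc_id      = var.vpc_id
  target_type = "ip"
  protocol    = "TLS"
  port        = 443
  health_check { protocol = "TCP" }
}
resource "aws_lb_target_group_attachment" "vpce" {
  count            = length(var.subnet_ids)
  target_group_arn = aws_lb_target_group.vpce.arn
  target_id        = data.aws_network_interface.vpce[count.index].private_ip
  port             = 443
}

# 5. Internal NLB terminating TLS for the private name and re-encrypting to the endpoint.
resource "aws_lb" "api" {
  internal           = true
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}
resource "aws_lb_listener" "tls" {
  load_balancer_arn = aws_lb.api.arn
  port              = 443
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpce.arn
  }
}

# 6. Regional custom domain name for the same name, mapped to the private API's stage.
resource "aws_api_gateway_domain_name" "private" {
  domain_name              = var.domain_name
  regional_certificate_arn = var.certificate_arn
  security_policy          = "TLS_1_2"
  endpoint_configuration { types = ["REGIONAL"] }
}
resource "aws_api_gateway_base_path_mapping" "root" {
  domain_name = aws_api_gateway_domain_name.private.domain_name
  api_id      = aws_api_gateway_rest_api.api.id
  stage_name  = var.stage_name
}

# 7. Private hosted zone attached to the VPC, CNAME to the NLB.
resource "aws_route53_zone" "internal" {
  name = var.zone_name
  vpc { vpc_id = var.vpc_id }
}
resource "aws_route53_record" "api" {
  zone_id = aws_route53_zone.internal.zone_id
  name    = var.domain_name
  type    = "CNAME"
  ttl     = 60
  records = [aws_lb.api.dns_name]
}
```

After apply, a host in the VPC can run `curl https://api.internal.example.com/<path>` (the base path mapping puts the stage at the root, so there is no stage prefix) and should get the Lambda's response; from outside the VPC the name does not resolve, and a request via the public execute-api hostname is rejected by the resource policy. Two things to know: the endpoint IPs are derived from the endpoint rather than hard-coded because they change if the endpoint is recreated, and because the NLB terminates TLS, API Gateway sees the load balancer's private address as the caller, so do not build authorization on the source IP it logs.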
Once this is done, a request from inside the VPC to https://<your private name>/<path> should reach the Lambda function. I have done this many times in different projects but keep forgetting about it, so I figured it was a good time to document it so it can be useful to someone else.