AWS API Gateway Private API Custom Domain Name

The AWS documentation says:

"Custom domain names are not supported for private APIs."

Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

What does this exactly mean? I am able to attach a custom domain name to the Private API.

However I am facing issues with SSL Certificates.

karthikeayan asked Dec 18 '22 13:12


1 Answer

API Gateway has 4 options:

  • HTTP API
  • WebSockets API
  • REST API
  • REST API Private

REST API Private is the same as REST APIs except it is only accessible from within a VPC. To access the REST API from within the VPC an interface VPC endpoint is required. If you do not use an interface VPC endpoint then you can access the REST API on API Gateway via NAT which goes via the internet gateway or just an internet gateway. In either case this would be a public REST API over the internet.

When using the VPC interface endpoint, AWS generates a custom domain name. This domain name is used within the VPC to locate the endpoint and redirect to the REST API. For this reason you cannot specify your own custom domain name at this time. You can specify a custom domain name for a public facing REST API.

Because you cannot specify your own custom domain name, you cannot use your own custom certificates.

Because the VPC interface endpoint is called API Gateway internally, TLS 1.2 is used. This cannot be changed either.

If you want to use your own certificates, then you would need to define your own domain name, and use a public facing REST API defined in API Gateway.

Alternatively you could use a custom domain name internal to your VPC and generate a certificate for this domain name. Put the certificate on a proxy server like NGINX, and use the proxy to front the interface endpoint. The interface endpoint uses an Elastic Network Interface (ENI) and therefore has a Security Group, and you can restrict traffic to originate from the proxy using the Security Group. In this case the certificate will reside on the proxy, and TLS will terminate on the proxy server. The proxy server will then access the REST API over a new connection.

Jason answered Jan 04 '23 17:01
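The proxy arrangement described in the answer, as an added example that is not part of the original answer and is not AWS or NGINX project code: NGINX terminates TLS with your own certificate for an internal name and opens a new, verified TLS connection to the execute-api interface VPC endpoint. The hostname api.internal.example.com, the vpce-... endpoint hostname, the API id abc123, the region us-east-1 and the certificate paths are all assumed placeholders; substitute your own values.

```nginx
# Added example, not from the original answer.
# Placeholders (replace with your own): api.internal.example.com,
# vpce-0123456789abcdef0-abcd1234, abc123, us-east-1, the cert/key paths.

server {
    listen 443 ssl;
    server_name api.internal.example.com;

    # Your own certificate for the internal domain name; TLS terminates here.
    ssl_certificate     /etc/nginx/tls/api.internal.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.internal.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Second, separate TLS connection from the proxy to the interface
        # endpoint (the VPC endpoint's own DNS name).
        proxy_pass https://vpce-0123456789abcdef0-abcd1234.execute-api.us-east-1.vpce.amazonaws.com;
        proxy_http_version 1.1;

        # API Gateway identifies the private API from the Host header
        # (the API's execute-api hostname), so it must not be the proxy's name.
        proxy_set_header Host abc123.execute-api.us-east-1.amazonaws.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Verify the endpoint's certificate so the proxy is not a blind relay.
        # SNI defaults to the proxy_pass host, which the endpoint cert covers.
        proxy_ssl_server_name        on;
        proxy_ssl_protocols          TLSv1.2 TLSv1.3;
        proxy_ssl_verify             on;
        proxy_ssl_verify_depth       2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

Two controls belong with this config: the security group attached to the endpoint's ENI should allow TCP 443 only from the proxy's security group, and the private API's resource policy should allow invocations only from that endpoint (the aws:SourceVpce condition), so that traffic which bypasses the proxy is refused at both the network and the API layer.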