Is it possible to restrict the AppSync API endpoint to in network only?

I'm currently building an AppSync API and will be implementing Cognito Pools for authorization. I noticed that there is an endpoint created upon building an AppSync API. It looks like with API Gateway, you can restrict public access to the endpoint using a VPC. Is there something similar that is available with AppSync so that the endpoint exposed is not accessible to the public?

https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/

One thought is to attach the AppSync URL to a custom domain that is not public. Is that feasible?

Slae asked Nov 03 '25 05:11



1 Answer

With Cognito User Pools, if you turn on Advanced Security Features, you can restrict authentication to specific network address ranges, so basically you can restrict your users to authenticating only from specific network locations. With AWS AppSync, it is not possible currently to restrict access to specific IP addresses, but it is a feature we are considering.

For having custom domains with AppSync you can have a look at the following blog post:

https://aws.amazon.com/blogs/mobile/use-a-custom-domain-with-aws-appsync-amazon-cloudfront-and-amazon-route-53/

Ionut Trestian answered Nov 06 '25 04:11
