AWS API Gateway Private API Custom Domain Name

The AWS documentation says:

Custom domain names are not supported for private APIs.

Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

What exactly does this mean? I am able to attach a custom domain name to the Private API.

However, I am facing issues with SSL certificates.



Solution 1:[1]

API Gateway has 4 options:

REST API Private is the same as REST APIs except it is only accessible from within a VPC. To access the REST API from within the VPC an interface VPC endpoint is required. If you do not use an interface VPC endpoint then you can access the REST API on API Gateway via NAT which goes via the internet gateway or just an internet gateway. In either case this would be a public REST API over the internet.

When using the VPC interface endpoint, AWS generates a custom domain name. This domain name is used within the VPC to locate the endpoint and redirect to the REST API. For this reason you cannot specify your own custom domain name at this time. You can specify a custom domain name for a public facing REST API.

Because you cannot specify your own custom domain name, you cannot use your own custom certificates.

Because the VPC interface endpoint is called API Gateway internally, TLS 1.2 is used. This cannot be changed either.

If you want to use your own certificates, then you would need to define your own domain name, and use a public facing REST API defined in API Gateway.

Alternatively, you could use a custom domain name internal to your VPC and generate a certificate for this domain name. Put the certificate on a proxy server like NGINX and use the proxy to front the interface endpoint. The interface endpoint uses an Elastic Network Interface (ENI) and therefore has a Security Group, and you can restrict traffic to originate from the proxy using the Security Group. In this case the certificate will reside on the proxy, and TLS will terminate on the proxy server. The proxy server will then access the REST API over a new connection.

Solution 2:[2]

One option for using a custom domain for a private endpoint is to put an (internal-facing) application load balancer in front of the API gateway. When you add a listener to your ALB, you have the option to specify a certificate. Then you point to your ALB with your domain as an alias in Route53. To summarise:

  1. Create a target group that points to the ENI IP addresses of com.amazonaws.eu-west-1.execute-api
  2. Create an internal-facing Application Load Balancer
  3. Add the target group as a listener and specify the default SSL/TLS cert with your domain.
  4. Point your domain to the ALB alias in Route53
  5. Optionally, you could put a Network Load Balancer in front of your ALB if you need to give the ALB some on-prem address. In that case, you point your domain to the on-prem (private) address instead of the ALB alias. Create a new target group that points to your ALB and add it as a listener in the NLB.
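Steps 1 to 4 of this answer written out as a CloudFormation template, added here as an example and not taken from the Stack Overflow answer. The ENI addresses, domain name, certificate ARN, hosted zone and security group are placeholder parameters you supply, and the health-check matcher is an assumption rather than something the answer states.

```yaml
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PrivateSubnets: { Type: List<AWS::EC2::Subnet::Id> }
  AlbSecurityGroup: { Type: AWS::EC2::SecurityGroup::Id }    # allows 443 only from trusted CIDRs
  EndpointEniIpA: { Type: String, Default: "10.0.1.10" }       # placeholder: endpoint ENI IP, AZ a
  EndpointEniIpB: { Type: String, Default: "10.0.2.10" }       # placeholder: endpoint ENI IP, AZ b
  CertificateArn: { Type: String }                             # ACM certificate issued for DomainName
  PrivateHostedZoneId: { Type: AWS::Route53::HostedZone::Id }  # private zone associated with the VPC
  DomainName: { Type: String, Default: api.internal.example.com }  # hypothetical internal domain
Resources:
  # Step 1: target group whose targets are the execute-api VPC endpoint's ENI IP addresses
  EndpointTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: ip
      Protocol: HTTPS
      Port: 443
      VpcId: !Ref VpcId
      Targets:
        - { Id: !Ref EndpointEniIpA, Port: 443 }
        - { Id: !Ref EndpointEniIpB, Port: 443 }
      Matcher: { HttpCode: "200-403" }   # assumption: the endpoint answers unauthenticated probes with 403
  # Step 2: internal-facing Application Load Balancer in the private subnets
  InternalAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internal
      Subnets: !Ref PrivateSubnets
      SecurityGroups: [ !Ref AlbSecurityGroup ]
  # Step 3: HTTPS listener that terminates TLS with your certificate and forwards to the endpoint
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref InternalAlb
      Protocol: HTTPS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2 and 1.3 only on the client-facing side
      Certificates: [ { CertificateArn: !Ref CertificateArn } ]
      DefaultActions: [ { Type: forward, TargetGroupArn: !Ref EndpointTargetGroup } ]
  # Step 4: Route53 alias record in the private hosted zone pointing at the ALB
  AliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref PrivateHostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt InternalAlb.DNSName
        HostedZoneId: !GetAtt InternalAlb.CanonicalHostedZoneID
```

As Solution 1 notes for the proxy variant, the endpoint's own Security Group should admit port 443 only from the ALB's security group, so that clients cannot bypass the certificate-bearing listener and reach the ENI directly.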

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1 source: Jason
Solution 2 source: