Continuity8

Reputation: 2591

AWS API Gateway to internal Web Service (an API that's not publicly available)

I've set up an Amazon API Gateway instance with a mock back-end and have it working perfectly.

I've also set up a RESTful API and deployed to Amazon EC2. I can access it publicly with Postman.

What I would like to do now is proxy all calls through the API gateway. Then block public access to the EC2 instance.

The problem is that I'm really struggling to find clear documentation on how this is done - which makes me think I might be doing things incorrectly, architecturally speaking.

My EC2 instance gives me a public DNS address, and a private one. I've tried setting the API gateway to point to the private address over HTTP, but the URL doesn't validate in the AWS Gateway - and won't save.

If someone could explain to me in plain English how this is supposed to work at a high level, and perhaps point to documentation, that would be absolute gold.

Upvotes: 0

Views: 531

Answers (1)

Michael - sqlbot

Reputation: 178974

This is what API Gateway calls a private integration.

API Gateway is not, itself, inside your VPC, so the solution uses a Network Load Balancer and VPC PrivateLink to allow API Gateway to access your private resources.

Documentation and setup can be found here:

https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html

Don't confuse private integrations with private endpoints, which allow the opposite -- with private endpoints, resources in your VPC are able to access an API deployed in API Gateway, without exposing the API Gateway endpoint itself to the Internet.

Upvotes: 1
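The private integration described in the answer, sketched as a CloudFormation template. This is an added example, not part of the original answer or AWS's own sample; the logical names, the HTTP port 80 backend, the single subnet and the pre-existing REST API with a `{proxy+}` resource are all assumptions.

```yaml
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  SubnetId: {Type: "AWS::EC2::Subnet::Id"}   # subnet for the internal NLB
  SubnetCidr: {Type: String}                 # CIDR of that subnet
  InstanceId: {Type: "AWS::EC2::Instance::Id"}
  RestApiId: {Type: String}                  # existing REST API (assumed)
  ProxyResourceId: {Type: String}            # its existing /{proxy+} resource
Resources:
  BackendSg:  # attach to the instance in place of its internet-facing group
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from the NLB subnet only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: !Ref SubnetCidr}
  Nlb:        # internal scheme: no public address, reachable only in the VPC
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: {Type: network, Scheme: internal, Subnets: [!Ref SubnetId]}
  Targets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 80
      Targets: [{Id: !Ref InstanceId}]
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 80
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref Targets}]
  VpcLink:    # PrivateLink path from API Gateway to the NLB
    Type: AWS::ApiGateway::VpcLink
    Properties: {Name: backend-link, TargetArns: [!Ref Nlb]}
  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApiId
      ResourceId: !Ref ProxyResourceId
      HttpMethod: ANY
      AuthorizationType: NONE  # placeholder; the gateway is now the only public entry point
      RequestParameters: {method.request.path.proxy: true}
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK          # route through the VPC link, not the Internet
        ConnectionId: !Ref VpcLink
        Uri: !Sub "http://${Nlb.DNSName}/{proxy}"
        RequestParameters: {integration.request.path.proxy: method.request.path.proxy}
```

Public access to the instance is only blocked once its old security group is swapped for `BackendSg`, and the API stage has to be redeployed before the new integration takes effect.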
