Context
I'm using a resource policy to whitelist IP addresses which can call my APIs managed using API Gateway.
My resource policy looks like this
When I try to call the API from an IP address that's not in the whitelist, I get an API response like this:
{
"Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-sou*******-*:************:*****/*****/**/******"
}
Problem
I would prefer to not show an error message at all when the IP address is not in the whitelist.
Expected Outcome
How can I change the response to only display error messages to IP addresses that are whitelisted? For IP addresses that are not in the whitelist, there should be no response. Similar to what EC2 instances do when the IP address is not whitelisted and the operation times out.
EDIT: There is another question with a similar problem - AWS API Gateway change access denied response message from resource policy
But my problem is different because I don't just want to change the response sent, but I would like to stop API Gateway from sending a response if the IP address is not whitelisted.
Upvotes: 1
Views: 1647
As folks in the comments have suggested, you could consider using Gateway Response to simplify the response to essentially nothing by having it return something like {}.
Another approach to consider if you want similar responses to EC2 instances would be to not use API Gateway and use an Application Load Balancer to act as your proxy. I am not sure what type of integration you are using with API Gateway, but ALBs allow you to route traffic to Lambdas, route traffic to EC2 instances, or forward/redirect traffic to other HTTP endpoints, so this solution would work for those types of integrations. You can then set up the security groups on the ALB to only allow traffic from whitelisted subnets, and any other users that attempt to make requests will simply hang.
Upvotes: 1
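An added example, not code from the question or the answer: it builds the kind of IP-whitelist resource policy the question describes, lets you check candidate source IPs against it before deploying, and emits the CloudFormation GatewayResponse that blanks the ACCESS_DENIED body to `{}` as the answer suggests. The API ARN placeholder and the CIDR list are constructed values.

```python
import ipaddress

# Constructed sample values: placeholder ARN and TEST-NET CIDRs, not from the page.
API_ARN = "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*/*/*"
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.42/32"]

def build_resource_policy(api_arn, cidrs):
    """Allow execute-api:Invoke from the listed CIDRs and explicitly deny everyone else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn,
             "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}}},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn,
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)}}},
        ],
    }

def _condition_matches(condition, ip):
    """Evaluate the two condition operators this policy shape uses."""
    if "IpAddress" in condition:
        nets = condition["IpAddress"]["aws:SourceIp"]
        return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    if "NotIpAddress" in condition:
        nets = condition["NotIpAddress"]["aws:SourceIp"]
        return not any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    return True  # no condition: the statement always applies

def is_invoke_allowed(policy, source_ip):
    """Pre-deployment check: an explicit Deny wins, otherwise an Allow must match."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def gateway_response_blank_body(rest_api_logical_id="RestApi"):
    """CloudFormation AWS::ApiGateway::GatewayResponse that replaces the
    ACCESS_DENIED body (which echoes the API ARN) with an empty JSON object."""
    return {"Type": "AWS::ApiGateway::GatewayResponse",
            "Properties": {"RestApiId": {"Ref": rest_api_logical_id},
                           "ResponseType": "ACCESS_DENIED", "StatusCode": "403",
                           "ResponseTemplates": {"application/json": "{}"}}}
```

Note that the blanked Gateway Response still returns an HTTP 403 with headers; it only stops the ARN from being echoed. A request that hangs, as the question asks for, needs the ALB-plus-security-group approach from the answer.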