Best Practices for Designing Amazon API Gateway Private APIs and Private Integration

Publication date: August 26, 2022

Abstract

Many enterprise customers use AWS Direct Connect or a virtual private network (VPN) to build a network connection between an on-premises network and an Amazon Web Services (AWS) virtual private cloud (VPC). This adds complexity to the network design and introduces challenges when setting up Amazon API Gateway private APIs and private integrations. This whitepaper introduces best practices for deploying private APIs and private integrations in API Gateway, and discusses security, usability, and architecture.

It is aimed at developers who use API Gateway, or are considering using it in the future.

Are you Well-Architected?

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

For more expert guidance and best practices for your cloud architecture—reference architecture deployments, diagrams, and whitepapers—refer to the AWS Architecture Center.

Introduction

API Gateway private integration makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC, for access by clients outside of the VPC. Additionally, private integration can integrate with private APIs, so the APIs can send requests to a Network Load Balancer (NLB) through a private link. For HTTP APIs, Application Load Balancer (ALB) and AWS Cloud Map are also supported. Private integration forwards external traffic sent to APIs to private resources, without exposing the APIs to the internet.

Depending on your security requirements, controls can be applied at several layers. VPC resources such as elastic network interfaces (ENIs) are secured by associating them with a security group. VPC endpoints are protected by both a security group and a resource policy. For an NLB, a Transport Layer Security (TLS) listener secures the traffic it accepts. For an ALB, security groups and HTTPS listeners are used.
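The resource-policy layer mentioned above is what makes a private API reachable only through the intended interface VPC endpoint. The following policy is an added example, not text from the whitepaper: it denies `execute-api:Invoke` for any request that does not arrive through the named endpoint, and allows it otherwise. The endpoint ID `vpce-EXAMPLE0123456789` is a placeholder that you replace with your own interface endpoint for `execute-api`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromApprovedVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": ["execute-api:/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789"
        }
      }
    },
    {
      "Sid": "AllowInvokeFromAnywhereElseAllowed",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": ["execute-api:/*"]
    }
  ]
}
```

The explicit `Deny` evaluates before the `Allow`, so even a caller with broad IAM permissions is refused unless the request traverses the approved endpoint; the security group on that endpoint then limits which VPC or on-premises sources can reach it at the network layer. Combine both controls rather than relying on one: the policy alone does not restrict which hosts can open connections, and the security group alone does not stop a request that reaches the API through a different endpoint.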

Compared to regional and edge-optimized API implementations, private APIs and private integrations add components such as interface VPC endpoints and load balancers. This increases the complexity of application architectures.

This whitepaper includes sample architectures to help you understand private APIs, along with private integration implementation and best practices. It also covers security and cost optimizations.