Private AWS API Gateways

There are many ways to communicate between AWS accounts, such as sharing S3 objects or sending messages through EventBridge. One of the most powerful, however, is API Gateway, since it enables RESTful HTTP communication.

Using API Gateway does not necessarily mean exposing the API to the world. Indeed, for many B2B integrations that is undesirable for security reasons. Fortunately, AWS provides a mechanism for “private endpoints” in API Gateway. Communicating between accounts in this manner goes through the VPC, or virtual private cloud, which is similar to an on-prem network but in the cloud.

To reach API Gateway from within a VPC, a VPC endpoint of the following type is required:

com.amazonaws.us-west-2.execute-api

This is the interface endpoint that must be connected to the API Gateway you create. In particular, note the VPC endpoint ID, as that is how AWS “ties” an API Gateway instance to a VPC.

In the diagram above, the VPC endpoint IDs of the execute-api endpoint type are referenced within the settings of the API Gateway.

Note that those VPC endpoints can belong to VPCs in different accounts. This is one way to access private APIs across accounts without publishing the API Gateway to the world by making it a “regional” type.

It is also important to attach a resource policy that allows access to the API; otherwise you will get access denied errors when invoking the gateway methods.

The Route 53 alias for the API across accounts looks like this:

https://{api-id}-{vpc-endpoint-id}.execute-api.{region}.amazonaws.com/{api-method}

For example:

https://k3ji9by9y7-vpce-1793da57f5d7fb4b3.execute-api.us-west-2.amazonaws.com/api/

Notice that these URLs contain both the VPC endpoint ID and the API Gateway ID. If the API Gateway was set up with Terraform, it may at some point be desirable to run a destroy and have it regenerated for whatever reason. This would involve updating every reference to the URL, since the URL would change. This is what makes these URLs extremely brittle. The same applies to the execute-api VPC endpoint: recreating it changes the VPC endpoint ID, and with it the URL.
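As an added example (not code from the original post), the following Python builds the resource policy discussed above, pinned to a set of execute-api VPC endpoint IDs so that only those endpoints (possibly in other accounts) can invoke the API, and assembles the private invoke URL from the two IDs that make it brittle. The account ID is a placeholder; the API ID and VPC endpoint ID are the ones quoted above.

```python
import json

# Added example, not code from the original post. The account id below is a
# placeholder; the API id and VPC endpoint id are the ones quoted in the post.

def private_invoke_url(api_id: str, vpce_id: str, region: str, path: str = "") -> str:
    """Hostname a private API is reached through from an attached VPC endpoint.
    Both ids are baked into it, so recreating either resource changes the URL."""
    host = f"{api_id}-{vpce_id}.execute-api.{region}.amazonaws.com"
    return f"https://{host}/{path.lstrip('/')}"


def private_api_resource_policy(region: str, account_id: str, api_id: str,
                                vpce_ids: list[str]) -> dict:
    """Resource policy that allows execute-api:Invoke only through the listed
    execute-api VPC endpoints (which may live in other accounts).
    The Allow is what stops the 403 on every method; the explicit Deny with
    StringNotEquals on aws:SourceVpce rejects calls arriving via any other
    endpoint that gets attached to the API later."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*/*/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": sorted(vpce_ids)}}},
        ],
    }


def allowed_vpce_ids(policy: dict) -> set[str]:
    """VPC endpoint ids a policy pins invocation to; an empty set means the
    policy has no such Deny and any attached endpoint can invoke the API."""
    ids: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        value = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce", [])
        ids.update([value] if isinstance(value, str) else value)
    return ids


if __name__ == "__main__":
    policy = private_api_resource_policy("us-west-2", "123456789012", "k3ji9by9y7",
                                         ["vpce-1793da57f5d7fb4b3"])
    print(json.dumps(policy, indent=2))
    print(private_invoke_url("k3ji9by9y7", "vpce-1793da57f5d7fb4b3", "us-west-2", "api/"))
```

Running `allowed_vpce_ids` against a deployed API's policy is a quick way to confirm it is pinned to the expected endpoints rather than open to any endpoint attached later.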

It is on AWS’s roadmap to enable custom URLs for private APIs, but as of now this has not been implemented by AWS. In a future blog post I will demonstrate a method to work around the restriction on custom URLs for private API Gateways.