Exposing private APIs through VPC Endpoints means you can securely access services running within your Virtual Private Cloud (VPC) from other VPCs or even on-premises networks without traversing the public internet.

Here’s a practical example: imagine you have a fleet of EC2 instances in a private subnet that need to interact with a private API hosted on another EC2 instance in the same VPC. Instead of opening up security groups and potentially exposing that API to the internet, you can use a VPC Endpoint.

Let’s say your private API is running on 10.0.1.50 on port 8080. You’d typically access it using its private IP.

# From an EC2 instance in the same VPC, private subnet
curl http://10.0.1.50:8080/status

Now, consider a scenario where you want to access this API from a different VPC. Without VPC Endpoints, you’d need VPC peering or Transit Gateway, and potentially NAT Gateways if the source VPC is also private, all of which involve more complex routing and potentially public IP exposure.

With a VPC Endpoint, you can achieve this securely and privately.

How it Works: The Magic of Interface Endpoints

The core mechanism here is the Interface Endpoint. When you create an Interface Endpoint for a service (like API Gateway, or even a custom service running on EC2), AWS provisions Elastic Network Interfaces (ENIs) within your chosen subnets. These ENIs are assigned private IP addresses from your VPC’s CIDR block.

The service you’re targeting (e.g., API Gateway) then associates a DNS name with these ENIs. When you resolve that DNS name from within your VPC, it will resolve to these private IPs. This means traffic destined for the service never leaves your VPC’s network fabric and doesn’t hit the public internet.

Setting Up a VPC Endpoint for a Private API

Let’s assume your private API is exposed via API Gateway as a private API.

  1. Create a Private API in API Gateway:

    • Go to the API Gateway console.
    • Click "Create API".
    • Choose "REST API" or "HTTP API" and select "Private".
    • Configure your API as usual, ensuring the integration points to your private resources (e.g., an EC2 instance, Lambda function).
    • Crucially, note the API Gateway Endpoint URL for your private API. It will look something like abcdef1234.execute-api.us-east-1.amazonaws.com.
  2. Create a VPC Endpoint:

    • Go to the VPC console.
    • Navigate to "Endpoints".
    • Click "Create Endpoint".
    • Service category: "AWS services".
    • Service name: Search for com.amazonaws.us-east-1.execute-api (replace us-east-1 with your region). You’ll see a service for API Gateway.
    • VPC: Select the VPC where your clients (the ones needing to access the API) reside.
    • Subnets: Select the subnets within your VPC where you want the ENIs for the endpoint to be created. These should be subnets that your clients can reach.
    • Security group: Create or select a security group that allows inbound traffic on port 443 (for HTTPS) from your client instances.
    • Policy: This is critical. You’ll define an endpoint policy that grants or denies access to specific API Gateway resources. For example, to allow all access to your private API:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Principal": "*",
                  "Effect": "Allow",
                  "Action": "execute-api:Invoke",
                  "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:abcdef1234/*"
              }
          ]
      }

      Replace ACCOUNT_ID and abcdef1234 with your actual account ID and API ID.

    • Click "Create Endpoint".

  3. Configure DNS:

    • By default, the VPC Endpoint will have a DNS name associated with it, like vpce-0123456789abcdef0-xyz.execute-api.us-east-1.vpce.amazonaws.com.
    • To use the original API Gateway DNS name (abcdef1234.execute-api.us-east-1.amazonaws.com), you need to enable Private DNS for the endpoint. This automatically creates Route 53 private hosted zones and records that map the service DNS name to the endpoint ENI IPs. Make sure your VPC’s DNS resolution is enabled.
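The endpoint policy in step 2 is the part of this setup that decides what a client behind the endpoint can reach, so it is worth seeing exactly what "abcdef1234/*" permits. The following is an added example, not code from the original article or from AWS: a small, pure-Python evaluator that applies the IAM rules an execute-api endpoint policy relies on (explicit Deny wins, otherwise a matching Allow is required, otherwise default deny, with "*" wildcards in Action and Resource). It compares the article's allow-all policy with a constructed scoped-down one. ACCOUNT_ID and abcdef1234 are the article's placeholders; the stage, method and path values are constructed for the demonstration.

```python
"""Evaluate a VPC endpoint policy for execute-api the way IAM does (simplified).

Added example, not part of the original article. ACCOUNT_ID and abcdef1234
are placeholders for the real account ID and API ID. Only the IAM semantics
an execute-api endpoint policy normally uses are modelled: Allow/Deny
effects, explicit Deny wins, and '*' wildcards in Action and Resource.
"""
import fnmatch
import json

# The permissive policy from the article: every stage, method and path of the API.
ALLOW_ALL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:abcdef1234/*",
        }
    ],
})

# A scoped-down alternative (constructed): only GET /status in the prod stage,
# plus an explicit Deny on the test stage so it can never be reached through
# this endpoint even if a broader Allow is added later.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:abcdef1234/prod/GET/status",
        },
        {
            "Principal": "*",
            "Effect": "Deny",
            "Action": "execute-api:*",
            "Resource": "arn:aws:execute-api:us-east-1:ACCOUNT_ID:abcdef1234/test/*",
        },
    ],
})


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM's '*' means "any sequence of characters", including '/', which is
    # exactly what fnmatch's '*' does (fnmatch is not path-aware).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy_json, action, resource_arn):
    """Return True if the endpoint policy allows `action` on `resource_arn`."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource_arn)):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny always wins
        if stmt["Effect"] == "Allow":
            allowed = True        # keep scanning: a later Deny could still apply
    return allowed                # no matching statement at all -> implicit deny


def invoke_arn(stage, method, path, api_id="abcdef1234", region="us-east-1", account="ACCOUNT_ID"):
    """Build the execute-api ARN that an invocation through the endpoint is checked against."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.lstrip('/')}"


if __name__ == "__main__":
    action = "execute-api:Invoke"
    for name, policy in (("allow-all", ALLOW_ALL_POLICY), ("scoped", SCOPED_POLICY)):
        for stage, method, path in (("prod", "GET", "/status"), ("prod", "POST", "/status"),
                                    ("test", "DELETE", "/admin/users")):
            arn = invoke_arn(stage, method, path)
            print(f"{name:9s} {method:6s} {stage}{path:14s} -> {is_allowed(policy, action, arn)}")
```

The allow-all policy permits every method on every stage of the API, including stages you may not intend to expose through this endpoint; the scoped policy is the least-privilege form of the same statement. Note that the endpoint policy is only one of two gates: a private API also needs a resource policy on the API itself that permits invocation from this endpoint, which the steps above do not cover.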

Accessing the Private API

Once the endpoint is created and Private DNS is enabled, your clients within that VPC can now access the private API using its original DNS name.

# From an EC2 instance in the VPC with the endpoint
curl https://abcdef1234.execute-api.us-east-1.amazonaws.com/prod/status

The DNS query for abcdef1234.execute-api.us-east-1.amazonaws.com will be resolved by Route 53 to the private IP addresses of the endpoint ENIs. The traffic will then be routed through the VPC fabric to the API Gateway service, which is accessible via the endpoint.

The Counterintuitive Part: DNS Resolution and Routing

What most people don’t realize is how seamlessly the DNS resolution and routing work with private DNS enabled. When you query abcdef1234.execute-api.us-east-1.amazonaws.com from within the VPC where the endpoint exists, Route 53 intercepts this query. It doesn’t go to public DNS servers. Instead, it returns the private IP addresses of the ENIs associated with your VPC Endpoint. Your operating system then uses these private IPs to establish a connection. The traffic, from its perspective, is going to a public-facing hostname, but at the network layer, it’s being directed to a private IP within your VPC, and the VPC Endpoint acts as the gateway for that traffic to reach the API Gateway service. This is why you don’t need to change your application code or how it refers to the API.
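Because the application keeps using the public-looking hostname, the only way to know that traffic is actually staying inside the VPC is to look at what the name resolves to. The following is an added example, not code from the original article or from AWS: it classifies the addresses returned for abcdef1234.execute-api.us-east-1.amazonaws.com against the VPC CIDR and the endpoint's ENI addresses, separating the healthy case (Private DNS on, answers are the ENI IPs) from the cases where the query came from a VPC without the endpoint or Private DNS is disabled (answers are outside the VPC, so the private API will refuse the call). The VPC CIDR, the ENI addresses and the sample resolver answers are constructed; the live lookup in the main block only makes sense when run from an instance inside the VPC.

```python
"""Check that a private API hostname resolves to the VPC endpoint's ENI addresses.

Added example, not part of the original article. VPC_CIDR, ENDPOINT_ENI_IPS and
the sample answers are constructed values; replace them with the CIDR of your
VPC and the private IPs shown on the endpoint's network interfaces.
"""
import ipaddress
import socket

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")                   # constructed
ENDPOINT_ENI_IPS = {"10.0.1.21", "10.0.2.37"}                    # constructed: one ENI per subnet
API_HOSTNAME = "abcdef1234.execute-api.us-east-1.amazonaws.com"  # hostname from the article


def classify_resolution(addresses, vpc_cidr=VPC_CIDR, eni_ips=ENDPOINT_ENI_IPS):
    """Classify the resolver answers for the private API hostname.

    Returns one of:
      "private-dns-ok"     every answer is one of the endpoint's ENI addresses
      "in-vpc-unexpected"  answers are inside the VPC CIDR but are not the ENIs
                           (wrong endpoint, or the ENI list is stale)
      "outside-vpc"        at least one answer is outside the VPC: Private DNS is
                           off or the query came from a VPC without the endpoint
      "empty"              no answers at all
    """
    if not addresses:
        return "empty"
    parsed = [ipaddress.ip_address(a) for a in addresses]
    if any(ip not in vpc_cidr for ip in parsed):
        return "outside-vpc"
    if all(str(ip) in eni_ips for ip in parsed):
        return "private-dns-ok"
    return "in-vpc-unexpected"


def resolve(hostname):
    """Resolve with the OS resolver; inside the VPC that is the Route 53 resolver."""
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed answers showing each outcome, then a live lookup.
    samples = {
        "private DNS enabled, endpoint VPC": ["10.0.1.21", "10.0.2.37"],
        "different VPC endpoint in this VPC": ["10.0.5.9"],
        "private DNS off / no endpoint here": ["3.218.182.10"],   # constructed public IP
    }
    for label, answers in samples.items():
        print(f"{label:36s} {answers} -> {classify_resolution(answers)}")
    try:
        live = resolve(API_HOSTNAME)
        print(f"{'live lookup':36s} {live} -> {classify_resolution(live)}")
    except socket.gaierror as exc:
        print("live lookup failed:", exc)
```

Run from a client instance, "outside-vpc" is the signature of the most common misconfiguration: the endpoint exists but Private DNS was left disabled, so clients resolve the public address and the private API rejects them. A mixed answer set (one ENI IP plus one public IP) is also reported as "outside-vpc", since any public answer means some connections can leave the VPC.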

Beyond API Gateway: Custom Services

This pattern isn’t limited to AWS-managed services like API Gateway. You can also create VPC Endpoints for services running on EC2 instances or ECS/EKS clusters. For custom services, you’d typically use a Gateway Load Balancer Endpoint. This involves setting up a Gateway Load Balancer which then forwards traffic to your target application instances. The process is similar: create a Gateway Load Balancer, associate it with your service, and then create a Gateway Load Balancer Endpoint in the consuming VPC.

The next hurdle you’ll likely encounter is managing access control for multiple services or different environments, often involving more intricate VPC Endpoint policies and security group configurations.
