Question #1379
A company uses Amazon API Gateway to host a private REST API within a VPC. The API invokes an AWS Lambda function to process transaction data. The company's VPC flow logs show that the API Gateway communicates with Lambda over the internet instead of through the VPC. A solutions architect must ensure the communication remains within the VPC with minimal code changes. Which solution meets these requirements?
A. Add an X-API-Key header in the HTTP request for authentication.
B. Use an interface endpoint for AWS Lambda.
C. Configure a gateway endpoint for AWS Lambda.
D. Introduce an Amazon SNS topic between the API Gateway and Lambda.
Explanation
Answer B is correct because:
1. Interface Endpoints: AWS Lambda uses interface endpoints (powered by AWS PrivateLink) to enable private communication within a VPC. By creating an interface endpoint for Lambda, API Gateway can invoke the Lambda function through the VPC's private network, eliminating internet traffic.
2. Why Other Options Fail:
- A: Adding an X-API-Key header handles authentication only; it does not change how traffic is routed between API Gateway and Lambda.
- C: Gateway endpoints are only supported for Amazon S3 and DynamoDB, not for Lambda.
- D: Introducing SNS would require significant architectural changes and code modifications, conflicting with the 'minimal code changes' requirement.
3. Key Points:
- API Gateway private APIs require VPC endpoints for AWS service integrations.
- Lambda uses interface endpoints (not gateway endpoints) for VPC-private connectivity.
- Interface endpoints ensure traffic remains within the AWS network, improving security and compliance.
Answer
The correct answer is: B