Question #671
A company has developed APIs using Amazon API Gateway with Edge-optimized endpoints. These APIs trigger AWS Lambda functions secured with API Gateway's authentication. During a security audit, it was found that certain APIs should not be publicly accessible. The solutions architect needs to ensure these APIs are only reachable from within the company's VPC, while still requiring authenticated access. Which solution meets these requirements with minimal effort?
A. Implement an internal Network Load Balancer (NLB) linked to a target group pointing to the Lambda functions. Use the NLB's DNS name for API calls from the VPC.
B. Delete the current API's public DNS record. Create a private hosted zone in Route 53 with a new CNAME record pointing to the API. Update the API Gateway configuration to use this CNAME. Access the API via the new DNS record from the VPC.
C. Change the API endpoint type to private in API Gateway. Establish an interface VPC endpoint in the VPC. Apply a resource policy to the API restricting access to the VPC endpoint. Use the VPC endpoint to invoke the API from within the VPC.
D. Migrate the Lambda functions to run within the VPC. Set up an EC2 instance with Nginx as a reverse proxy. Configure the Nginx server to forward requests to the Lambda functions. Use the EC2 instance's private DNS to access the API internally.
Explanation
Answer C is correct because:
1. Private API Endpoint: Changing the API Gateway endpoint type to 'private' makes the API reachable only through an interface VPC endpoint for the execute-api service; it no longer has a public, edge-optimized hostname served through CloudFront. Note that API Gateway does not convert an edge-optimized API straight to private: the endpoint type is changed from EDGE to REGIONAL first, then from REGIONAL to PRIVATE, and the API must be redeployed to its stage afterwards.
2. VPC Interface Endpoint: Creating an interface VPC endpoint for com.amazonaws.<region>.execute-api gives the VPC private connectivity to API Gateway over AWS PrivateLink, so requests never leave the AWS network. If private DNS is enabled on the endpoint, the API's standard execute-api hostname resolves to the endpoint from inside the VPC; be aware that this also redirects calls to any other public execute-api hostname in that region from that VPC, so those must then be reached via custom domain names or the endpoint's public DNS name with the API ID in the Host or x-apigw-api-id header.
3. Resource Policy: A private API requires a resource policy before it can be deployed. The policy uses the aws:SourceVpce condition key, typically as an explicit Deny for every request whose source VPC endpoint is not the trusted one, so the restriction holds even if another statement or an IAM policy grants execute-api:Invoke.
4. Authentication: The existing API Gateway authorizers (IAM, Cognito user pools, or Lambda authorizers) are still evaluated on every request; the resource policy is an additional gate on where the request may come from, not a replacement for it. This meets the requirement for authenticated access without any change to the API's security configuration.
Other options are incorrect because:
- A: NLB target groups do not support Lambda functions as targets (only Application Load Balancers do), and fronting the functions with a load balancer would bypass API Gateway's authorizers entirely and require rearchitecting the Lambda integration.
- B: Deleting or remapping DNS records does not block public API access; an edge-optimized API is served through a public CloudFront distribution, and its original execute-api hostname remains publicly resolvable and invocable regardless of what a private hosted zone contains.
- D: Migrating Lambda to a VPC and adding a reverse proxy introduces unnecessary complexity and maintenance overhead.
Key Points: Use API Gateway private endpoints with an execute-api interface VPC endpoint and an aws:SourceVpce resource policy to restrict access to a VPC while preserving the API's existing authorization. Remember the two-step EDGE to REGIONAL to PRIVATE conversion and the redeployment.
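The following Python is an added worked example, not part of the original question or of any AWS material. It builds the resource policy and endpoint-type patch operations for option C, and it includes a small evaluator of the relevant IAM semantics (explicit Deny wins, StringNotEquals matches when the key is absent) so the effect of the policy on callers inside and outside the VPC endpoint can be checked offline. The region, account ID, API ID and VPC endpoint ID are constructed placeholders, and the aws CLI commands are returned as strings rather than executed.

```python
"""Lock an API Gateway REST API to one VPC endpoint (added example)."""
import json

# Constructed, hypothetical identifiers; replace with real values.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "a1b2c3d4e5"
VPCE_ID = "vpce-0123456789abcdef0"


def private_api_resource_policy(region, account_id, api_id, vpce_id):
    """Allow execute-api:Invoke, then explicitly Deny any request whose
    aws:SourceVpce is not the trusted interface endpoint."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }


def endpoint_type_patch_ops(current_type):
    """Patch operations for `aws apigateway update-rest-api`, one list per
    call. EDGE cannot go straight to PRIVATE, so it is EDGE -> REGIONAL ->
    PRIVATE; a REGIONAL API needs only the second call."""
    steps = []
    if current_type == "EDGE":
        steps.append([{"op": "replace",
                       "path": "/endpointConfiguration/types/EDGE",
                       "value": "REGIONAL"}])
        current_type = "REGIONAL"
    if current_type == "REGIONAL":
        steps.append([{"op": "replace",
                       "path": "/endpointConfiguration/types/REGIONAL",
                       "value": "PRIVATE"}])
    return steps


def _condition_matches(condition, ctx):
    """Subset of IAM condition operators used above. StringNotEquals is a
    negated operator: a request with no aws:SourceVpce key still matches it,
    so a caller that did not come through a VPC endpoint hits the Deny."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def invoke_allowed(policy, source_vpce=None):
    """Decide execute-api:Invoke under the resource policy: any matching Deny
    wins, otherwise a matching Allow is needed. None models a caller that did
    not arrive through any VPC endpoint."""
    ctx = {} if source_vpce is None else {"aws:SourceVpce": source_vpce}
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cli_commands(region, api_id, vpce_id, stage="prod"):
    """The aws CLI calls, as strings; nothing here talks to AWS."""
    policy = json.dumps(private_api_resource_policy(region, ACCOUNT_ID, api_id, vpce_id))
    cmds = [
        f"aws apigateway update-rest-api --rest-api-id {api_id} --patch-operations "
        f"op=replace,path={ops[0]['path']},value={ops[0]['value']}"
        for ops in endpoint_type_patch_ops("EDGE")
    ]
    cmds.append(f"aws apigateway update-rest-api --rest-api-id {api_id} "
                f"--patch-operations op=replace,path=/policy,value='{policy}'")
    cmds.append(f"aws apigateway create-deployment --rest-api-id {api_id} --stage-name {stage}")
    return cmds


if __name__ == "__main__":
    policy = private_api_resource_policy(REGION, ACCOUNT_ID, API_ID, VPCE_ID)
    print(json.dumps(policy, indent=2))
    print("from trusted VPCE :", invoke_allowed(policy, VPCE_ID))
    print("from other VPCE   :", invoke_allowed(policy, "vpce-0fedcba9876543210"))
    print("no VPCE (public)  :", invoke_allowed(policy))
    print("\n".join(cli_commands(REGION, API_ID, VPCE_ID)))
```

The evaluator only models the resource policy; in a real deployment the caller must also pass the API's authorizer (IAM signature, Cognito token, or Lambda authorizer), and the interface endpoint itself should be created with `aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name com.amazonaws.<region>.execute-api` plus a security group that admits only the VPC's client subnets.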
Answer
The correct answer is: C