Amazon API Gateway Endpoint Types - Overview.
Focus:
- Intro,
- API Gateway Endpoint
Types,
- Edge-Optimized Endpoints,
- Regional Endpoints,
- Private Endpoints,
- Choosing the Right
Endpoint Type,
- Sample Architectures,
- Automation &
Deployment,
- Best Practices.
Intro:
Amazon API Gateway offers three types of endpoints for REST APIs that determine how clients access the API and how traffic is routed:
- Edge-optimized API endpoints: Designed for geographically distributed clients, these endpoints route requests to the nearest Amazon CloudFront edge location.
- This is the default type for REST APIs created in the API Gateway console.
- Regional API endpoints: Intended for clients within the same AWS Region as the API.
- These endpoints do not use a managed CloudFront distribution, which can reduce latency for same-region requests and allows twtech to manage its own CDN if needed.
- This is the default for HTTP and WebSocket APIs.
- Private API endpoints: Accessible only from an Amazon Virtual Private Cloud (VPC) using interface VPC endpoints.
- Traffic to these APIs does not travel over the public internet.
API Gateway Endpoint
Types
Amazon API Gateway supports three main endpoint types for its REST and HTTP
APIs:
|
Endpoint
Type |
Description |
Network
Access |
Common
Use Case |
|
Edge-Optimized |
API endpoints deployed globally via
Amazon CloudFront. |
Public Internet (global edge network) |
Public APIs serving clients globally
(mobile/web apps) |
|
Regional |
API endpoints deployed in a specific
AWS Region. |
Public Internet (regional endpoint) |
Regional apps, hybrid architectures,
or low-latency regional APIs |
|
Private |
API endpoints accessible only
within a VPC via an Interface VPC Endpoint (PrivateLink). |
Private network only (VPC) |
Internal APIs, microservices, or
regulatory isolation requirements |
1. Edge-Optimized Endpoints
Architecture:
- When twtech creates an Edge-Optimized API
Gateway, AWS automatically provisions a CloudFront distribution.
- All client requests are routed to the nearest CloudFront edge location, which forwards them to the regional API Gateway endpoint.
- TLS termination occurs at the edge; connections to the API Gateway use optimized AWS backbone network paths.
Ideal for:
- Global clients (mobile/web apps)
- Lower latency for geographically dispersed users
- Simplified global delivery
Integration
Considerations:
- Uses ACM certificates from the us-east-1 Region (since CloudFront distributions are
global).
- Cannot use custom CloudFront distributions.
- twtech rely on the managed one.
- Logging & WAF integration are available at CloudFront and API Gateway layers.
Security/Compliance:
- Public internet exposure.
- twtech can secure it using Cognito, IAM, or Lambda authorizers.
2. Regional Endpoints
Architecture:
- Deployed and served directly from one AWS
Region (no CloudFront by default).
- Clients connect directly to that Region’s public endpoint.
Ideal for:
- Latency-sensitive workloads within a
region.
- Applications that already use their own CloudFront distribution, WAF, or custom domain routing.
- Hybrid architectures (e.g., direct regional access from on-prem or AWS Direct Connect).
Integration
Considerations:
- Can use ACM certificates in the same
region for custom domains.
- Supports private integrations via VPC links to NLBs or internal services.
- twtech can attach its own CloudFront distribution for global caching/control.
Security/Compliance:
- Public access, but twtech can restrict access using:
- AWS WAF
- Resource policies (e.g., IP-based or VPC endpoint-based restrictions)
- Authorizers and IAM
3. Private Endpoints
Architecture:
- API
Gateway is deployed inside twtech VPC using PrivateLink (VPC
Endpoint Type: Interface).
- APIs are reachable only within the VPC (and optionally via VPC peering, Transit Gateway, or AWS PrivateLink connections across accounts).
Ideal for:
- Internal microservices architecture.
- Private APIs accessed only by internal applications, ECS/EKS workloads, or Lambda functions in the same or peered VPC.
- Regulated environments (e.g., PCI, FedRAMP) where public access is restricted.
Integration
Considerations:
- Accessible only via VPC endpoint DNS
names or private hosted zones.
- Can integrate directly with:
- Private ALBs/NLBs
- Private Lambda functions
- AWS services via VPC links
- Not accessible over the public Internet.
Security/Compliance:
- Strong isolation and data path control.
- Integrates with VPC security groups and NACLs.
- Can use AWS Private CA + ACM for internal TLS certificates.
Choosing the Right
Endpoint Type
|
Scenario |
Best
Endpoint Type |
Reasoning |
|
Public-facing
API for mobile/web users |
Edge-Optimized |
Global performance via CloudFront |
|
Regional
or hybrid workloads |
Regional |
Lower latency to regional clients;
control over CDN/WAF |
|
Internal
microservices or VPC-only access |
Private |
No public exposure; controlled via
VPC Endpoint |
Sample
Architectures
Automation &
Deployment
- Using AWS CloudFormation / CDK / Terraform to define endpoint type:
Custom Domains:Type: AWS::ApiGateway::RestApi
Properties:
Name: twtechPrivateAPI
EndpointConfiguration:
Types:
- PRIVATE
- Configure ACM certificates per endpoint type:
- Edge: ACM in us-east-1
- Regional/Private: ACM in same Region as API Gateway
- Private APIs can be shared using Resource
Policies or PrivateLink endpoint services.
- Regional APIs can be exposed through Route
53 Private Hosted Zones + IAM-based authorization.
Best Practices
- Prefer Regional APIs + custom CloudFront for flexibility and WAF management.
- Use Private APIs for internal-only communication.
- Always enable access logging + CloudWatch metrics.
- Use AWS WAF + AWS Shield for public endpoints.
- Automate certificate and DNS management with ACM + Route 53.
- Implement least-privilege IAM roles and resource policies.
No comments:
Post a Comment