Sunday, October 26, 2025

Amazon API Gateway Endpoint Types | Overview.

Here is the twtech overview of Amazon API Gateway endpoint types.

Focus:

  • API Gateway Endpoint Types
  • Edge-Optimized Endpoints
  • Regional Endpoints
  • Private Endpoints
  • Choosing the Right Endpoint Type
  • Sample Architectures
  • Automation & Deployment
  • Best Practices

 API Gateway Endpoint Types

Amazon API Gateway REST APIs support three endpoint types. HTTP APIs support only the Regional type, so the Edge-Optimized and Private types described below apply to REST APIs:

Endpoint Type  | Description | Network Access | Common Use Case
Edge-Optimized | API endpoints served globally through an AWS-managed Amazon CloudFront distribution. | Public Internet (global edge network) | Public APIs serving clients globally (mobile/web apps)
Regional       | API endpoints served directly from a specific AWS Region. | Public Internet (regional endpoint) | Regional apps, hybrid architectures, or low-latency regional APIs
Private        | API endpoints reachable only through an Interface VPC Endpoint (AWS PrivateLink) for the execute-api service. | Private network only (VPC) | Internal APIs, microservices, or regulatory isolation requirements

 1. Edge-Optimized Endpoints

Architecture:

  • When twtech creates an Edge-Optimized API Gateway, AWS automatically provisions a CloudFront distribution.
  • All client requests are routed to the nearest CloudFront edge location, which forwards them to the regional API Gateway endpoint.
  • TLS termination occurs at the edge; connections to the API Gateway use optimized AWS backbone network paths.

Ideal for:

  • Global clients (mobile/web apps)
  • Lower latency for geographically dispersed users
  • Simplified global delivery

Integration Considerations:

  • Custom domain names need an ACM certificate issued in us-east-1, because the managed CloudFront distribution is global.
  • The CloudFront distribution is AWS-managed: it does not appear in twtech's account, so its cache behaviors, logging and WAF association cannot be configured. To control the CDN layer, use a Regional API behind a CloudFront distribution twtech owns.
  • AWS WAF web ACLs and access logging attach to the API Gateway stage, which works the same way for Edge-Optimized and Regional REST APIs.

Security/Compliance:

  • Public internet exposure: anyone can reach the endpoint, so authorization must be enforced on every method rather than assumed from the network.
  • twtech can secure it using Cognito user pools, IAM (SigV4) or Lambda authorizers. API keys with usage plans meter and throttle clients but are not an authentication control on their own.

 2. Regional Endpoints

Architecture:

  • Deployed and served directly from one AWS Region (no CloudFront by default).
  • Clients connect directly to that Region’s public endpoint.

Ideal for:

  • Latency-sensitive workloads within a region.
  • Applications that already use their own CloudFront distribution, WAF, or custom domain routing.
  • Hybrid architectures (e.g., direct regional access from on-prem or AWS Direct Connect).

Integration Considerations:

  • Can use ACM certificates in the same region for custom domains.
  • Supports private integrations via VPC links to NLBs or internal services.
  • twtech can attach its own CloudFront distribution for global caching/control.

Security/Compliance:

  • Public access, but twtech can restrict it using:
    • AWS WAF web ACLs associated with the stage
    • Resource policies (e.g., aws:SourceIp allow-lists, or aws:SourceVpce conditions for callers inside VPCs)
    • Cognito, Lambda or IAM authorizers
    • DisableExecuteApiEndpoint on the API once a custom domain is in place, so the default execute-api hostname stops answering
  • When a Regional API sits behind a CloudFront distribution twtech owns, the WAF rules and caching at CloudFront are bypassed by anyone who calls the regional hostname directly. Have CloudFront add a secret origin custom header and reject requests without it (in a Lambda authorizer or a WAF rule on the stage), or restrict the resource policy to CloudFront's IP ranges.
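
The origin-verify check for a Regional REST API fronted by twtech's own CloudFront distribution, as an added example that is not part of the original post and is not AWS-provided code. It is a Lambda REQUEST authorizer in Python. It assumes CloudFront is configured to add an origin custom header named X-Origin-Verify (an assumed name) carrying a shared secret, that the authorizer's identity source is that header so cached decisions are keyed on it, and that the secret is supplied through an environment variable named ORIGIN_VERIFY_SECRET (also assumed). The method ARN, secret and events are constructed.

```python
"""
Lambda REQUEST authorizer: admit only requests that arrived through twtech's own
CloudFront distribution. Direct calls to the regional execute-api hostname lack
the origin header and are denied, so WAF/caching at CloudFront cannot be skipped.
Added example for this page; not code from the page or from AWS.
"""
import hmac
import os

HEADER_NAME = "x-origin-verify"  # assumed name; must match the CloudFront origin custom header


def _method_arn_to_policy_resource(method_arn: str) -> str:
    """Widen the method ARN to the whole stage so a cached decision covers every route:
    arn:...:abc123/prod/GET/orders -> arn:...:abc123/prod/*"""
    api_part, _, path_part = method_arn.partition("/")
    stage = path_part.split("/", 1)[0]
    return f"{api_part}/{stage}/*"


def authorize(event: dict, expected_secret: str) -> dict:
    """Build the authorizer response. Allow only when the presented header equals the
    shared secret (constant-time comparison); otherwise return an explicit Deny."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    presented = headers.get(HEADER_NAME, "")
    ok = hmac.compare_digest(presented.encode(), expected_secret.encode())
    return {
        "principalId": "cloudfront-origin" if ok else "anonymous",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if ok else "Deny",
                "Resource": _method_arn_to_policy_resource(event["methodArn"]),
            }],
        },
        "context": {"via_cloudfront": "true" if ok else "false"},
    }


def handler(event, context):
    # Production: load the secret from Secrets Manager/SSM and rotate it together
    # with the CloudFront origin header value (environment variable is assumed here).
    return authorize(event, os.environ["ORIGIN_VERIFY_SECRET"])


# Constructed sample data (not captured from a real API)
SAMPLE_SECRET = "c0rrect-h0rse-battery"
SAMPLE_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/orders"
SAMPLE_VIA_CLOUDFRONT = {
    "methodArn": SAMPLE_ARN,
    "headers": {"Host": "api.example.com", "X-Origin-Verify": SAMPLE_SECRET},
}
SAMPLE_DIRECT_HIT = {  # someone calling the regional hostname, bypassing CloudFront
    "methodArn": SAMPLE_ARN,
    "headers": {"Host": "a1b2c3d4e5.execute-api.us-east-1.amazonaws.com"},
}

if __name__ == "__main__":
    for name, ev in (("via CloudFront", SAMPLE_VIA_CLOUDFRONT), ("direct hit", SAMPLE_DIRECT_HIT)):
        effect = authorize(ev, SAMPLE_SECRET)["policyDocument"]["Statement"][0]["Effect"]
        print(f"{name}: {effect}")
```

Because the decision is cached per identity-source value, a wrong or missing header is cached as a Deny and a correct one as an Allow for the whole stage; rotate the secret by updating the CloudFront origin header and the authorizer's secret together, then flushing the authorizer cache.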

 3. Private Endpoints

Architecture:

  • The API is still hosted by the API Gateway service; what changes is reachability. Clients call it through an Interface VPC Endpoint (AWS PrivateLink) for the execute-api service in twtech's VPC, and the API's resource policy must allow that endpoint.
  • APIs are reachable only from networks that can route to that endpoint: the VPC itself, peered VPCs, Transit Gateway attachments, Direct Connect or VPN, or an execute-api endpoint in another account that the resource policy permits.

Ideal for:

  • Internal microservices architecture.
  • Private APIs accessed only by internal applications, ECS/EKS workloads, or Lambda functions in the same or peered VPC.
  • Regulated environments (e.g., PCI, FedRAMP) where public access is restricted.

Integration Considerations:

  • Clients use the VPC endpoint's DNS name (sending the API's hostname in the Host header or the x-apigw-api-id header), the regular execute-api hostname when private DNS is enabled on the endpoint, or a custom domain name for private APIs.
  • Backends are the same as for other REST APIs:
    • VPC links to internal NLBs (an NLB can front an internal ALB)
    • Lambda functions
    • AWS service and HTTP integrations
  • Not reachable over the public Internet, and not invokable at all until a resource policy grants access.

Security/Compliance:

  • Strong isolation and data path control: requests never leave the AWS network, and every caller must arrive through a VPC endpoint the resource policy allows. Scope Allow statements with aws:SourceVpce (or aws:SourceVpc); an unconditional Allow with Principal "*" admits any execute-api endpoint that can reach the API.
  • The endpoint's network interfaces carry security groups, and subnet NACLs apply, in addition to the API's resource policy and authorizers.
  • TLS on the VPC endpoint hostname uses an AWS-managed certificate; for a custom domain name, twtech can use AWS Private CA with ACM for internal TLS certificates in the API's Region.
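
The resource-policy shape for a private REST API, together with a check for the Allow-without-VPC-endpoint-condition mistake described above, as an added example that is not part of the original post and is not AWS-provided code. The functions work on plain dictionaries shaped like the boto3 get_rest_api response (endpointConfiguration.types and policy); the ARN, endpoint IDs and sample API records are constructed. It also handles the escaped-quote form in which API Gateway commonly returns the policy string, which is assumed behaviour here rather than documented.

```python
"""
Private REST API resource policy builder plus an audit over get_rest_api()-style
records: flags private APIs with no policy, Allow statements not scoped by
aws:SourceVpce / aws:SourceVpc, and the absence of a backstop Deny.
Added example for this page; not code from the page or from AWS.
"""
import json

VPC_CONDITION_KEYS = {"aws:sourcevpce", "aws:sourcevpc"}


def build_private_api_policy(api_arn: str, allowed_vpce_ids: list[str]) -> dict:
    """Allow invocation only from the named interface endpoints. The explicit Deny
    keeps the restriction in force even if a broader Allow is added later."""
    resource = f"{api_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": resource,
             "Condition": {"StringEquals": {"aws:SourceVpce": allowed_vpce_ids}}},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": resource,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": allowed_vpce_ids}}},
        ],
    }


def _load_policy(raw):
    """The API's policy comes back as a JSON string; it is often returned with
    escaped quotes (\\"), so fall back to unescaping once (assumed quirk)."""
    if raw is None or isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(raw.replace('\\"', '"'))


def audit_private_api(api: dict) -> list[str]:
    """Return findings for one API record; an empty list means nothing to report."""
    findings = []
    if "PRIVATE" not in api.get("endpointConfiguration", {}).get("types", []):
        return findings  # only private APIs are in scope here
    policy = _load_policy(api.get("policy"))
    if not policy:
        findings.append("private API has no resource policy; it cannot be invoked until one grants access")
        return findings
    statements = policy.get("Statement", [])
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not cond_keys & VPC_CONDITION_KEYS:
            findings.append("Allow statement not scoped by aws:SourceVpce/aws:SourceVpc: "
                            "any execute-api endpoint that can reach the API satisfies it")
    if not any(s.get("Effect") == "Deny" for s in statements):
        findings.append("no explicit Deny; add a Deny with StringNotEquals aws:SourceVpce as a backstop")
    return findings


# Constructed sample records (not real APIs, accounts or endpoints)
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123def4"
GOOD_API = {"id": "abc123def4", "endpointConfiguration": {"types": ["PRIVATE"]},
            "policy": json.dumps(build_private_api_policy(API_ARN, ["vpce-0a1b2c3d4e5f67890"]))}
WEAK_API = {"id": "zzz999zzz9", "endpointConfiguration": {"types": ["PRIVATE"]},
            # escaped form as API Gateway commonly returns it; Allow with no condition
            "policy": '{\\"Version\\":\\"2012-10-17\\",\\"Statement\\":[{\\"Effect\\":\\"Allow\\",'
                      '\\"Principal\\":\\"*\\",\\"Action\\":\\"execute-api:Invoke\\",\\"Resource\\":\\"*\\"}]}'}
NO_POLICY_API = {"id": "nop0l1cy00", "endpointConfiguration": {"types": ["PRIVATE"]}}
REGIONAL_API = {"id": "reg10na100", "endpointConfiguration": {"types": ["REGIONAL"]}}

if __name__ == "__main__":
    for api in (GOOD_API, WEAK_API, NO_POLICY_API, REGIONAL_API):
        print(api["id"], audit_private_api(api) or ["ok"])
```

In practice the records come from iterating get_rest_apis() and calling get_rest_api(restApiId=...) for each; the audit itself needs no network access, so it can run against exported inventory as well.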

 Choosing the Right Endpoint Type

Scenario | Best Endpoint Type | Reasoning
Public-facing API for mobile/web users | Edge-Optimized | Global performance via the managed CloudFront distribution
Regional or hybrid workloads | Regional | Lower latency to regional clients; control over your own CDN/WAF layer
Internal microservices or VPC-only access | Private | No public exposure; access controlled by the VPC endpoint and the API's resource policy

Sample Architectures

  • Edge-Optimized: client → nearest CloudFront edge (AWS-managed distribution) → regional API Gateway endpoint → Lambda / HTTP backend.
  • Regional: client (or a twtech-owned CloudFront distribution with WAF) → regional API Gateway endpoint → Lambda, or VPC link → internal NLB.
  • Private: client inside the VPC (ECS/EKS/Lambda) → execute-api Interface VPC Endpoint → API Gateway (resource policy allows the endpoint) → Lambda, or VPC link → internal NLB.

 Automation & Deployment

  • Infrastructure as Code:
    Use AWS CloudFormation / CDK / Terraform to define endpoint type:

# yaml

Resources:
  twtechPrivateAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: twtechPrivateAPI
      EndpointConfiguration:
        Types:
          - PRIVATE
      # A private API also needs a resource policy (Policy property) naming the
      # allowed execute-api VPC endpoints, and clients need that interface endpoint.

  • Custom Domains:
    Configure ACM certificates per endpoint type:
    • Edge: ACM certificate in us-east-1
    • Regional/Private: ACM certificate in the same Region as the API Gateway
  • Cross-Account Access:
    • Private APIs: the consumer creates an execute-api interface endpoint in its own VPC, and twtech's resource policy allows that endpoint ID (aws:SourceVpce) or the consumer's account.
    • Regional APIs are public, so cross-account access is controlled with IAM authorization plus a resource policy that names the allowed principals or accounts.

 Best Practices

  • Prefer Regional APIs + a twtech-owned CloudFront distribution for flexibility and WAF management, and make sure the regional hostname cannot be called directly around that distribution.
  • Use Private APIs for internal-only communication, with resource policies scoped to specific VPC endpoints.
  • Always enable access logging + CloudWatch metrics.
  • Use AWS WAF + AWS Shield for public endpoints.
  • Automate certificate and DNS management with ACM + Route 53, and set the custom domain's security policy to TLS 1.2.
  • Implement least-privilege IAM roles and resource policies.

