This blog post provides both an overview of private connectivity for API Connect on AWS SaaS and instructions on using it to connect API Connect instances on AWS to customer VPCs.
Private connectivity is available in API Connect advanced plans and is built on AWS PrivateLink, which is used for both inbound and outbound connections. An inbound connection joins a VPC interface endpoint in the customer VPC to a dedicated VPC endpoint service and router in the API Connect account, so that calls to the API gateway stay on the AWS network instead of crossing the public internet. An outbound connection joins a VPC interface endpoint in the API Connect account to a VPC endpoint service in the customer account, so that APIs can reach backend applications in the customer VPC privately. In both directions the owner of the endpoint service controls which principals may connect to it, and no VPC peering or routing between the two accounts is required.
Both inbound and outbound configuration options can be found in the Catalog settings tab of a catalog.
Note that, once configured, private connections will be available for all catalogs in an instance.
Configuring inbound connections
Follow these steps to configure an inbound private connection for an instance:
1. Specify a service consumer ARN
The principal that will create the VPC endpoint in the customer account must be pre-approved to access the VPC endpoint service in the API Connect account, so its ARN is entered here and added to the endpoint service's allowed principals.
This can be a service role, a user role, or even the root ARN for the customer account. Bear in mind that the account root ARN (arn:aws:iam::<account-id>:root) allows every principal in that account that holds EC2 endpoint-creation permissions to connect, so a dedicated role used only for this purpose is the least-privilege choice. See the AWS documentation for more details.
API Connect then provisions the backend infrastructure, including the VPC endpoint service, with the allowed-principal entry that makes the service visible to the consumer ARN from step 1.
Once the backend deployment is complete, the API Connect UI shows the service name of the VPC endpoint service and the private DNS name for the API gateway; both are needed for the remaining steps.
2. In AWS, create a VPC endpoint as instructed in the API Connect UI, using the service name provided above. This is an interface endpoint: place it in the subnets your API callers use and attach a security group that allows inbound TCP 443 only from those callers.
3. Create a private hosted zone in AWS Route53 for the domain of the private DNS name shown in the API Connect UI, and associate the zone with the VPC that holds the endpoint (the VPC needs DNS resolution and DNS hostnames enabled for a private zone to be used).
4. Create an alias A record in the private hosted zone for the private DNS name, pointing to the VPC endpoint DNS name shown in the AWS UI. The alias target's hosted zone ID is the one listed beside the endpoint's DNS entry, not the ID of the private zone you just created.
With these steps completed, the private DNS name shown in the API Connect UI can be used in place of the public DNS name for the API gateway to access an API Connect API privately. To confirm that the private path is in use, resolve the private DNS name from an instance inside the VPC: it should return the endpoint's private IP addresses, and an HTTPS request to that name should reach the gateway.
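The inbound procedure above, scripted with the AWS CLI as an added example (this is not code from the post or from API Connect). The service name and private DNS name are the values you would copy from the API Connect UI; the region, VPC, subnet and CIDR values are placeholders assumed for the example, as is the security group that limits the endpoint to TCP 443 from your callers.

```shell
#!/usr/bin/env bash
# Added example, not from the post: consumer side of an inbound connection
# driven with the AWS CLI. The service name and private DNS name come from the
# API Connect UI; the values below, and the VPC, subnet and CIDR IDs, are
# placeholders assumed for this example.
set -euo pipefail

AWS_REGION="${AWS_REGION:-us-east-1}"
SERVICE_NAME="${SERVICE_NAME:-com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0}"
PRIVATE_DNS_NAME="${PRIVATE_DNS_NAME:-abc123.gw.private.example.com}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaa1111 subnet-0bbb2222}"   # space-separated
CLIENT_CIDR="${CLIENT_CIDR:-10.0.0.0/16}"                     # your API callers

# The private hosted zone is the parent domain of the gateway's private name.
zone_for() { printf '%s\n' "${1#*.}"; }

# Change batch for the alias A record. HostedZoneId here is the VPC endpoint's
# own hosted zone ID (from its DnsEntries), not the private zone's ID.
alias_change_batch() {
  local record_name=$1 target_dns=$2 target_zone=$3
  cat <<EOF
{"Comment":"API Connect private gateway",
 "Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$record_name","Type":"A",
  "AliasTarget":{"HostedZoneId":"$target_zone","DNSName":"$target_dns","EvaluateTargetHealth":false}}}]}
EOF
}

create_inbound_endpoint() {
  # Security group: 443 only, and only from the callers that should use the gateway.
  local sg
  sg=$(aws ec2 create-security-group --vpc-id "$VPC_ID" --group-name apic-private-gateway \
         --description "API Connect PrivateLink clients" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 443 \
         --cidr "$CLIENT_CIDR" >/dev/null

  # Interface endpoint to the API Connect service. Private DNS is left off
  # because the name is served from our own hosted zone below.
  local vpce
  # shellcheck disable=SC2086  # SUBNET_IDS is intentionally split into words
  vpce=$(aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
           --service-name "$SERVICE_NAME" --subnet-ids $SUBNET_IDS --security-group-ids "$sg" \
           --no-private-dns-enabled --query VpcEndpoint.VpcEndpointId --output text)
  until [ "$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce" \
               --query 'VpcEndpoints[0].State' --output text)" = "available" ]; do
    sleep 10
  done

  # Regional DNS name of the endpoint and the hosted zone ID the alias must use
  # (text output is "<DnsName>\t<HostedZoneId>" on one line).
  local dns_entry target_dns target_zone
  dns_entry=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce" \
      --query 'VpcEndpoints[0].DnsEntries[0].[DnsName,HostedZoneId]' --output text)
  target_dns=${dns_entry%%[[:space:]]*}
  target_zone=${dns_entry##*[[:space:]]}

  # Private hosted zone, associated with this VPC, plus the alias record.
  local zone
  zone=$(aws route53 create-hosted-zone --name "$(zone_for "$PRIVATE_DNS_NAME")" \
           --caller-reference "apic-$(date +%s)" --vpc "VPCRegion=$AWS_REGION,VPCId=$VPC_ID" \
           --hosted-zone-config PrivateZone=true --query HostedZone.Id --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
      --change-batch "$(alias_change_batch "$PRIVATE_DNS_NAME" "$target_dns" "$target_zone")" >/dev/null
  echo "$vpce"
}

# Run from an instance inside the VPC: the name must resolve to the endpoint's
# private addresses and the gateway must answer over HTTPS on that name.
check_private_path() {
  dig +short "$PRIVATE_DNS_NAME"
  curl -sS -o /dev/null -w '%{http_code}\n' "https://$PRIVATE_DNS_NAME/"
}
```

Call `create_inbound_endpoint` once with credentials for the customer account, then `check_private_path` from a host in one of the endpoint subnets (it needs `dig` and `curl`). If the name still resolves to public addresses, the usual causes are a private zone not associated with the VPC or DNS hostnames disabled on the VPC; if it resolves privately but the connection hangs, check the endpoint's security group.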
Configuring outbound connections
Follow these steps to configure an outbound private connection from an instance to an application in your VPC:
1. Create a VPC endpoint service in your AWS account that fronts the application (see the AWS documentation; the service is backed by a Network Load Balancer or Gateway Load Balancer in front of the application). Once created, make note of the Service name of the endpoint service in the AWS UI.
2. Specify the Service name of the endpoint service in the API Connect UI.
3. Copy the AWS principal ARN from the API Connect UI.
4. Navigate to the Allow principals tab of the VPC endpoint service in AWS and specify the copied ARN in the Allow principals dialog. This is the identity API Connect uses to request the endpoint, so it should be the only principal allowed.
5. Click Next in the API Connect UI. API Connect now requests an interface endpoint to your service from its own account.
6. Wait for a Pending connection to appear in the Endpoint connections tab of the VPC endpoint service. Check that the owner of the requesting endpoint is the AWS account of the principal you allowed in step 4, then accept the connection request. Leave acceptance required enabled on the service so that no connection can complete without this review.
7. Wait for the connection state to update to Available.
8. Click Next in the API Connect UI.
9. Copy the VPC endpoint private DNS name from the API Connect UI.
10. Use this DNS name in your API Connect API as the address of the application behind your VPC endpoint service. Requests arrive at your load balancer through the endpoint, so the load balancer and its targets must accept that traffic.
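The provider side of the outbound procedure, scripted with the AWS CLI as an added example (not code from the post or from API Connect). The load balancer ARN and the API Connect principal ARN are placeholders; in practice the principal ARN is the one copied from the API Connect UI. The example adds a check the steps describe in prose: a pending connection is accepted only when it is in the pendingAcceptance state and its endpoint owner is the account of the allowed principal.

```shell
#!/usr/bin/env bash
# Added example, not from the post: provider side of an outbound connection
# driven with the AWS CLI. The NLB ARN and the API Connect principal ARN below
# are placeholders; use the principal ARN copied from the API Connect UI.
set -euo pipefail

NLB_ARN="${NLB_ARN:-arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/backend/0123456789abcdef}"
APIC_PRINCIPAL_ARN="${APIC_PRINCIPAL_ARN:-arn:aws:iam::444455556666:role/apic-outbound-connector}"

# The account ID is the fifth colon-separated field of any ARN.
account_of_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Accept only connections that are waiting for acceptance and whose endpoint
# owner is the account of the principal on the allow list.
should_accept() {
  local owner=$1 state=$2 expected_owner=$3
  [ "$state" = "pendingAcceptance" ] && [ "$owner" = "$expected_owner" ]
}

# Step 1 and step 4: endpoint service with acceptance required and a single
# allowed principal. Prints the service name to paste into the API Connect UI.
create_endpoint_service() {
  local svc
  svc=$(aws ec2 create-vpc-endpoint-service-configuration \
          --network-load-balancer-arns "$NLB_ARN" --acceptance-required \
          --query ServiceConfiguration.ServiceId --output text)
  aws ec2 modify-vpc-endpoint-service-permissions --service-id "$svc" \
          --add-allowed-principals "$APIC_PRINCIPAL_ARN" >/dev/null
  aws ec2 describe-vpc-endpoint-service-configurations --service-ids "$svc" \
          --query 'ServiceConfigurations[0].ServiceName' --output text
}

# Step 6: after clicking Next in the API Connect UI, review the pending
# request and accept it only if it came from the expected account.
accept_apic_connection() {
  local svc=$1 expected_owner
  expected_owner=$(account_of_arn "$APIC_PRINCIPAL_ARN")
  aws ec2 describe-vpc-endpoint-connections \
      --filters "Name=service-id,Values=$svc" \
      --query 'VpcEndpointConnections[].[VpcEndpointId,VpcEndpointOwner,VpcEndpointState]' \
      --output text |
  while read -r endpoint_id owner state; do
    if should_accept "$owner" "$state" "$expected_owner"; then
      aws ec2 accept-vpc-endpoint-connections --service-id "$svc" \
          --vpc-endpoint-ids "$endpoint_id" >/dev/null
      echo "accepted $endpoint_id from account $owner"
    else
      echo "not accepting $endpoint_id (owner=$owner state=$state)" >&2
    fi
  done
}

# Usage: SVC_NAME=$(create_endpoint_service) and enter it in the API Connect UI;
# once the UI reports the request, run accept_apic_connection <service-id>.
```

The service ID (vpce-svc-...) needed by `accept_apic_connection` is the one returned when the service was created; `describe-vpc-endpoint-service-configurations` lists it alongside the service name. Once the connection shows as available, the private DNS name displayed in the API Connect UI is the hostname to use in the API definition.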