I know I can put a REGIONAL endpoint type API Gateway behind a CloudFront distribution, but is it possible to put a PRIVATE endpoint type API Gateway behind one?
This way only calls from the Internet to CloudFront would hit the API Gateway? I assume this cannot be done because CloudFront is public.
The purpose of private APIs is to allow access from a specific internal network (e.g., a VPC subnet, on-premise network).
So if you need to configure CloudFront, then the requests from CloudFront should be routed to a public endpoint of the network (e.g., an internet-facing NLB), and then the NLB can point to the static IPs of the VPC endpoint which is associated with the resource policy of the private API.
I do not think the above solution is suitable for production environments due to certain security issues, and integration points can be broken if someone updates the VPC endpoint configuration. So I would say it's better not to configure CloudFront in front of a private API.
Could you explain a bit more on why you need to introduce a CloudFront distribution in front of a private API? I may be able to provide an alternative. For example, you may consider introducing a WAF rule (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html) if you need to restrict access to an API from a specific domain (e.g., a CloudFront distribution).
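The answer mentions two controls without showing them: the resource policy that ties a private API to its VPC endpoint, and a WAF rule that only admits traffic coming through a CloudFront distribution. The block below is an added example, not code from the answer or from AWS. It builds both documents and runs a small request through a simplified model of the IAM and WAF decision logic, so the fail-closed behaviour of the `Deny` + `StringNotEquals` pair (a request with no `aws:SourceVpce` at all is also denied) can be checked offline. The API ARN, VPC endpoint id and `X-Origin-Verify` header name are constructed sample values; the shared-secret origin header is the usual way to make WAF recognise "came via my CloudFront distribution", since WAF cannot see the requesting domain, and the two evaluators are my own approximation of the AWS logic, not AWS code.

```python
import hmac

# Constructed sample identifiers (not from the page).
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcde12345"
VPCE_ID = "vpce-0123456789abcdef0"


def private_api_resource_policy(api_arn: str, vpce_id: str) -> dict:
    """Resource policy for a PRIVATE endpoint type REST API.

    The Allow grants execute-api:Invoke to anyone; the Deny then removes that
    grant for every request whose aws:SourceVpce is not the named endpoint.
    IAM treats a missing key as satisfying StringNotEquals, so a request that
    did not enter through any VPC endpoint is denied as well (fail closed).
    """
    resource = f"{api_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": resource},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": resource,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }


def _condition_holds(condition: dict, request_ctx: dict) -> bool:
    """Evaluate only the IAM operators used above (simplified model, not IAM)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = request_ctx.get(key)  # None when the key is absent
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringNotEquals" and actual in values:
                return False
    return True


def invoke_allowed(policy: dict, request_ctx: dict) -> bool:
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_holds(stmt.get("Condition", {}), request_ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cloudfront_only_web_acl(header_name: str, shared_secret: str) -> dict:
    """WAFv2 web ACL in the shape of the wafv2 API: default Block, one Allow
    rule that matches the secret CloudFront injects as an origin custom header.
    WAF matches SingleHeader by lowercase name, hence the lower(). The real
    API takes SearchString as bytes (base64 in the CLI); kept as str here."""
    return {
        "Name": "allow-only-cloudfront",
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}},
        "Rules": [{
            "Name": "origin-secret-header",
            "Priority": 0,
            "Action": {"Allow": {}},
            "Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": header_name.lower()}},
                "SearchString": shared_secret,
                "PositionalConstraint": "EXACTLY",
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "origin-secret-header"},
        }],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "allow-only-cloudfront"},
    }


def waf_allows(web_acl: dict, headers: dict) -> bool:
    """Simplified WAF decision: first matching rule's action, else DefaultAction.
    Header names are case-insensitive; the secret is compared in constant time."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for rule in web_acl["Rules"]:
        match = rule["Statement"]["ByteMatchStatement"]
        value = lowered.get(match["FieldToMatch"]["SingleHeader"]["Name"], "")
        if hmac.compare_digest(value.encode(), match["SearchString"].encode()):
            return "Allow" in rule["Action"]
    return "Allow" in web_acl["DefaultAction"]


if __name__ == "__main__":
    policy = private_api_resource_policy(API_ARN, VPCE_ID)
    print("via own VPCE :", invoke_allowed(policy, {"aws:SourceVpce": VPCE_ID}))
    print("no VPCE      :", invoke_allowed(policy, {}))
    acl = cloudfront_only_web_acl("X-Origin-Verify", "example-secret")
    print("with header  :", waf_allows(acl, {"X-Origin-Verify": "example-secret"}))
    print("direct hit   :", waf_allows(acl, {}))
```

The secret should be rotated like any credential (CloudFront origin custom headers and the WAF rule are updated together), and the NLB-to-VPC-endpoint chain the answer describes still leaves the NLB publicly reachable, which is exactly why the WAF check belongs in front of it.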