AWS Certified Solutions Architect – Professional — Question 746

A company is using Amazon API Gateway to deploy a private REST API that will provide access to sensitive data. The API must be accessible only from an application that is deployed in a VPC. The company deploys the API successfully. However, the API is not accessible from an Amazon EC2 instance that is deployed in the VPC.

Which solution will provide connectivity between the EC2 instance and the API?

Answer options

• A. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows apigateway:* actions. Disable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC. Use the VPC endpoint's DNS name to access the API.
• B. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows the execute-api:lnvoke action. Enable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint's DNS names to access the API.
• C. Create a Network Load Balancer (NLB) and a VPC link. Configure private integration between API Gateway and the NLB. Use the API endpoint's DNS names to access the API.
• D. Create an Application Load Balancer (ALB) and a VPC Link. Configure private integration between API Gateway and the ALB. Use the ALB endpoint's DNS name to access the API.

Correct answer: B

Explanation

To connect to a private API Gateway REST API from inside a VPC, you need to create an interface VPC endpoint and configure its policy to allow the execute-api:Invoke action. Enabling private DNS naming allows clients within the VPC to use the default public DNS names of the API Gateway, which resolve directly to the private IP addresses of the VPC endpoint. Additionally, configuring the API's resource policy to allow traffic from the VPC endpoint secures and completes the private network route.