All APIs need to be called with an authenticated userWhich solution will meet these requirements with the LEAST amount of effort?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A company has developed APIs that use Amazon API Gateway with Regional endpoints.The APIs call AWS Lambda functions that use API Gateway authentication mechanisms.After a design review, a solutions architect identifies a set of APIs that do not require public access.The solutions architect must design a solution to make the set of APIs accessible only from a VPC.

All APIs need to be called with an authenticated userWhich solution will meet these requirements with the LEAST amount of effort?

Create an internal Application Load Balancer (ALB). Create a target group. Select the Lambda function to call. Use the ALB DNS name to call the API from the VPC.

Remove the DNS entry that is associated with the API in API Gateway. Create a hosted zone in Amazon Route 53. Create a CNAME record in the hosted zone. Update the API in API Gateway with the CNAME record. Use the CNAME record to call the API from the VPC.

Update the API endpoint from Regional to private in API Gateway. Create an interface VPC endpoint in the VPCreate a resource policy, and attach it to the API. Use the VPC endpoint to call the API from the VPC.

Deploy the Lambda functions inside the VPC Provision an EC2 instance, and install an Apache server. From the Apache server, call the Lambda functions. Use the internal CNAME record of the EC2 instance to call the API from the VPC.

Explanations:

An internal ALB cannot be used with Lambda functions directly. API Gateway is designed to interface with Lambda functions, not an ALB. Additionally, setting up an ALB with Lambda as a target requires more complex configuration, making it more effort-intensive than other solutions.

Removing the DNS entry and creating a CNAME in Route 53 does not address the requirement of limiting access to the VPC. The API would still be publicly accessible over the internet, and using CNAME doesn’t prevent external access.

Changing the API endpoint to private in API Gateway and using an interface VPC endpoint ensures that the API is only accessible within the VPC, providing a secure and efficient solution with the least effort. The resource policy further restricts access to the VPC endpoint.

Deploying Lambda functions inside a VPC and setting up an EC2 instance with Apache introduces unnecessary complexity. It requires managing an EC2 instance and setting up Apache, which adds overhead and doesn’t directly address the need for private API access in a simple manner.

Leave a Reply

Your email address will not be published. Required fields are marked *

16 + 5 =