Which solution will meet these requirements?
Set up VPC peering between vpc-1 and vpc-2. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
Set up a VPC endpoint of vpc-2 in vpc-1. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
Set the API endpoint type to REGIONAL. Attach a resource policy to the REST API to allow access from vpc-2.
Keep the API endpoint type as PRIVATE. Attach a resource policy to the REST API to allow access from vpc-2.
Explanations:
VPC peering is not necessary for accessing a PRIVATE API. Also, identity-based policies do not grant access to the API itself; a resource policy is needed for API access control.
A VPC endpoint for the API in vpc-1 is not required to allow access from vpc-2. The issue lies in the API’s resource policy, not in creating an endpoint in vpc-1.
Changing the endpoint type to REGIONAL is unnecessary and would remove the private accessibility requirement. The problem lies in the API’s resource policy, not the endpoint type.
Keeping the endpoint type as PRIVATE and attaching a resource policy to the REST API to allow access from vpc-2 is the correct solution. The resource policy controls access from specific VPCs.
I figure that the answer is:
Keep the API endpoint type as PRIVATE. Attach a resource policy to the REST API to allow access from vpc-2.