What should a solutions architect do to meet these requirements?
Create an AWS Site-to-Site VPN connection between the VPC and the API Gateway. Use API Gateway to generate a unique API Key for each microservice. Configure the API methods to require the key.
Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private.
Modify the API Gateway to use IAM authentication. Update the IAM policy for the IAM role that is assigned to the EC2 instances to allow access to the API Gateway. Move the API Gateway into a new VPDeploy a transit gateway and connect the VPCs.
Create an accelerator in AWS Global Accelerator, and connect the accelerator to the API Gateway. Update the route table for all VPC subnets with a route to the created Global Accelerator endpoint IP address. Add an API key for each service to use for authentication.
Explanations:
Creating a Site-to-Site VPN connection is not necessary for this scenario as it would still expose the API to the public internet unless additional measures are taken. API Keys do not provide adequate security on their own for restricting access to the API.
Creating an interface VPC endpoint for API Gateway allows the microservices running on EC2 instances in the VPC to communicate with the API privately. The endpoint policy can restrict access to the specific API, and the resource policy can ensure that only the VPC endpoint can invoke the API. Changing the endpoint type to private ensures that the API is not accessible from the public internet.
While IAM authentication can enhance security, moving API Gateway into a new VPC and deploying a transit gateway complicates the architecture unnecessarily and may not be needed to secure the API access. This does not address the requirement to prevent public internet access directly.
AWS Global Accelerator is designed to improve the availability and performance of applications, not to restrict access. Connecting it to API Gateway does not ensure that the API remains private, and using API keys does not guarantee the required security or prevent access from the public internet.
If memory serves me right, the answer is:
Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private.
I chart that the answer is:
Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private.