Which solution will provide connectivity between the EC2 instance and the API?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is using Amazon API Gateway to deploy a private REST API that will provide access to sensitive data.The API must be accessible only from an application that is deployed in a VPC.The company deploys the API successfully.However, the API is not accessible from an Amazon EC2 instance that is deployed in the VPC.

Which solution will provide connectivity between the EC2 instance and the API?

Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows apigateway:* actions. Disable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC. Use the VPC endpoint’s DNS name to access the API.

Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows the execute-api:Invoke action. Enable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint’s DNS names to access the API.

Create a Network Load Balancer (NLB) and a VPC link. Configure private integration between API Gateway and the NLB. Use the API endpoint’s DNS names to access the API.

Create an Application Load Balancer (ALB) and a VPC Link. Configure private integration between API Gateway and the ALB. Use the ALB endpoint’s DNS name to access the API.

Explanations:

Although creating an interface VPC endpoint is necessary, disabling private DNS naming prevents the EC2 instance from resolving the VPC endpoint’s DNS name. Without private DNS enabled, the EC2 instance will not be able to access the API using the VPC endpoint’s DNS name. Additionally, attaching a policy that allowsapigateway:*actions is overly broad and not a best practice.

This option correctly outlines the process to access the private API. By creating an interface VPC endpoint with theexecute-api:Invokeaction in the endpoint policy and enabling private DNS naming, the EC2 instance can resolve the VPC endpoint’s DNS name. The API resource policy will also allow access from the VPC endpoint, ensuring secure connectivity.

While using a Network Load Balancer (NLB) with a VPC link can facilitate private integration, this approach adds unnecessary complexity. API Gateway has native support for VPC endpoints without needing an NLB. Therefore, this option is not the most efficient solution for enabling connectivity to the API.

Similar to option C, using an Application Load Balancer (ALB) with a VPC link is an unnecessarily complicated solution. API Gateway is designed to connect directly with VPC endpoints without needing a load balancer, making this option less suitable for establishing access to the private API.

2025-10-12

1 Comment

  1. Amanda
    Author

    In my opinion, the answer is:
    Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows the execute-api:Invoke action. Enable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint’s DNS names to access the API.

Leave a Reply

Your email address will not be published. Required fields are marked *

twelve − 4 =