# AWS PrivateLink for API Gateway

{% hint style="info" %}
**Private preview**: This feature is available to select accounts. Contact your Immuta representative for details.
{% endhint %}

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to API gateway endpoints hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in all regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

<figure><img src="https://1751699907-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlWBda5Pt4s8apEhzXGl7%2Fuploads%2Fgit-blob-2d240ee4d305fab24637b901f7d9e4026ea85790%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Requirements

* You have an Immuta SaaS tenant.
* You have an [Amazon API gateway private API](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html).
* Your private API must exist in [one of the regions in our global segments](https://documentation.immuta.com/SaaS/configuration/reference-guides/deployment-options#saas-global-segments).

## Configuring API gateway with AWS PrivateLink

1. [Update your API gateway resource policy](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-create.html#associate-private-api-with-vpc-endpoint) to allow for access from the Immuta VPC endpoint in the applicable AWS region. The Immuta VPC endpoint IDs are listed in the table below.

|                                    AWS region                                   |      VPC endpoint ID     |
| :-----------------------------------------------------------------------------: | :----------------------: |
|   <p><strong><code>ap-northeast-1</code></strong><br>Asia Pacific (Tokyo)</p>   | `vpce-09b3a20743b64ecc9` |
|     <p><strong><code>ap-south-1</code></strong><br>Asia Pacific (Mumbai)</p>    | `vpce-00620d5f59239fa03` |
| <p><strong><code>ap-southeast-1</code></strong><br>Asia Pacific (Singapore)</p> | `vpce-0b470f0df2b0e03f3` |
|   <p><strong><code>ap-southeast-2</code></strong><br>Asia Pacific (Sydney)</p>  | `vpce-0afc6a24f0959847c` |
|      <p><strong><code>ca-central-1</code></strong><br>Canada (Central)</p>      | `vpce-07dfc91c761a8f2f9` |
|     <p><strong><code>eu-central-1</code></strong><br>Europe (Frankfurt)</p>     | `vpce-04bc9a3cd6020a865` |
|        <p><strong><code>eu-west-1</code></strong><br>Europe (Ireland)</p>       | `vpce-079feae086b944dad` |
|        <p><strong><code>eu-west-2</code></strong><br>Europe (London)</p>        | `vpce-091d282f539081cf5` |
|       <p><strong><code>us-east-1</code></strong><br>US East (Virginia)</p>      | `vpce-0421446f7bf694e56` |
|         <p><strong><code>us-east-2</code></strong><br>US East (Ohio)</p>        | `vpce-071ef6403fa277210` |
|        <p><strong><code>us-west-2</code></strong><br>US West (Oregon)</p>       | `vpce-01f8edfbf6da1095d` |

Here is an example resource policy. The `aws:SourceVpce` list names the customer's own VPC endpoint (`vpce-1a2b3c4d5e6f7g8h9` is a placeholder) and the Immuta VPC endpoint for `us-east-1`; the explicit `Deny` rejects any request that does not arrive through one of those endpoints. API gateway resource policies are plain JSON, so do not leave comments in the policy you paste into AWS.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": [
                        "vpce-1a2b3c4d5e6f7g8h9",
                        "vpce-0421446f7bf694e56"
                    ]
                }
            }
        }
    ]
}
```

{% hint style="warning" %}
Once you have made changes to your resource policy, **you must** [**deploy your API**](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-create.html#apigateway-private-api-deploy-using-console) **for the updates to take effect**.
{% endhint %}

2. **You should now be able to connect to your private API from your Immuta SaaS tenant using your API endpoint**, i.e. `<api-gateway-id>.execute-api.<region>.amazonaws.com/<stage>/<endpoint>`.

## Troubleshooting

### Issue: I received a permissions error when trying to invoke my private API from Immuta

If you get an error similar to the following:

```
{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:****************/foo/GET/bar with an explicit deny"}
```

Check to make sure that the following is true:

* You have authorized the correct VPC endpoint for the region you are targeting in your resource policy.
* Your resource policy allows for `execute-api:Invoke` privileges on the endpoint you are making requests to from Immuta.
* You have deployed your API after making changes to your resource policy.
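As an added example (not part of the Immuta documentation or of any AWS tooling), the following Python script checks a resource policy offline against the first two items of this checklist: it parses the policy, looks up the Immuta VPC endpoint ID for the target region from the table above, and reports a `Deny` statement whose `aws:SourceVpce` list omits that ID, a missing `Allow` for `execute-api:Invoke`, or a policy that is not valid JSON. The sample policy embedded in it is constructed; the third item (deploying the API) cannot be verified offline.

```python
import json

# Immuta VPC endpoint IDs per AWS region, copied from the table on this page.
IMMUTA_VPCE_BY_REGION = {
    "ap-northeast-1": "vpce-09b3a20743b64ecc9", "ap-south-1": "vpce-00620d5f59239fa03",
    "ap-southeast-1": "vpce-0b470f0df2b0e03f3", "ap-southeast-2": "vpce-0afc6a24f0959847c",
    "ca-central-1": "vpce-07dfc91c761a8f2f9", "eu-central-1": "vpce-04bc9a3cd6020a865",
    "eu-west-1": "vpce-079feae086b944dad", "eu-west-2": "vpce-091d282f539081cf5",
    "us-east-1": "vpce-0421446f7bf694e56", "us-east-2": "vpce-071ef6403fa277210",
    "us-west-2": "vpce-01f8edfbf6da1095d",
}
INVOKE = "execute-api:Invoke"
def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts a bare string for lists

def check_resource_policy(policy_json, region):
    """Return findings explaining why Immuta's endpoint in `region` would be denied; [] means OK."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        # The usual cause is a '#' or '//' comment left in the pasted policy.
        return [f"policy is not valid JSON: {exc.msg} at line {exc.lineno}"]
    expected = IMMUTA_VPCE_BY_REGION.get(region)
    if expected is None:
        return [f"no Immuta VPC endpoint is listed for region {region}"]
    findings, allows_invoke = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if INVOKE not in _as_list(stmt.get("Action", [])):
            continue
        if stmt.get("Effect") == "Allow":
            allows_invoke = True
            continue
        # An explicit Deny wins over Allow, so Immuta's endpoint must be exempted from it.
        cond = stmt.get("Condition")
        if not cond:
            findings.append(f"unconditional Deny on {INVOKE} blocks every caller")
            continue
        permitted = _as_list(cond.get("StringNotEquals", {}).get("aws:SourceVpce", []))
        if permitted and expected not in permitted:
            findings.append(f"{expected} ({region}) is missing from aws:SourceVpce "
                            f"{permitted}; the Deny matches requests from Immuta")
    if not allows_invoke:
        findings.append(f"no Allow statement grants {INVOKE}")
    return findings

# Constructed example: the page's policy, but with only the customer's own endpoint exempted.
EXAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": "execute-api:/*"},
    {"Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": "execute-api:/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": ["vpce-1a2b3c4d5e6f7g8h9"]}}}]})
```

Running `check_resource_policy(EXAMPLE_POLICY, "us-east-1")` reports that `vpce-0421446f7bf694e56` is missing from the `Deny` exemption list, which is exactly the misconfiguration behind the "explicit deny" error above.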
