AWS PrivateLink for API Gateway

Set up private connectivity between Immuta SaaS and AWS API Gateway endpoints

Private preview: This feature is available to select accounts. Contact your Immuta representative for details.

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to API Gateway endpoints hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in all regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements

You have an Immuta SaaS tenant.
You have an Amazon API Gateway private API.
Your private API must exist in one of the regions in our global segments.

Configuring API Gateway with AWS PrivateLink

Update your API Gateway resource policy to allow for access from the Immuta VPC endpoint in the applicable AWS region. The Immuta VPC endpoint IDs are listed in the table below.

AWS region

VPC endpoint ID

ap-northeast-1 Asia Pacific (Tokyo)

vpce-09b3a20743b64ecc9

ap-south-1 Asia Pacific (Mumbai)

vpce-00620d5f59239fa03

ap-southeast-1 Asia Pacific (Singapore)

vpce-0b470f0df2b0e03f3

ap-southeast-2 Asia Pacific (Sydney)

vpce-0afc6a24f0959847c

ca-central-1 Canada (Central)

vpce-07dfc91c761a8f2f9

eu-central-1 Europe (Frankfurt)

vpce-04bc9a3cd6020a865

eu-west-1 Europe (Ireland)

vpce-079feae086b944dad

eu-west-2 Europe (London)

vpce-091d282f539081cf5

us-east-1 US East (Virginia)

vpce-0421446f7bf694e56

us-east-2 US East (Ohio)

vpce-071ef6403fa277210

us-west-2 US West (Oregon)

vpce-01f8edfbf6da1095d

Here is an example resource policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition" : {
                "StringNotEquals": {
                    "aws:SourceVpce": [
                        "vpce-1a2b3c4d5e6f7g8h9", # customer internal VPC Endpoint
                        "vpce-0421446f7bf694e56"  # Immuta VPC Endpoint added to list
                    ]
                }
            }
        }
    ]

Once you have made changes to your resource policy, you must deploy your API for the updates to take effect.

You should now be able to connect to your private API from your Immuta SaaS tenant using your API endpoint, i.e. <api-gateway-id>.execute-api.<region>.amazonaws.com/<stage>/<endpoint>.

Troubleshooting

Issue: I received a permissions error when trying to invoke my private API from Immuta

If you get an error similar to the following:

{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:****************/foo/GET/bar with an explicit deny"}

Check to make sure that the following is true:

You have authorized the correct VPC endpoint for the region you are targeting in your resource policy.
Your resource policy allows for execute-api:Invoke privileges on the endpoint you are making requests to from Immuta.
You have deployed your API after making changes to your resource policy.

PreviousData Connection Private Networking NextAWS PrivateLink for Redshift

Last updated 1 month ago

Was this helpful?