AWS PrivateLink for API Gateway
AWS PrivateLink provides private connectivity from the Immuta SaaS platform to API gateway endpoints hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.
This feature is supported in all regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements
You have an Immuta SaaS tenant.
You have an Amazon API Gateway private API.
Your private API must exist in one of the regions in our global segments.
Configuring API gateway with AWS PrivateLink
Update your API gateway resource policy to allow for access from the Immuta VPC endpoint in the applicable AWS region. The Immuta VPC endpoint IDs are listed in the table below.
Region          Location                  Immuta VPC endpoint ID
ap-northeast-1  Asia Pacific (Tokyo)      vpce-09b3a20743b64ecc9
ap-south-1      Asia Pacific (Mumbai)     vpce-00620d5f59239fa03
ap-southeast-1  Asia Pacific (Singapore)  vpce-0b470f0df2b0e03f3
ap-southeast-2  Asia Pacific (Sydney)     vpce-0afc6a24f0959847c
ca-central-1    Canada (Central)          vpce-07dfc91c761a8f2f9
eu-central-1    Europe (Frankfurt)        vpce-04bc9a3cd6020a865
eu-west-1       Europe (Ireland)          vpce-079feae086b944dad
eu-west-2       Europe (London)           vpce-091d282f539081cf5
us-east-1       US East (Virginia)        vpce-0421446f7bf694e56
us-east-2       US East (Ohio)            vpce-071ef6403fa277210
us-west-2       US West (Oregon)          vpce-01f8edfbf6da1095d
Here is an example resource policy for an API in us-east-1. The Allow statement grants execute-api:Invoke on every method, and the Deny statement then blocks any request that did not arrive through one of the listed VPC endpoints. The first aws:SourceVpce entry (vpce-1a2b3c4d5e6f7g8h9) is a placeholder for your own internal VPC endpoint; the second is the Immuta VPC endpoint for us-east-1 from the table above.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": [
            "vpce-1a2b3c4d5e6f7g8h9",
            "vpce-0421446f7bf694e56"
          ]
        }
      }
    }
  ]
}
Once you have made changes to your resource policy, you must deploy your API for the updates to take effect.
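As an added example (not Immuta's or AWS's own code), the following Python script builds the resource policy shown above for a chosen region from the endpoint table and checks an existing policy against the troubleshooting checklist on this page. The function names are assumptions, and vpce-1a2b3c4d5e6f7g8h9 is the page's placeholder for your own endpoint.

```python
# Immuta VPC endpoint IDs per region, copied from the table on this page.
IMMUTA_VPCE = {
    "ap-northeast-1": "vpce-09b3a20743b64ecc9",
    "ap-south-1": "vpce-00620d5f59239fa03",
    "ap-southeast-1": "vpce-0b470f0df2b0e03f3",
    "ap-southeast-2": "vpce-0afc6a24f0959847c",
    "ca-central-1": "vpce-07dfc91c761a8f2f9",
    "eu-central-1": "vpce-04bc9a3cd6020a865",
    "eu-west-1": "vpce-079feae086b944dad",
    "eu-west-2": "vpce-091d282f539081cf5",
    "us-east-1": "vpce-0421446f7bf694e56",
    "us-east-2": "vpce-071ef6403fa277210",
    "us-west-2": "vpce-01f8edfbf6da1095d",
}

def build_policy(region, own_vpces):
    """Allow execute-api:Invoke, then deny it unless the request arrives
    through one of your own endpoints or the Immuta endpoint for region."""
    allowed = list(own_vpces) + [IMMUTA_VPCE[region]]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"]},
        {"Effect": "Deny", "Principal": "*",
         "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": allowed}}},
    ]}

def _as_list(v):
    # IAM policy fields may be a single value or a list; normalise to a list.
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def check_policy(policy, region):
    """Apply the troubleshooting checklist from this page; returns a list of
    findings, empty when the Immuta endpoint for region is admitted."""
    findings, want = [], IMMUTA_VPCE[region]
    stmts = _as_list(policy.get("Statement"))
    invoke = [s for s in stmts if "execute-api:Invoke" in _as_list(s.get("Action"))]
    if not any(s.get("Effect") == "Allow" for s in invoke):
        findings.append("no Allow statement grants execute-api:Invoke")
    for s in invoke:
        if s.get("Effect") != "Deny":
            continue
        cond = s.get("Condition", {}).get("StringNotEquals", {})
        if want not in _as_list(cond.get("aws:SourceVpce")):
            findings.append(f"Deny statement omits Immuta endpoint {want} ({region})")
    return findings

if __name__ == "__main__":
    # vpce-1a2b3c4d5e6f7g8h9 is the page's placeholder for your own endpoint.
    policy = build_policy("us-east-1", ["vpce-1a2b3c4d5e6f7g8h9"])
    print(check_policy(policy, "us-east-1"))  # []
    print(check_policy(policy, "eu-west-1"))  # reports the wrong-region endpoint
```

Run check_policy against the policy you actually have deployed (for example, the output of describing your REST API) before raising a support ticket for the permissions error described under Troubleshooting.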
You should now be able to connect to your private API from your Immuta SaaS tenant using your API endpoint, i.e. <api-gateway-id>.execute-api.<region>.amazonaws.com/<stage>/<endpoint>.
Troubleshooting
Issue: I received a permissions error when trying to invoke my private API from Immuta
If you get an error similar to the following:
{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:****************/foo/GET/bar with an explicit deny"}
Check to make sure that the following is true:
You have authorized the correct VPC endpoint for the region you are targeting in your resource policy.
Your resource policy grants execute-api:Invoke on the endpoint you are making requests to from Immuta.
You have deployed your API after making changes to your resource policy.