Securing API endpoints using Amazon API Gateway and Amazon VPC Lattice
Introduction
In microservices architectures, teams often build and manage internal applications that they expose as private API endpoints, and then expose those endpoints publicly through a centralized API gateway where security protections are managed in one place. These API endpoints allow both internal and external users to leverage the functionality of those applications. The separation of concerns between private and public endpoints allows customers to ensure that both public and internal security mechanisms use approved tools and services.
For public API endpoints, you can use Amazon API Gateway for north-south traffic. With API Gateway, you can enable access control mechanisms like OAuth2 and perimeter protection with AWS Shield Advanced, Amazon CloudFront, or AWS Web Application Firewall (AWS WAF).
For internal API endpoints, you can build your microservice applications using different compute options like AWS Lambda, Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic …