
Protect public APIs using API Gateway, VPC Links and AWS Cloud Map
Provision cost optimized infrastructure for handling APIs
Eldyn Castillo
Amazon Employee
Published May 9, 2025
Last Modified May 14, 2025
When building an MVP of a public-facing API on AWS, you have to balance robust security against cost. Over-engineering leads to unnecessary spend, while under-investing in security exposes your services to risk. This post shows how to combine Amazon API Gateway, API Gateway VPC Links and AWS Cloud Map into a secure yet cost-effective API architecture that suits an MVP. The Cloud Map integration described here is a feature of API Gateway HTTP APIs; REST API private integrations require a Network Load Balancer.

The solution consists of several key AWS services working together:
- API Gateway is the single entry point for all API requests and acts as the gatekeeper for security, monitoring and request/response handling. If you already have an API running on EC2, containers or Lambda, API Gateway sits in front of it and adds rate limiting, authentication and request validation without significant changes to the backend.
- AWS Cloud Map provides service discovery. Backend instances register themselves (IP address and port) in a Cloud Map service, and an HTTP API private integration can target that service directly, routing each request to a registered instance. Because registrations change as instances come and go, you do not maintain endpoint lists by hand, and the backend can scale without reconfiguring the API.
- VPC Links give API Gateway a private path into your VPC. The link places elastic network interfaces in subnets you choose, and API Gateway reaches your backends through them rather than over the public internet. Targets can live in public or private subnets, but put them in private subnets so that the only way in is through the link.
- Security Groups enforce network access control at the instance level. Attach one security group to the VPC Link's network interfaces and another to the backend instances, and allow ingress on the application port only from the VPC Link's security group. Nothing else in the VPC, and nothing on the internet, can then reach the backend directly; every request has to pass API Gateway's authentication, throttling and validation first.
This arrangement brings three benefits:
- Cost savings: with Cloud Map service discovery, a VPC Link can route straight to EC2 instances, so the MVP does not need a load balancer. The trade-off is that health checking and instance registration become your responsibility rather than the load balancer's.
- Resource utilization: Cloud Map replaces hard-coded instance IPs, Elastic IPs and home-grown endpoint registries.
- Infrastructure consolidation: API Gateway is the one place where authentication, throttling, validation and monitoring for the API are configured.
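As an added example that is not part of the original post, the CloudFormation template below wires the pieces above together: two security groups, a Cloud Map private DNS namespace and service with one registered instance, and an HTTP API whose private integration targets the Cloud Map service through a VPC Link. The VPC and subnet IDs, the backend's private IP and port (8080), and the namespace and resource names are assumptions; the EC2 instance itself is assumed to exist already, in a private subnet, with BackendSecurityGroup attached to it.

```yaml
# Added example, not code from the original post. Assumed: an existing VPC with
# private subnets and one EC2 instance already running there on TCP 8080.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # VPC Link ENIs are created here
  BackendPrivateIp:
    Type: String                       # assumed: private IP of the backend instance
  BackendPort:
    Type: Number
    Default: 8080                      # assumed application port
Resources:
  VpcLinkSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ENIs of the API Gateway VPC Link
      VpcId: !Ref VpcId
  BackendSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Backend EC2 instances (attach to the instance)
      VpcId: !Ref VpcId
  # The security-relevant rule: the backend port accepts traffic only from the
  # VPC Link's security group. Declared separately to avoid a circular reference.
  BackendIngressFromVpcLink:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref BackendSecurityGroup
      IpProtocol: tcp
      FromPort: !Ref BackendPort
      ToPort: !Ref BackendPort
      SourceSecurityGroupId: !Ref VpcLinkSecurityGroup
  # Cloud Map registry that API Gateway resolves at request time.
  Namespace:
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
    Properties:
      Name: backend.internal           # assumed namespace name
      Vpc: !Ref VpcId
  BackendService:
    Type: AWS::ServiceDiscovery::Service
    Properties:
      Name: api
      NamespaceId: !Ref Namespace
      DnsConfig:
        RoutingPolicy: MULTIVALUE
        DnsRecords:
          - Type: A
            TTL: 10
      HealthCheckCustomConfig:         # health is reported by you, not a load balancer
        FailureThreshold: 1
  BackendRegistration:
    Type: AWS::ServiceDiscovery::Instance
    Properties:
      ServiceId: !Ref BackendService
      InstanceId: backend-1            # assumed
      InstanceAttributes:
        AWS_INSTANCE_IPV4: !Ref BackendPrivateIp
        AWS_INSTANCE_PORT: !Ref BackendPort
  # HTTP API -> VPC Link -> Cloud Map service (no load balancer in the path).
  HttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: public-mvp-api
      ProtocolType: HTTP
  VpcLink:
    Type: AWS::ApiGatewayV2::VpcLink
    Properties:
      Name: mvp-vpc-link
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref VpcLinkSecurityGroup
  BackendIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref HttpApi
      IntegrationType: HTTP_PROXY
      IntegrationMethod: ANY
      ConnectionType: VPC_LINK
      ConnectionId: !Ref VpcLink
      IntegrationUri: !GetAtt BackendService.Arn   # Cloud Map service ARN, not a URL
      PayloadFormatVersion: "1.0"
  ProxyRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref HttpApi
      RouteKey: "ANY /{proxy+}"
      AuthorizationType: NONE          # attach a JWT or Lambda authorizer before going live
      Target: !Sub integrations/${BackendIntegration}
  DefaultStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      ApiId: !Ref HttpApi
      StageName: $default
      AutoDeploy: true
      DefaultRouteSettings:            # rate limiting at the edge
        ThrottlingRateLimit: 50
        ThrottlingBurstLimit: 100
```

The check worth making after deployment is that BackendSecurityGroup has exactly one ingress rule and that its source is the VPC Link's security group rather than a CIDR; any extra rule (an SSH rule open to 0.0.0.0/0, say) reopens a path around API Gateway. Three caveats: the route is unauthenticated as written and should get a JWT or Lambda authorizer before anything sensitive sits behind it; API Gateway speaks plain HTTP to the instance inside the VPC here, so if the backend serves TLS set TlsConfig with ServerNameToVerify on the integration; and without a load balancer there is no health check in the path, so an instance that dies while still registered keeps receiving requests until its registration is removed or its custom health status is set to UNHEALTHY.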
Here are a couple of resources to help you build out this solution:
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.