Can I create a private endpoint in API Gateway while using HTTP API V2?

[diogo-landos]

Currently I have a logging validation with tokens and wanted to introduce JWT Authorizers in API Gateway. However, this seems to require HTTP API V2. I was consider to migrate from REST V1 to it, but it seems V2 does not directly support a private endpoint and would require some workaround. Is this true? If so, is there any plan to have this?

[Sagargupta16]

HTTP API (V2) does support private integrations via VPC Links, but it works differently from REST API private endpoints.

REST API (V1): You can create a truly private API using a VPC endpoint (PRIVATE endpoint type). The API itself is only accessible from within your VPC.

HTTP API (V2): There is no PRIVATE endpoint type. Instead, HTTP API uses VPC Links V2 to reach private resources (ALB, NLB, or Cloud Map services) inside your VPC. The API itself remains publicly accessible, but the backend integration is private.

So if your goal is:

• Private backend (API is public, but routes to private ALB/NLB): HTTP API V2 supports this via VPC Links.
• Private API (API itself only accessible from within VPC): This is only supported by REST API (V1). HTTP API V2 does not support VPC endpoint policies or the PRIVATE endpoint type.

In CDK, a VPC Link for HTTP API V2 looks like:

import { HttpApi, VpcLink } from "aws-cdk-lib/aws-apigatewayv2";
import { HttpAlbIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";

const vpcLink = new VpcLink(this, "VpcLink", {
  vpc,
  subnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
});

const httpApi = new HttpApi(this, "HttpApi");

httpApi.addRoutes({
  path: "/api",
  integration: new HttpAlbIntegration("AlbIntegration", listener, {
    vpcLink,
  }),
});

For JWT authorizers (your original use case), HTTP API V2 is the right choice since REST API doesn't natively support JWT authorizers. You can combine the JWT authorizer with the VPC Link integration above.

References:

• HTTP API private integrations
• VPC Links V2