API Gateway: Access API Gateway over a VPC

Last Updated: Dec 12, 2025

API Gateway can be accessed from the Internet or virtual private clouds (VPCs). This topic describes how to access API Gateway using a VPC.

Overview

To access API Gateway using a VPC, you must obtain the second-level domain name for VPC of the API group that you want to access. A second-level domain name for VPC has the following characteristics:

  • It can be used only within a VPC, supports direct access, and is not subject to the 1,000-call daily limit.

  • Direct access is available through HTTP and HTTPS.

The method to enable the VPC-internal domain name and its effective scope vary based on the instance type. For more information, see the sections about Serverless instances and dedicated instances.

Note
  • If you want to access API Gateway from a VPC in a hybrid cloud environment, such as an environment built with Cloud Enterprise Network (CEN) or a VPN that uses IPsec, you must use a dedicated API Gateway instance. The IP address that corresponds to the VPC-internal second-level domain name for API groups on the dedicated instance is the private IP address of the inbound VPC that you bind. This simplifies your local routing configuration. The VPC-internal second-level domain name for API groups on a Serverless instance is a unified IP address in the 100.x.x.x range, and you cannot assign a private IP address to it.

  • For more configurations in hybrid cloud scenarios, see Centralized API management on a hybrid cloud.

Configuration for Serverless instances

Internal VPC access to a Serverless API Gateway instance is available to all of your VPCs in the same region.

Procedure:

  1. Log on to the API Gateway console. In the navigation pane on the left, choose API Management > Group Management.

  2. On the Group List page, click the target group for the Serverless instance. On the Group Details page, click Enable VPC Second-level Domain, and then click OK.

    Note

    API Gateway automatically assigns a second-level domain name for VPC to this API group. This domain name can be used to call APIs in the API group.

Dedicated instance setup

When you enable VPC access for a dedicated instance, you can authorize only one VPC in the same region to access the dedicated instance. Other VPCs in the same region cannot access APIs on this instance. This enhances security.

Procedure:

  1. Log on to the API Gateway console. In the navigation pane on the left, choose Instances and Clusters > Dedicated Instances.

  2. On the Dedicated Instances page, find the dedicated instance that you want to manage and click Bind to VPC.

  3. In the Enable VPC Endpoint for Dedicated Instance dialog box, configure the VPC ID and vSwitch, and then click OK. You can select only one vSwitch per VPC.

  4. In the navigation pane on the left, choose API Management > Group Management. Click the target group for the dedicated instance to open the Group Details page. Click Enable VPC Second-level Domain and then click OK. You can then access the APIs using the VPC-internal second-level domain name. Alternatively, you can create a CNAME record to map your own domain name to this second-level domain name. You can then use your domain name to access the APIs.

Important
  • If you do not bind the instance to a VPC, you cannot enable the VPC second-level domain name for the API group.

  • When the Attach To User VPC setting for a dedicated instance is changed, the VPC second-level domains of all groups in that instance are reconfigured for access by the new VPC, and the original VPC loses access to the API.

  • When you migrate a group from a Serverless instance to a dedicated instance, if a VPC-internal domain name is enabled for the group, you must enable the inbound VPC for the dedicated instance before you can complete the migration. After the migration, the APIs can be accessed only from the inbound VPC over the internal network.
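
The following post-setup check is an added example, not part of the original documentation. It classifies the addresses that a VPC second-level domain name (or your own CNAME) resolves to against the behaviour described in the Note under Overview: a private IP address in the bound vSwitch for a dedicated instance, or a 100.x.x.x address for a Serverless instance. The domain names, the vSwitch CIDR block, and the modelling of "100.x.x.x" as 100.0.0.0/8 are assumptions, and the DNS answers are constructed.

```python
import ipaddress
import socket

# Assumption: the note's "100.x.x.x" range is modelled as 100.0.0.0/8.
SERVERLESS_RANGE = ipaddress.ip_network("100.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_address(addr, vswitch_cidr=None):
    """Map one resolved address to the instance behaviour the note describes."""
    ip = ipaddress.ip_address(addr)
    if vswitch_cidr and ip in ipaddress.ip_network(vswitch_cidr):
        return "dedicated-inbound-vpc"   # private IP inside the bound vSwitch
    if ip in SERVERLESS_RANGE:
        return "serverless-unified"      # unified 100.x.x.x address
    if any(ip in net for net in RFC1918):
        return "private-other"           # private, but not the expected vSwitch
    return "public"                      # name does not stay inside the VPC


def resolve(domain):
    """Resolve with the system resolver; run this from a host inside the VPC."""
    infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_domain(domain, expected, vswitch_cidr=None, resolver=resolve):
    """Return (ok, details); ok only if every answer has the expected class."""
    details = [(a, classify_address(a, vswitch_cidr)) for a in resolver(domain)]
    return bool(details) and all(k == expected for _, k in details), details


# Constructed DNS answers standing in for real lookups (hypothetical names).
SAMPLE_ANSWERS = {
    "dedicated-group.example": ["192.168.10.25"],
    "serverless-group.example": ["100.100.1.5"],
    "api.corp.example": ["192.168.10.25", "203.0.113.7"],  # CNAME gone wrong
}

if __name__ == "__main__":
    for name, kind in [("dedicated-group.example", "dedicated-inbound-vpc"),
                       ("serverless-group.example", "serverless-unified"),
                       ("api.corp.example", "dedicated-inbound-vpc")]:
        print(name, check_domain(name, kind, "192.168.10.0/24",
                                 resolver=SAMPLE_ANSWERS.__getitem__))
```

A "private-other" result for a dedicated instance means the name resolves to a private address outside the vSwitch you expected, which is worth checking against the current VPC binding of the instance.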