API Gateway supports access from both the Internet and virtual private clouds (VPCs). This topic describes how to enable VPC access for API Gateway and call APIs through a private network.
Overview
Each API group in API Gateway can be assigned a VPC second-level domain name that enables private access within VPCs. This domain name has the following characteristics:
VPC-only access: The VPC second-level domain name can only be resolved and accessed from within VPCs. It cannot be accessed from the public Internet.
Unlimited API calls: When you use the VPC second-level domain name, there is no daily limit on the number of API calls within the API group.
Protocol support: Both HTTP and HTTPS are supported.
Comparison of instance types
The configuration method and access scope differ depending on your instance type.
| Feature | Serverless instance | Dedicated instance |
|---|---|---|
| VPC access scope | All VPCs in the same region | Only the bound VPC in the same region |
| Security isolation | Shared access | Single-VPC authorization (enhanced security) |
| Custom domain support | No | Yes (via CNAME record) |
| Hybrid cloud support | Limited (resolves to 100.x.x.x shared address space) | Recommended |
Hybrid cloud scenarios: If you access API Gateway from a hybrid cloud environment connected through Cloud Enterprise Network (CEN) or an IPsec VPN, we recommend that you use a dedicated instance. You can bind your hybrid cloud VPC to an API group on the dedicated instance and access APIs through the VPC second-level domain name, which makes it straightforward to configure local routing. On serverless instances, the VPC second-level domain name resolves to an address in the 100.x.x.x range rather than to a private IP address, so it cannot be treated as a private address in your routing configuration. For more hybrid cloud configurations, see Centralized API management for hybrid clouds.
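The table and the hybrid cloud note above describe what the VPC second-level domain name resolves to on each instance type. The following POSIX shell script is an added example, not part of the API Gateway documentation or product: it resolves a VPC second-level domain name from inside a VPC, classifies the answer as 100.x.x.x shared address space (serverless) or an RFC 1918 private address (dedicated instance bound to your VPC), reports whether that is consistent with the instance type you expect, and then issues one HTTPS request through the private domain. The domain name and instance type are arguments you supply; the classification rules and the `getent`/`curl` calls are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the API Gateway documentation): check what a VPC
# second-level domain name resolves to and whether that matches the instance type.
# Domain names passed in are placeholders; use your own group's VPC domain.

# Classify an IPv4 address by the address space described on the page:
# 100.x.x.x shared space (serverless) vs. RFC 1918 private ranges (dedicated
# instance bound to your VPC). Prints one word: shared, private or other.
classify_ip() {
    case "$1" in
        100.*) echo shared ;;                       # serverless VPC domain space
        10.*|192.168.*) echo private ;;             # RFC 1918
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;  # 172.16/12
        *) echo other ;;                            # public or unexpected
    esac
}

# Address space that is consistent with an instance type (serverless|dedicated).
expected_space() {
    case "$1" in
        serverless) echo shared ;;
        dedicated)  echo private ;;
        *)          echo unknown ;;
    esac
}

# Return 0 when a resolved address matches the space expected for the type.
check_address() {
    # $1 = resolved IPv4 address, $2 = instance type
    [ "$(classify_ip "$1")" = "$(expected_space "$2")" ]
}

# Resolve a name with getent. Inside a VPC in the same region this returns an
# address; from the public Internet the VPC domain should yield nothing.
resolve_first() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Resolve, classify, compare with the expected instance type, then make one
# HTTPS call through the private domain (HTTP and HTTPS are both supported).
preflight() {
    domain=$1; itype=$2
    addr=$(resolve_first "$domain")
    if [ -z "$addr" ]; then
        echo "no answer for $domain: run this from inside a VPC in the same region" >&2
        return 1
    fi
    if check_address "$addr" "$itype"; then
        echo "$domain -> $addr ($(classify_ip "$addr")): consistent with a $itype instance"
    else
        echo "$domain -> $addr ($(classify_ip "$addr")): unexpected for a $itype instance" >&2
        return 1
    fi
    curl -sS -o /dev/null -w 'HTTP %{http_code}\n' "https://$domain/"
}

# Usage: sh preflight.sh <vpc-second-level-domain> serverless|dedicated
if [ "${1:-}" ]; then
    preflight "$1" "${2:-serverless}"
fi
```

Run it once from a VPC in the same region and once from outside: the first run should print a consistent classification and an HTTP status, the second should fail at the resolution step, which is the VPC-only property the page describes.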
Enable VPC access for a serverless instance
After you enable VPC access for a serverless instance, the API group can be reached from any VPC in the same region; access is shared rather than restricted to a single VPC.
Procedure
Log on to the API Gateway console.
In the left-side navigation pane, choose Manage APIs > API Groups.
On the API Groups page, click the name of the target API group.
On the Group Details page, click Enable VPC Second-level Domain.
In the confirmation message, click Confirm.
API Gateway automatically assigns a VPC second-level domain name to the API group. You can use this domain name to call APIs in the group from within VPCs in the same region.
Enable VPC access for a dedicated instance
When you enable VPC access for a dedicated instance, you authorize only one VPC in the same region to access the instance. Other VPCs in the same region cannot access APIs on the instance, which provides enhanced network isolation.
Prerequisites
A dedicated instance is created.
The VPC and vSwitch that you want to bind are available in the same region as the dedicated instance.
Step 1: Bind the dedicated instance to a VPC
Log on to the API Gateway console.
In the left-side navigation pane, choose Instances and Clusters > Dedicated Instances.
On the Dedicated Instances page, find the target instance and click Bind to VPC.
In the Apply for VPC Endpoint to Access Dedicated Instance dialog box, configure the following parameters:
Vpc Id: Select the VPC to bind.
vSwitch: Select a vSwitch within the VPC. You can select only one vSwitch per VPC.
Click Confirm.
Step 2: Enable the VPC second-level domain name
In the left-side navigation pane, choose Manage APIs > API Groups.
On the API Groups page, click the name of the target API group.
On the Group Details page, click Enable VPC Second-level Domain.
In the confirmation message, click Confirm.
API Gateway automatically assigns a VPC second-level domain name to the API group. You can optionally add a CNAME record to map your custom domain name to the VPC second-level domain name, allowing you to use your own domain name for VPC access.
You must bind the dedicated instance to a VPC before you can enable the VPC second-level domain name for any API group on the instance.
If you change the VPC bound to a dedicated instance, the VPC second-level domain names for all API groups on the instance become accessible only from the new VPC. The original VPC loses access.
If you migrate an API group from a serverless instance (with VPC second-level domain name enabled) to a dedicated instance, ensure that a VPC is already bound to the dedicated instance. After the migration, the API group can only be accessed from the VPC bound to the dedicated instance.
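Step 2 above mentions mapping a custom domain name to the VPC second-level domain name with a CNAME record. The following POSIX shell script is an added example, not part of the API Gateway documentation: it reads `dig +short` output for a custom domain, extracts the final CNAME target, normalises case and the trailing dot, and reports whether the target is the VPC second-level domain name you expect. The sample `dig` output and all domain names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the API Gateway documentation): confirm that a custom
# domain's CNAME record points at the API group's VPC second-level domain name.

# Normalise a DNS name for comparison: lower-case and strip one trailing dot.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# From "dig +short"-style output (CNAME targets first, A records last), print
# the last line that contains letters, i.e. the final CNAME target. IPv4
# answers contain no letters and are skipped.
final_cname() {
    printf '%s\n' "$1" | awk '$0 ~ /[A-Za-z]/ {last=$0} END {if (last) print last}'
}

# Return 0 when two DNS names are equal after normalisation.
cname_matches() {
    [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# Constructed sample output (placeholders), as "dig +short api.example.test"
# might print when the custom domain is a CNAME to the VPC domain.
SAMPLE_DIG_OUTPUT='Api.Example.Test.
group-vpc.placeholder-apigateway.example.
100.100.10.20'

# Resolve a live custom domain and compare its CNAME target with the expected
# VPC second-level domain name. $1 = custom domain, $2 = expected VPC domain.
verify_custom_domain() {
    custom=$1; vpc_domain=$2
    out=$(dig +short "$custom")
    target=$(final_cname "$out")
    if [ -z "$target" ]; then
        echo "no CNAME found for $custom" >&2
        return 1
    fi
    if cname_matches "$target" "$vpc_domain"; then
        echo "$custom -> $target: CNAME points at the VPC second-level domain"
    else
        echo "$custom -> $target: does not match $vpc_domain" >&2
        return 1
    fi
}

# Usage: sh verify_cname.sh <custom-domain> <vpc-second-level-domain>
if [ "${1:-}" ] && [ "${2:-}" ]; then
    verify_custom_domain "$1" "$2"
fi
```

Because the VPC second-level domain name only resolves inside a VPC, run this from a host in the bound VPC; a public resolver will return the CNAME chain but no final address, and a mismatch in the target means traffic for your custom name is not going to the API group you intended.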