If your backend service uses an internal URL resolved by PrivateZone, API Gateway cannot reach the URL unless the instance resides in the same VPC. Internal domain name resolution solves this by letting you create DNS records directly in API Gateway, so requests from a dedicated instance resolve to the IP addresses you define.
Applies to: Dedicated instances only (VPC integration instances and conventional dedicated instances).
How it works
PrivateZone DNS resolution takes effect only within specified VPCs. An API Gateway instance outside those VPCs cannot resolve the internal URL.
With internal domain name resolution, you create DNS records in API Gateway and associate them with an instance. After association, all requests from that instance to the configured domain name resolve to the IP addresses you defined -- even if the domain name has a public DNS resolution.
VPC integration instances also support weighted traffic distribution across multiple IP addresses.
Prerequisites
Before you begin, ensure that you have:
An API Gateway dedicated instance (VPC integration or conventional dedicated)
The internal domain name of the backend service
For VPC integration instances: the IP addresses and desired weight distribution
For conventional dedicated instances: a VPC access authorization with a matching Host value
Create a DNS record
Log on to the API Gateway console. In the left-side navigation pane, choose Instances and Clusters > Dedicated Instances.
Click the Internal DNS Resolution tab.
In the upper-right corner, click Add DNS Record.
In the Add DNS Record dialog box, configure the following parameters:
Parameter Description Instance Type Select the instance type: VPC integration or conventional dedicated. Instance Select the dedicated instance to associate with this record. Internal Domain Name Enter the internal domain name of the backend service. Record Value VPC integration instances only. Enter the IP address and Weight for traffic distribution. ImportantWeight values range from 0 to 100. If two IP addresses have weights of 1 and 2, traffic is distributed at a 1:2 ratio. A weight of 0 means no traffic is forwarded to that IP address.
For VPC integration instances, only A records are supported. A records map domain names to IPv4 addresses. You can add up to 20 A records per domain name.
For conventional dedicated instances, the internal domain name must match the Host value in the corresponding VPC access authorization.
Click Confirm to save the record.
Changes take effect approximately 10 minutes after a record is created or modified.
VPC integration instances
Backend services of the HTTP or HTTPS type that use an internal URL require a configured DNS record. Otherwise, API Gateway cannot resolve the URL.
The record value must belong to an accessible CIDR block of the VPC where the backend service resides.
If a record contains only one IP address with a weight of 0, the record does not take effect because no traffic is forwarded.
Conventional dedicated instances
The internal domain name in the record must match the Host value of the VPC access authorization. The Host value is used as the Server Name Indication (SNI) value during the SSL/TLS handshake when the instance sends an HTTPS request to the backend service through the VPC access authorization.
If no internal DNS record is configured for a conventional dedicated instance that uses an HTTPS-based VPC access authorization, no SNI is transmitted during the SSL/TLS handshake.
Modify a DNS record
To update an existing record, click Edit in the Actions column, then modify the IP and Weight values.
Changes take effect approximately 10 minutes after a record is created or modified.
Associate a record with an instance
Associate a DNS record with a dedicated instance using either of these methods:
During record creation
Select the target instance from the Instance drop-down list when creating the record. The association takes effect automatically after the record is created.
From the instance list
Log on to the API Gateway console. In the left-side navigation pane, choose Instances and Clusters > Dedicated Instances.
Click the Instances tab.
Next to Associated Internal Domain Name Resolutions, click Associate.
In the dialog box, select a record from the Internal Domain Name drop-down list and click Confirm.
After association, all requests from that instance to the internal domain name resolve to the configured record -- even when the domain name has a public DNS resolution. Changes take effect approximately 10 minutes after a record is associated or modified.
Limits
| Item | Limit |
|---|---|
| Supported instances | Dedicated instances only (conventional dedicated and VPC integration) |
| Maximum records per region | 100 |
| Association scope | A record can be associated with multiple dedicated instances of the same type |
| Cluster support | Records cannot be associated with dedicated instance clusters |
VPC integration instances
| Item | Limit |
|---|---|
| Supported record type | A records only (domain names to IPv4 addresses) |
| Maximum A records per domain | 20 |
Conventional dedicated instances
| Item | Limit |
|---|---|
| Supported backend type | VPC access authorizations only |
| Additional records | Not supported. Traffic is forwarded to the mapped IP address of the VPC access authorization by default. |