This was initially impossible, and then was resolved with support for client certificates, which API Gateway can use to authenticate itself to your services. That was a good solution and is still available, but it still requires your services to be open, at least in a sense, on the Internet.
In November 2017, AWS released a new feature that lets you actually create a network path between API Gateway and your internal services.
You can now provide access to HTTP(S) resources within your Amazon Virtual Private Cloud (VPC) without exposing them directly to the public Internet. You can use API Gateway to create an API endpoint that is integrated with your VPC. You create an endpoint to your VPC by setting up a VPC Link between your VPC and a Network Load Balancer (NLB), which is provided by Elastic Load Balancing.
https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/
The following is the historical context.
At the moment there is no simple and reliable way to do this, because the services you make available to API Gateway must be reachable through / exposed to the public Internet, and there is no built-in trust mechanism by which you can be sure that a given request actually originated from any API Gateway deployment, much less from your API Gateway deployment.
Amazon appears to have solved the problem of authenticating requests to your internal services as genuinely coming not just from API Gateway, but from your instance of API Gateway. As before, the endpoints still have to be exposed to the Internet, because the source IP address is not predictable, but API Gateway now supports SSL client certificates, which the back side of API Gateway uses to authenticate itself to the front side of your server-side service that API Gateway calls.
Q: Can Amazon API Gateway work within an Amazon VPC?
No. Amazon API Gateway endpoints are always publicly accessible on the Internet. Proxy requests to backend operations must also be publicly accessible on the Internet. However, you can generate a client-side SSL certificate in Amazon API Gateway to verify that requests to your backend systems were sent by API Gateway, using the public key of the certificate.
Q: Can I verify that it is API Gateway calling my backend?
Yes. Amazon API Gateway can generate a client-side SSL certificate and provide you with the public key of that certificate. Calls to your backend can be made with the generated certificate, and you can verify that calls came from Amazon API Gateway using the public key of the certificate.
- https://aws.amazon.com/api-gateway/faqs/#security
When you create a client certificate in the API Gateway console, you are given the public key for that certificate. For security reasons, the private key is kept inside API Gateway and is not available to you. API Gateway will present the public key to your back-end when negotiating SSL. Any peer that does not present that same public key is not API Gateway, and your back-end should abort the SSL negotiation.
Even if an attacker were to obtain the public key, they still would not be able to communicate with your internal server over SSL, because they lack the corresponding private key, which is known only to API Gateway. (Your side of the interaction will be encrypted using your own SSL certificate and its associated private key, which, of course, is known only to you.)
This feature eliminates what previously seemed to be a significant limitation on the usefulness of API Gateway ... so significant a limitation, in fact, that when I found the revised information above, I began to doubt myself: had it been there all along, and somehow I managed to miss it? The Wayback Machine says no, it is new. This information was added in September 2015.
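As an added example that is not part of the answer above or of any AWS material: an nginx configuration for a back-end that completes a TLS handshake only with a peer presenting the API Gateway client certificate, which is the check the answer describes. It assumes nginx fronts the back-end; the file paths, hostname, upstream address and fingerprint value are placeholders.

```nginx
# Added example, not from the answer or from AWS. Both fragments live inside
# the http {} block. The PEM is the public client certificate downloaded from
# the API Gateway console after "Generate Client Certificate".

# Optional exact pin: the SHA-1 fingerprint of that PEM, as nginx reports it
# (lowercase hex, no colons). Placeholder value; compute it from your own PEM.
map $ssl_client_fingerprint $apigw_cert_pinned {
    default 0;
    "<sha1-fingerprint-of-apigw-client-cert>" 1;
}

server {
    listen 443 ssl;
    server_name backend.example.com;              # placeholder hostname

    # Your side of the exchange: your own server certificate and private key.
    ssl_certificate     /etc/nginx/tls/backend.crt;
    ssl_certificate_key /etc/nginx/tls/backend.key;

    # Trust anchor for client verification: the API Gateway client certificate
    # itself. It is self-signed, so it acts as its own CA; a peer that cannot
    # prove possession of the matching private key fails verification.
    ssl_client_certificate /etc/nginx/tls/apigw-client-cert.pem;
    ssl_verify_client      on;

    location / {
        # ssl_verify_client on already rejects unverified peers; the explicit
        # checks keep the policy visible and add the exact-certificate pin.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        if ($apigw_cert_pinned = 0) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;         # placeholder upstream
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Requests that arrive without a client certificate, or with one that does not verify against the pinned PEM, never reach the upstream, which is the "not API Gateway, abort the negotiation" behaviour the answer calls for.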