SAA-C03 | Chapter 131 of 189 | Objective 3.7

API Gateway VPC Link

This chapter covers AWS API Gateway VPC Link, a feature that enables private integration between API Gateway and resources inside a VPC without traversing the public internet. For the SAA-C03 exam, VPC Link is a high-yield topic appearing in approximately 5-10% of questions, often as a distractor in hybrid networking scenarios. Understanding VPC Link's mechanism, its dependency on Network Load Balancers, and its differentiation from VPC Peering or Direct Connect is critical for solving integration architecture questions.

25 min read
Intermediate
Updated May 31, 2026

API Gateway VPC Link as a Private Bridge

Imagine a secure corporate campus (your VPC) with a private building (your internal ALB or EC2 service) that has no public entrance. Outside the campus is a public bus terminal (API Gateway) where external clients arrive. To allow clients to reach the private building without exposing it to the public street, you build a private bridge (VPC Link) that connects the terminal directly to the building's loading dock. The bridge is built using a special material (Network Load Balancer) that can handle high traffic and maintains a fixed number of lanes (Elastic Network Interfaces in the VPC). The bridge has a guard booth (VPC Link endpoint) that checks that only authorized terminal buses (API Gateway requests) cross. The building's internal security (security groups) allows traffic only from the bridge's guard booth IPs. The bus terminal never sends traffic through the public street; it always uses the bridge. If the bridge is damaged (NLB fails), the terminal cannot reach the building until a new bridge is built. This is exactly how VPC Link works: it creates a private, NLB-backed connection between API Gateway and your VPC resources, avoiding the public internet.

How It Actually Works

What is API Gateway VPC Link?

API Gateway VPC Link is a feature that allows Amazon API Gateway to privately connect to resources (like ALBs, EC2 instances, or Lambda functions) that are located inside a Virtual Private Cloud (VPC). Without VPC Link, API Gateway would need to route traffic through the public internet to reach those resources, which introduces latency, security risks, and dependency on public IPs. VPC Link eliminates these issues by creating a private, high-bandwidth connection between API Gateway and the VPC.

How It Works Internally

VPC Link leverages a Network Load Balancer (NLB) as the entry point into the VPC. Here is the step-by-step mechanism:

1. Create a VPC Link: You create a VPC Link in API Gateway, specifying the VPC and subnets. Behind the scenes, API Gateway provisions an NLB in your account (or uses an existing one you provide) and attaches Elastic Network Interfaces (ENIs) to the specified subnets. These ENIs have private IP addresses from the subnet CIDR.

2. API Gateway attaches to VPC Link: When you configure an API Gateway integration, you set the integration type to VPC Link and reference the VPC Link ID. API Gateway then routes requests to the NLB's DNS name.

3. NLB forwards traffic: The NLB forwards traffic to the target group you configure—typically an ALB or EC2 instance. The NLB operates at Layer 4 (TCP), so it does not inspect HTTP headers; it simply forwards packets.

4. Security Groups: The ENIs in the VPC have security groups that control inbound traffic. You must allow inbound traffic from the API Gateway's source IPs (which are the ENI IPs) on the required port (usually 80 or 443).

5. Response path: The response flows back through the NLB and VPC Link to API Gateway, which then returns it to the client.

Key Components and Defaults

- VPC Link Type: There are two types:
  - Private Link (powered by NLB): The default and recommended type. Uses an NLB in your VPC. Supports TCP traffic only.
  - V2 (powered by NLB): Modern type, same as above.
- Network Load Balancer: Must be in the same VPC as the target resources. The NLB must have a target group that points to your internal resources (e.g., ALB, EC2).
- Subnets: You specify at least one subnet per Availability Zone where the VPC Link will create ENIs. The subnets must have a route to the NLB's target.
- Security Groups: Assigned to the ENIs. Default: no inbound rules – you must add rules to allow traffic from API Gateway's CIDR (which is the NLB's private IPs).
- Timeout: Idle connection timeout for the NLB is 350 seconds by default. API Gateway has its own integration timeout (default 29 seconds, max 29 seconds).
- Maximum Transmission Unit (MTU): 1500 bytes. Jumbo frames not supported.
- Cross-zone load balancing: Enabled by default on NLB.

Configuration Steps

1. Create a Network Load Balancer (or let API Gateway create one for you).

2. Create a target group pointing to your internal resources (e.g., ALB). Ensure health checks pass.

3. Create a VPC Link in API Gateway console: Specify VPC, subnets, and security groups.

4. Create or modify an API Gateway API with integration type VPC_LINK and specify the VPC Link ID.

5. Deploy the API to a stage.

Example CLI command to create a VPC Link:

aws apigateway create-vpc-link --name MyVpcLink --target-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/1234567890abcdef
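The CLI call above only creates the VPC Link itself; step 4 still needs an integration definition that names the link and points at the NLB. The following is an added example, not code from the study guide or from AWS: it assembles the `x-amazon-apigateway-integration` object that API Gateway's OpenAPI import understands for a `VPC_LINK` private integration and checks the constraints this chapter states (the URI host is the NLB's DNS name; the integration timeout cannot exceed 29 seconds). The VPC Link ID pattern and the NLB hostname pattern used for validation are assumptions made here, not documented formats.

```python
"""Assemble and sanity-check a VPC_LINK private integration for a REST API.

Added example, not code from the study guide or from AWS. The id and
hostname patterns below are assumptions used only for validation.
"""
import json
import re

MAX_TIMEOUT_MS = 29_000  # API Gateway REST API integration ceiling (29 s)
VPC_LINK_ID_RE = re.compile(r"^[a-z0-9-]{6,}$")  # assumption: opaque id, not an ARN
# Assumption: NLB hostnames look like name-hash.elb.<region>.amazonaws.com,
# while ALB hostnames put the region before ".elb", so this tells them apart.
NLB_DNS_RE = re.compile(r"^[a-z0-9-]+\.elb\.[a-z0-9-]+\.amazonaws\.com$")


def validate_integration(vpc_link_id, nlb_dns, port, path, timeout_ms, scheme):
    """Return a list of problems; an empty list means the definition is usable."""
    problems = []
    if not VPC_LINK_ID_RE.match(vpc_link_id):
        problems.append("connectionId must be a VPC Link id, not an ARN or a name")
    if not NLB_DNS_RE.match(nlb_dns):
        problems.append("uri host must be the NLB's DNS name (ALB/public hosts rejected)")
    if scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not 1 <= port <= 65535:
        problems.append("port out of range")
    if not path.startswith("/"):
        problems.append("path must start with '/'")
    if not 0 < timeout_ms <= MAX_TIMEOUT_MS:
        problems.append(f"timeoutInMillis must be in (0, {MAX_TIMEOUT_MS}]")
    return problems


def build_vpc_link_integration(vpc_link_id, nlb_dns, port=443, path="/items",
                               http_method="GET", timeout_ms=MAX_TIMEOUT_MS,
                               scheme="https"):
    """Build the integration object, refusing definitions that break the rules."""
    problems = validate_integration(vpc_link_id, nlb_dns, port, path, timeout_ms, scheme)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "type": "http_proxy",            # pass the request through unchanged
        "httpMethod": http_method,
        "uri": f"{scheme}://{nlb_dns}:{port}{path}",
        "connectionType": "VPC_LINK",    # private integration, not the public internet
        "connectionId": vpc_link_id,
        "timeoutInMillis": timeout_ms,
        "passthroughBehavior": "when_no_match",
    }


def openapi_fragment(resource_path, method, integration):
    """Wrap one integration in the minimal OpenAPI shape API Gateway imports."""
    return {
        "openapi": "3.0.1",
        "paths": {resource_path: {method.lower(): {
            "x-amazon-apigateway-integration": integration,
            "responses": {"200": {"description": "proxied backend response"}},
        }}},
    }


if __name__ == "__main__":
    # Constructed sample values: a VPC Link id and an internal NLB hostname.
    integ = build_vpc_link_integration(
        "vpclink-abc123", "my-nlb-1234567890abcdef.elb.us-east-1.amazonaws.com")
    print(json.dumps(openapi_fragment("/items", "GET", integ), indent=2))
```

The rejection of ALB-style hostnames is the useful part: pointing the integration URI at an internal ALB is the mistake the chapter calls out, and it fails here before anything is deployed.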

Interaction with Related Technologies

VPC Peering: VPC Link does not require VPC Peering; it works within a single VPC. If your resources are in a peered VPC, you cannot use VPC Link directly—you need to use PrivateLink (AWS PrivateLink) or an NLB in the same VPC.

Direct Connect: VPC Link does not use Direct Connect; it stays within AWS network.

AWS PrivateLink: VPC Link is essentially a form of PrivateLink, but specifically for API Gateway. PrivateLink allows other services to connect to your VPC endpoints.

Lambda: If your backend is a Lambda function, you do not need VPC Link unless the Lambda needs to access VPC resources. Lambda can be integrated directly via HTTP or function ARN.

Performance Considerations

Latency: VPC Link adds minimal latency (single-digit milliseconds) compared to public internet.

Throughput: NLB can handle millions of requests per second. The ENIs have bandwidth limits based on instance type (for EC2 targets) or NLB capacity.

Scaling: VPC Link scales automatically by adding more ENIs as traffic increases.

Cost: You pay for the NLB per hour and per GB processed, plus data transfer costs.

Common Pitfalls

Security Group misconfiguration: Not allowing traffic from the NLB's subnets to the target.

Incorrect target group: Pointing to an internet-facing ALB instead of internal.

Cross-account: VPC Link only works within the same account unless using PrivateLink across accounts.

VPC Link in a different region: VPC Link is region-specific; API Gateway and VPC must be in the same region.

Monitoring

CloudWatch Metrics: VpcLinkStatus, IntegrationLatency, 4XXError, 5XXError.

VPC Flow Logs: Can capture traffic through the ENIs.

NLB Access Logs: Optional, stored in S3.

Security

TLS Termination: API Gateway can terminate TLS, then forward HTTP to the NLB. Or you can pass through HTTPS if the NLB has a TLS listener.

Authentication: API Gateway can use IAM, Lambda authorizers, or Cognito before forwarding to VPC Link.

Network ACLs: Apply to the VPC Link subnets to control traffic.

Best Practices

Use private subnets for VPC Link ENIs.

Use an internal ALB behind the NLB for HTTP-level features (routing, headers).

Enable cross-zone load balancing on the NLB.

Set appropriate health checks on the target group.

Walk-Through

1. Create Network Load Balancer

First, create an internal (scheme internal) Network Load Balancer in the same VPC and subnets where your backend resources reside. The NLB must be in the same account and region as API Gateway. Choose the subnets (at least two AZs) where the NLB will be provisioned. Configure a TCP listener (e.g., port 80 or 443) that will forward traffic to a target group. The NLB operates at Layer 4, so it does not inspect HTTP headers; it simply forwards TCP packets. The NLB's DNS name will be used by the VPC Link.

2. Create target group for NLB

Create a target group of type 'instance' or 'IP' that points to your backend resources—typically an internal Application Load Balancer or EC2 instances. Register the targets (e.g., ALB's private IPs or instance IDs). Configure health checks on the same port (e.g., HTTP 80) to ensure the NLB only routes to healthy targets. The target group must be in the same VPC and region. The default health check interval is 30 seconds, with a 10-second timeout and 3 consecutive failures before a target is marked unhealthy.

3. Create VPC Link in API Gateway

In the API Gateway console, navigate to VPC Links and create a new VPC Link. Provide a name, select the VPC, and choose the subnets where the NLB ENIs will be placed. You can either select an existing NLB (the one you created) or let API Gateway create a new one. Specify security groups for the ENIs. Once created, the VPC Link will be in 'AVAILABLE' state after a few minutes. The VPC Link ID (e.g., `vpclink-abc123`) is used in API integrations.

4. Configure API Gateway integration

Create or modify an API Gateway resource and method (e.g., GET /items). Set the integration type to 'VPC Link' and select the VPC Link ID. Enter the endpoint URL as `http://<NLB-DNS-name>:<port>/path`. For HTTP APIs, you can also use the Private Integration type. Deploy the API to a stage. When a client calls the API, API Gateway will forward the request to the NLB via the VPC Link ENIs, which then routes to the target group.

5. Verify connectivity and security

After deployment, test the API endpoint. If the request fails with 502 or timeout, check the following: (1) Security groups on the VPC Link ENIs must allow inbound traffic from API Gateway's source IPs (the NLB's private IPs) on the integration port. (2) The NLB target group health checks must be passing. (3) The backend resource (e.g., ALB) security group must allow traffic from the VPC Link ENIs or the NLB subnets. (4) Network ACLs on the VPC Link subnets must allow inbound/outbound traffic. Use VPC Flow Logs to verify traffic flow.
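The four checks in step 5, together with the "Common Pitfalls" above (internet-facing NLB, wrong VPC or region, over-broad security group), can be run as an offline preflight before the first test call. The code below is an added example, not from the study guide: it evaluates those checks over small dictionaries shaped like trimmed-down `describe-*` responses. All IPs, IDs and rules in it are constructed for the example, and the traffic direction it models (NLB private IPs into the VPC Link ENIs, ENIs into the backend) follows the chapter's own description. Security groups are treated as stateful allow-lists; NACLs as ordered, stateless rules where replies need an outbound ephemeral-port allow.

```python
"""Offline preflight for the VPC Link 502/timeout checklist (added example)."""
from copy import deepcopy
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # reply ports a stateless NACL must allow outbound


def _port_in(rule, port):
    return rule["protocol"] == "-1" or (
        rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"])


def sg_allows(sg, port, src_ip):
    """Security groups are allow-lists: any matching ingress rule permits the flow."""
    ip = ip_address(src_ip)
    return any(_port_in(r, port) and any(ip in ip_network(c) for c in r["cidrs"])
               for r in sg["ingress"])


def sg_is_overbroad(sg):
    """Flag the 'allow everything' rule the chapter warns against tightening later."""
    return any("0.0.0.0/0" in r["cidrs"] for r in sg["ingress"])


def nacl_allows(nacl, port, peer_ip, egress):
    """NACLs are ordered and stateless: lowest matching rule number wins, else deny."""
    ip = ip_address(peer_ip)
    for r in sorted(nacl["entries"], key=lambda e: e["rule_number"]):
        if r["egress"] != egress or ip not in ip_network(r["cidr"]) or not _port_in(r, port):
            continue
        return r["action"] == "allow"
    return False  # implicit deny at the end of every NACL


def preflight(env):
    """Return (code, detail) findings; an empty list means the checklist passes."""
    findings, nlb, port = [], env["nlb"], env["port"]
    if nlb["scheme"] != "internal":
        findings.append(("NLB_NOT_INTERNAL", nlb["scheme"]))
    if nlb["vpc_id"] != env["vpc_id"] or nlb["region"] != env["region"]:
        findings.append(("NLB_WRONG_VPC_OR_REGION", f'{nlb["vpc_id"]}/{nlb["region"]}'))
    # (1) VPC Link ENI security group must admit the NLB's private IPs on the port
    for nlb_ip in nlb["private_ips"]:
        if not sg_allows(env["vpc_link_sg"], port, nlb_ip):
            findings.append(("VPC_LINK_SG_BLOCKS", f"{nlb_ip}:{port}"))
    if sg_is_overbroad(env["vpc_link_sg"]):
        findings.append(("VPC_LINK_SG_OVERBROAD", "0.0.0.0/0 ingress"))
    # (2) every registered target must be healthy or the NLB has nowhere to send traffic
    unhealthy = [t["id"] for t in env["targets"] if t["health"] != "healthy"]
    if unhealthy:
        findings.append(("TARGET_UNHEALTHY", ",".join(unhealthy)))
    # (3) backend security group must admit the VPC Link ENIs (or their subnets)
    for eni_ip in env["vpc_link_eni_ips"]:
        if not sg_allows(env["backend_sg"], port, eni_ip):
            findings.append(("BACKEND_SG_BLOCKS", f"{eni_ip}:{port}"))
    # (4) NACL on the VPC Link subnets: inbound on the port, outbound ephemeral for replies
    for nlb_ip in nlb["private_ips"]:
        if not nacl_allows(env["vpc_link_nacl"], port, nlb_ip, egress=False):
            findings.append(("NACL_INBOUND_DENY", f"{nlb_ip}:{port}"))
        if not all(nacl_allows(env["vpc_link_nacl"], p, nlb_ip, egress=True) for p in EPHEMERAL):
            findings.append(("NACL_EPHEMERAL_DENY", nlb_ip))
    return findings


# Constructed environment that passes every check.
GOOD_ENV = {
    "vpc_id": "vpc-0a1b2c3d", "region": "us-east-1", "port": 443,
    "nlb": {"scheme": "internal", "vpc_id": "vpc-0a1b2c3d", "region": "us-east-1",
            "private_ips": ["10.0.1.10", "10.0.2.10"]},
    "vpc_link_eni_ips": ["10.0.1.25", "10.0.2.25"],
    "vpc_link_sg": {"ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                                 "cidrs": ["10.0.1.10/32", "10.0.2.10/32"]}]},
    "backend_sg": {"ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                                "cidrs": ["10.0.1.0/24", "10.0.2.0/24"]}]},
    "targets": [{"id": "10.0.3.40", "health": "healthy"}],
    "vpc_link_nacl": {"entries": [
        {"rule_number": 100, "egress": False, "protocol": "tcp", "from_port": 443,
         "to_port": 443, "cidr": "10.0.0.0/16", "action": "allow"},
        {"rule_number": 100, "egress": True, "protocol": "tcp", "from_port": 1024,
         "to_port": 65535, "cidr": "10.0.0.0/16", "action": "allow"},
    ]},
}

# Constructed broken variant: public NLB, wide-open link SG, dead target,
# backend SG that ignores the ENIs, and a NACL with no outbound reply rule.
BAD_ENV = deepcopy(GOOD_ENV)
BAD_ENV["nlb"]["scheme"] = "internet-facing"
BAD_ENV["vpc_link_sg"]["ingress"][0]["cidrs"] = ["0.0.0.0/0"]
BAD_ENV["targets"][0]["health"] = "unhealthy"
BAD_ENV["backend_sg"]["ingress"][0]["cidrs"] = ["10.0.3.0/24"]
BAD_ENV["vpc_link_nacl"]["entries"] = BAD_ENV["vpc_link_nacl"]["entries"][:1]

if __name__ == "__main__":
    for code, detail in preflight(BAD_ENV):
        print(f"{code}: {detail}")
```

Each finding maps to one line of the checklist, so an empty result from `preflight` means the remaining suspects are the ones this data cannot see (routing, the backend process itself), which is where the VPC Flow Logs the chapter mentions come in.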

What This Looks Like on the Job

Enterprise Scenario 1: Internal Microservices with Public API

A financial services company runs microservices on EC2 instances in a VPC. They want to expose a public REST API through API Gateway but keep the microservices private. They deploy an internal ALB in front of the microservices, then create an NLB and VPC Link to connect API Gateway to the ALB. The API Gateway handles authentication via Cognito and throttling. In production, they handle 10,000 requests per second with sub-10ms latency added by the VPC Link. The main challenge was security group configuration: initially, they allowed traffic from the entire VPC CIDR, but later tightened it to the exact ENI IPs of the VPC Link for security. A common misconfiguration is forgetting to update the ALB's security group to allow traffic from the NLB subnets.

Enterprise Scenario 2: Hybrid Cloud with On-Premises Integration

A retail company uses Direct Connect to connect on-premises databases to AWS. They need a public API that queries those databases. They place a Lambda function in a VPC that accesses the databases via Direct Connect. The Lambda is fronted by an ALB. API Gateway uses a VPC Link to reach the ALB. The VPC Link ensures that the API traffic never leaves AWS network, reducing latency and avoiding public internet. The NLB handles millions of requests daily. A pitfall: if the Lambda needs internet access (e.g., for external APIs), it must have a NAT Gateway, which adds cost and complexity.

Scenario 3: Multi-Account Architecture with PrivateLink

A SaaS provider uses a shared services VPC in Account A to host backend services. They want to expose these services via API Gateway in Account B. VPC Link cannot cross accounts directly. Instead, they create a PrivateLink endpoint service in Account A (backed by an NLB) and create a VPC endpoint in Account B. Then API Gateway in Account B uses a VPC Link to connect to the VPC endpoint (which is an NLB). This adds complexity but enables cross-account private integration. Performance considerations include endpoint capacity and cross-account data transfer costs.

How SAA-C03 Actually Tests This

SAA-C03 Exam Focus on VPC Link

Objective Codes: This topic falls under Domain 3: High Performance (Objective 3.7 – Choose a high-performing and scalable compute solution) and Domain 2: Resilient Architectures (Objective 2.2 – Design a resilient architecture for decoupled components). The exam tests your ability to select the correct integration method for private API backends.

Common Wrong Answers:

1. VPC Peering: Candidates choose VPC Peering because they think it connects API Gateway to VPC. But API Gateway is a managed service outside your VPC; VPC Peering cannot connect it. VPC Link is the correct mechanism.

2. Direct Connect: Some think Direct Connect provides private connectivity from API Gateway to VPC. Direct Connect connects on-premises to AWS, not API Gateway to VPC.

3. Public ALB with Security Groups: They try to make the ALB public and restrict access via security groups. This still exposes the ALB to the internet (though restricted) and violates the 'private' requirement.

Specific Numbers and Values:

VPC Link uses an NLB (not ALB, not CLB).

The NLB must be internal (scheme internal).

The integration timeout for API Gateway is 29 seconds (not configurable higher).

The NLB idle timeout is 350 seconds.

VPC Link requires at least one subnet per AZ (two AZs recommended).

Edge Cases:

If the backend is a Lambda function that is not in a VPC, you do not need VPC Link; use Lambda integration directly.

If the backend is an HTTP endpoint on the internet, use HTTP integration, not VPC Link.

If the backend is in a different account, you must use AWS PrivateLink (VPC Endpoint Service) plus VPC Link in the consumer account.

How to Eliminate Wrong Answers:

If the question mentions 'private connectivity to VPC' and 'API Gateway', look for 'VPC Link' or 'Private Integration' in the options.

If the option says 'VPC Peering', eliminate it because API Gateway is not in a VPC.

If the option says 'Direct Connect' or 'VPN', eliminate because they are for on-premises.

If the option says 'Public ALB', eliminate because it's not private.

The correct answer will involve an NLB and VPC Link.

Key Takeaways

VPC Link enables private integration between API Gateway and VPC resources using an NLB.

The NLB must be internal (scheme internal) and in the same VPC and region as API Gateway.

VPC Link does not use VPC Peering, Direct Connect, or VPN; it uses AWS PrivateLink technology.

API Gateway integration timeout is 29 seconds for VPC Link integrations.

Security groups on VPC Link ENIs must allow inbound traffic from the NLB's private IPs.

For cross-account access, combine VPC Link with VPC Endpoint Service (PrivateLink).

VPC Link supports REST and HTTP APIs, not only REST.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

VPC Link with NLB

Private connection – traffic stays within AWS network

Requires NLB and VPC Link setup

Higher security – no public IP exposure

Adds minimal latency (single-digit ms)

Supports private backend resources in VPC

Public Integration

Traffic goes over public internet

Simple setup – just provide public endpoint URL

Backend must have public IP or be internet-facing

Latency depends on internet routing

Less secure – backend exposed to internet

Watch Out for These

Mistake

VPC Link uses an Application Load Balancer (ALB) to connect to backend resources.

Correct

VPC Link uses a Network Load Balancer (NLB) as the entry point into the VPC. The NLB operates at Layer 4 and forwards TCP traffic to a target group, which can be an ALB, EC2, or IP addresses. You cannot use an ALB directly as the VPC Link endpoint.

Mistake

VPC Link can connect to resources in a different AWS account without additional configuration.

Correct

VPC Link only works within the same AWS account and region. To connect across accounts, you must use AWS PrivateLink: create a VPC Endpoint Service in the provider account, then create a VPC endpoint in the consumer account, and then use VPC Link to connect to that VPC endpoint.

Mistake

VPC Link automatically provides encryption between API Gateway and the backend.

Correct

VPC Link itself does not encrypt traffic. If you need encryption, you must configure TLS termination on the NLB (using a TLS listener) or use HTTPS between the NLB and backend. API Gateway can terminate TLS and forward HTTP to the VPC Link.

Mistake

VPC Link requires the backend resources to be in the same VPC as the NLB, but they can be in a peered VPC.

Correct

The NLB and its targets must be in the same VPC. If the backend is in a peered VPC, the NLB cannot route to it. You would need to place the NLB in the same VPC as the backend, or use PrivateLink across peered VPCs.

Mistake

You can use VPC Link with any type of API Gateway API, including WebSocket APIs.

Correct

VPC Link is supported for REST APIs and HTTP APIs. For WebSocket APIs, you can use VPC Link as well, but the integration is slightly different. The exam typically focuses on REST APIs.


Frequently Asked Questions

What is the difference between VPC Link and VPC Peering for API Gateway?

VPC Link is a feature that allows API Gateway to privately connect to resources inside your VPC. VPC Peering connects two VPCs together, but API Gateway is a managed service that is not inside any VPC. Therefore, VPC Peering cannot connect API Gateway to your VPC. VPC Link is the correct solution for private API Gateway integration.

Can I use VPC Link without an NLB?

No. VPC Link requires a Network Load Balancer (NLB) as the entry point into the VPC. You can either create the NLB yourself or let API Gateway create one for you. The NLB must be internal and in the same VPC as your backend resources.

Does VPC Link work across regions?

No. VPC Link is region-specific. Both API Gateway and the VPC (including the NLB) must be in the same AWS region. If you need cross-region private connectivity, you would need to use inter-region VPC Peering or other methods, but VPC Link itself cannot span regions.

How do I secure the traffic between API Gateway and my backend through VPC Link?

You can encrypt traffic by using a TLS listener on the NLB. API Gateway can terminate TLS at its end and forward plain HTTP to the VPC Link, or you can pass through HTTPS. Also, use security groups on the VPC Link ENIs and on your backend resources to restrict traffic to only the necessary IPs and ports.

What happens if the NLB target group health check fails?

If the health check fails, the NLB will stop routing traffic to the unhealthy target. API Gateway will receive a 502 Bad Gateway error because the NLB cannot forward the request. Ensure your backend resources are healthy and that the health check configuration matches the actual backend port and protocol.

Can I use VPC Link with a Lambda function that is not in a VPC?

You don't need VPC Link for Lambda functions that are not in a VPC. API Gateway can directly invoke Lambda via a Lambda integration (function ARN). VPC Link is only needed when the Lambda function is inside a VPC and you want to access it via an ALB or NLB.

Is there a cost associated with VPC Link?

Yes. You pay for the NLB (per hour and per GB processed), the VPC Link itself (per hour), and data transfer costs. The VPC Link pricing is separate from API Gateway pricing.
