Secure your private API access with NetFoundry-- AWS API Gateway example

Private APIs provide a secure method to invoke APIs via an VPC endpoint. API Gateway private integration makes it easier to expose your HTTP/HTTPS resources. Applications can integrate with private APIs, so the APIs can send requests to a Network Load Balancer (NLB), or through Application Load Balancer (ALB) or AWS Cloud Map for HTTP APIs. Private Integration forwards external traffic sent to APIs to private resources, without exposing the APIs to the internet.



This tutorial will use  the NetFoundry Platform to create network fabric to access a private example API in AWS.


1. AWS Account

2. AWS CLI installed on your system and connected to your AWS Account.

2. NetFoundry Teams Account

Pre-requisites :

1. The edge routers and endpoints need to reach the NetFoundry controller and NF-hosted edge routers for registration and operations. Please make sure to have the required ports, IPs, and URLs reachable if you have firewall ACL policies.

2. NetFoundry traffic should be bypassed from proxy or any deep packet inspection in between since it involves mTLS and E2E encryption. 

The guide has the details.



Step 1. Build the Network using our Getting started Guide.


Step 2. Create endpoint identity in NetFoundry. (remote user identity)

To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus-sign in the upper right-hand corner to create a new Endpoint.

Download the resulting "endpoint_name.jwt". Follow directions for desired OS below:





Step 3. Create NetFoundry Edge Router and deploy NetFoundry Edge Router resource in AWS.

Follow the steps outlined here (with video)


Step 4. Deploy Private endpoint into VPC.

From the VPC menu, select Endpoints from the menu and select Create Endpoint. Select Name, AWS Service and choose the api service:




Then select desired VPC, subnets, security group (if any) and finally Full Access for this example.

Depending on your VPC DNS settings, you may have disable DNS name from the VPC Additional Setting dialogue box.







Record your VPC Endpoint ID:  vpce-0c09e538f94bbab3c (sample)



Step 5. Create API and associated URI for testing.

From the API Gateway Menu, select  create.jpg

Then Select Rest API Private and hit build


Choose Example API 

Select private API endpoint type, select the VPC endpoint created in step 4, select an appropriate option for warnings and create your API.

Once your API is built, you will need to apply a Resource Policy, here is a sample open policy for your testing. Select Resource Policy on the left, create a policy and paste the following into the code box then hit save.

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "*"

Now lets deploy your API from the API menu


Step 6. Create CloudZiti service and service policy


You must form your Private Endpoint API URI by inserting the VPCE ID between the API ID and the rest of your URL.






From the CloudZiti console select the services dialogue box and hit Add.



Insert your base URL into the Intercept Host Name field with port 443

Select Endpoint Hosted and select the router you installed in your VPC in Step 3 above.  Enter the URL and port into the Host Configuration box and hit create.



Select Service Policy from the Network Dashboard and hit the Blue + in the upper right corner.

From the Services Attribute box , click and select the service from the step above.

From the Endpoint Attribute box, click and select the endpoint created in Step 2 above.

Hit Create.


Step 5. Connect to API with NetFoundry's CloudZiti platform.


From your Browser on your device running CloudZiti endpoint 




From CLI (example, set your URL specifics)


curl -X GET "" -H "accept: application/json"






Was this article helpful?
1 out of 2 found this helpful



Please sign in to leave a comment.