I need to create a secure API Gateway endpoint that can be accessed only from a growing number of EC2 instances located in different VPCs. The solution should automatically grant access to newly launched EC2 instances and be scalable to accommodate future growth.
Initial Approach (Attempted but not suitable):
We initially explored using Interface VPC Endpoints. This approach seemed promising for its scalability and automatic inclusion of new instances. However, Interface VPC Endpoints only work for API Gateways deployed in a public VPC, which is not ideal for our security requirements.
Desired Workflow:
- The API Gateway endpoint can be initially deployed in a public VPC for configuration purposes.
- Long-term, migrating the API Gateway to a private VPC is an option.
- VPC Links and Network Load Balancers (NLBs) are potential solutions to establish secure connections between EC2 instances in various VPCs and the API Gateway.
- IAM policies will be implemented to control access based on VPC origin and instance roles.
Example Requirements:
- VPC A: Hosts the API Gateway endpoint (public initially, potentially private later).
- VPC B, VPC C, etc.: Each VPC contains EC2 instances that need to access the API Gateway.
- Security groups will be configured to restrict traffic flow according to the chosen approach (Interface VPC Endpoints or VPC Links with NLB).
- IAM roles assigned to EC2 instances will grant access to the API Gateway endpoint and restrict outbound traffic to the appropriate endpoint address based on the chosen approach.
Questions:
- What is the most secure and scalable approach to achieve API Gateway access from EC2 instances across VPCs, considering the initial public VPC deployment and potential future migration to a private VPC?
- Are there any potential challenges or limitations to consider with the proposed solutions using VPC Links and NLBs?
- Are there any best practices or recommendations for implementing IAM policies to control access in this scenario?
I’ve explored the limitations of Interface VPC Endpoints for my specific use case. Any insights or alternative approaches to achieve secure and scalable access to the API Gateway endpoint would be greatly appreciated.
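An added illustration (not part of the question above) of the "control access based on VPC origin" idea: an API Gateway resource policy that denies `execute-api:Invoke` unless the request arrives from one of the listed VPCs, while leaving the final grant to the instance roles. It assumes a private REST API reached through interface endpoints (that is what populates `aws:SourceVpc`), IAM authorization on the methods, and placeholder account, region, API and VPC IDs that must be replaced with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCallsFromOutsideApprovedVpcs",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:111122223333:<api-id>/prod/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": [
            "vpc-0b0b0b0b0b0b0b0b0",
            "vpc-0c0c0c0c0c0c0c0c0"
          ]
        }
      }
    },
    {
      "Sid": "AllowSameAccountPrincipals",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:111122223333:<api-id>/prod/*"
    }
  ]
}
```

Because the Allow names the account root rather than `*`, each EC2 instance role still needs its own identity policy granting `execute-api:Invoke` on the same ARN, and calls must be SigV4-signed with the instance credentials; adding a new VPC is then a one-line change to the `aws:SourceVpc` list rather than a per-instance change.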