API Gateway supports three endpoint types to optimize for different use cases:
- Edge-Optimized endpoints are designed for global clients. The API is deployed in a single region, but traffic is routed through CloudFront edge locations to reduce latency and improve global performance.
- Regional endpoints are designed for clients within the same AWS region. They are accessed directly without CloudFront unless manually integrated, giving more control over caching, custom domains, and distribution settings.
- Private endpoints are accessible only from within a VPC via an interface VPC endpoint (ENI). Access is controlled with a resource policy specifying allowed VPCs or principals.

| Endpoint Type | Optimized For | Access Scope | Notes |
| --- | --- | --- | --- |
| Edge-Optimized | Global clients | Public via CloudFront | Reduced latency via edge locations |
| Regional | In-region clients | Public within region | Optional manual CloudFront integration |
| Private | Internal VPC | VPC-only (via VPC endpoint) | Requires resource policy |

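The resource policy on a Private endpoint is what limits which VPCs or VPC endpoints can invoke the API, so it is worth checking mechanically. The following is an added example, not code from the original page or from AWS: a small Python audit that flags an Allow for any principal with no VPC or VPC endpoint restriction. The function names, sample policies and `vpc-`/`vpce-` IDs are constructed for illustration.

```python
import json

# Condition keys that tie a request to a VPC or an interface VPC endpoint.
VPC_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _vpc_ids(stmt, operator):
    """VPC / VPC endpoint IDs named under one condition operator."""
    ids = set()
    for op, block in stmt.get("Condition", {}).items():
        if op.lower() == operator:
            for key, value in block.items():
                if key.lower() in VPC_KEYS:
                    ids.update(_as_list(value))
    return ids

def audit_private_api_policy(policy_json):
    """Return findings for a private API resource policy (empty list = pass)."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    # Deny-unless-from-VPC pattern: fences every Allow in the policy.
    # Simplification: the Deny's Action/Resource scope is not compared.
    fenced = any(s.get("Effect") == "Deny" and s.get("Principal") == "*"
                 and _vpc_ids(s, "stringnotequals") for s in statements)
    findings = []
    for i, s in enumerate(statements):
        anyone = s.get("Principal") in ("*", {"AWS": "*"})
        if s.get("Effect") == "Allow" and anyone and not fenced \
                and not _vpc_ids(s, "stringequals"):
            findings.append(f"statement {i}: Allow for any principal "
                            "with no VPC or VPC endpoint restriction")
    return findings

# Constructed sample policies; the vpc-/vpce- IDs are placeholders.
ALLOW_ALL = {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*"}
OPEN = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_ALL]})
FENCED = json.dumps({"Version": "2012-10-17", "Statement": [
    ALLOW_ALL,
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "execute-api:/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE1"}}}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(ALLOW_ALL, Condition={"StringEquals": {"aws:SourceVpc": "vpc-EXAMPLE1"}})]})

if __name__ == "__main__":
    for name, doc in (("OPEN", OPEN), ("FENCED", FENCED), ("SCOPED", SCOPED)):
        print(name, audit_private_api_policy(doc) or "ok")
```

Statements that name specific principals are treated as already scoped and are not flagged.
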
ACM – Integration with API Gateway
Overview
API Gateway supports custom domain names with TLS certificates managed by AWS Certificate Manager (ACM). The certificate requirements depend on the endpoint type.
- Edge-Optimized endpoints use a CloudFront distribution managed by API Gateway. The TLS certificate must be in the us-east-1 region (CloudFront’s region).
- Regional endpoints do not use CloudFront by default. The TLS certificate must be in the same AWS region as the API stage.
- For Private endpoints, ACM certificates are not required unless fronted by a CloudFront distribution, in which case the certificate must match the distribution’s region.
DNS Configuration
For both Edge-Optimized and Regional endpoints, DNS is typically configured using a CNAME record or a Route 53 A-Alias record pointing to the API Gateway domain.

| Endpoint Type | TLS Certificate Region | DNS Setup | Notes |
| --- | --- | --- | --- |
| Edge-Optimized | us-east-1 | CNAME or A-Alias (Route 53) | Optimized for global access |
| Regional | Same as API Stage | CNAME or A-Alias (Route 53) | Direct in-region access, more control |