Domain Name in API Gateway
- Authors: Bowen Y
Why Can't I Create a Route53 Record Pointing Directly to the API Invoke URL?
The API Invoke URL provided by AWS API Gateway is a domain managed by AWS. This URL usually follows a pattern like "{api-id}.execute-api.{region}.amazonaws.com". When you use a service like Route 53 to manage your DNS, creating a CNAME record that directly points to this invoke URL is not recommended for a couple of reasons:
- SSL/TLS Certificate Mismatch: The SSL/TLS certificate on the API Gateway's default URL is issued to that specific AWS domain and not to your custom domain. Directly pointing a Route 53 record to the API Gateway's invoke URL can lead to SSL/TLS mismatches and security warnings in browsers or API clients.
- Customization and Control: Using a custom domain name through API Gateway allows for greater control and customization. For example, you can set up custom paths for your API routes, use your own SSL/TLS certificates, and have a URL that's branded for your organization or service.
What Is the Meaning of the Domain Name in API Gateway, and Can I Create a Route 53 Record with a Different Domain Name?
The domain name in API Gateway refers to the custom domain that you want to use for your API, different from the default AWS-provided URL. You can set up a custom domain in API Gateway and then create a CNAME or A Alias record in Route 53 that points to this custom domain.
When you set up a custom domain in API Gateway, AWS generates a new endpoint (a CloudFront distribution) for this domain. This is what you point your DNS record (in Route 53 or any other DNS service) to, not the original invoke URL.
You cannot use a Route 53 record with a completely different domain name to point to the AWS-generated domain name (the one for the custom domain in API Gateway). The domain name you use in Route 53 should match the custom domain you've set up in API Gateway.
I still don't know why, but when I access the CloudFront distribution URL directly, it raises a Not Found error. When I tried to create a Route 53 record with a different domain pointing to the CloudFront URL, it raised a Forbidden error. So I assume there is a domain mapping mechanism behind the scenes, which is done by API Gateway.
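
As an added example (not part of the original post), this Python script audits DNS records against the rule described above: it flags records that point at a default invoke URL and records whose name differs from the custom domain their target was generated for. The dictionaries are constructed sample data shaped like the Route 53 `list_resource_record_sets` and API Gateway `get_domain_names` responses; the function names are hypothetical, and only exact (non-wildcard) custom domain names are assumed.

```python
import re

# Default invoke hostnames: {api-id}.execute-api.{region}.amazonaws.com
INVOKE_RE = re.compile(r"^[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com$")

# Constructed sample data (not from a real account)
CUSTOM_DOMAINS = [{"domainName": "api.example.com",
                   "distributionDomainName": "d111111abcdef8.cloudfront.net"}]
RRSETS = [
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "d111111abcdef8.cloudfront.net."}},
    {"Name": "other.example.org.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "raw.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "abc123defg.execute-api.us-east-1.amazonaws.com"}]},
]

def norm(name):
    """Lower-case a DNS name and drop the trailing dot Route 53 returns."""
    return name.rstrip(".").lower()

def record_targets(rrset):
    """Hostnames a record set points at (alias or CNAME); empty otherwise."""
    if "AliasTarget" in rrset:
        return [norm(rrset["AliasTarget"]["DNSName"])]
    if rrset["Type"] == "CNAME":
        return [norm(r["Value"]) for r in rrset.get("ResourceRecords", [])]
    return []

def audit(rrsets, custom_domains):
    """Return (record name, finding) pairs for records aimed at API Gateway."""
    owner = {}  # AWS-generated target hostname -> custom domain it belongs to
    for d in custom_domains:
        for key in ("distributionDomainName", "regionalDomainName"):
            if d.get(key):
                owner[norm(d[key])] = norm(d["domainName"])
    findings = []
    for rr in rrsets:
        name = norm(rr["Name"])
        for target in record_targets(rr):
            if INVOKE_RE.match(target):
                findings.append((name, "points at the default invoke URL"))
            elif target in owner and owner[target] != name:
                findings.append(
                    (name, f"target belongs to custom domain {owner[target]}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RRSETS, CUSTOM_DOMAINS):
        print(f"{name}: {finding}")
```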