Skip the Lambda: A Simpler Pattern for Akamai → ALB → Private API Gateway

Introduction

I’m only AWS Certified Cloud Practitioner, but in a previous role I designed and implemented a production architecture that routed traffic from Akamai through an AWS Application Load Balancer (ALB) to a private API Gateway endpoint.

While researching this pattern, I kept finding examples that used a Lambda function as a reverse proxy between ALB and API Gateway. After implementing and operating the system, my conclusion is simple: for many use cases, that Lambda layer is unnecessary complexity. This article walks through the cleaner pattern I used in production—based on DNS, private endpoints, and certificates—without any proxy Lambda.

If you understand VPCs, load balancers, and basic DNS, you can implement this pattern even without advanced AWS certifications.

The Use Case and Requirements

The pattern solves a concrete problem:

• Use Akamai as the public CDN and WAF entry point
• Terminate TLS at AWS ALB in a public subnet
• Route traffic from ALB to a private API Gateway endpoint (no public exposure)
• Use custom domains and certificates so everything looks like a single clean API surface
• Avoid extra hops, code, and cost where possible

High-level flow:

Client → Akamai (public) → ALB (public subnets) → VPC Endpoint (private) → API Gateway (private endpoint)

No reverse-proxy Lambda in the middle, no extra application code to maintain.

Common Approach: Lambda as a Reverse Proxy

When I researched this pattern, I found many tutorials suggesting this architecture:

Akamai → ALB → Lambda (reverse proxy) → API Gateway

On paper, it sounds flexible. In reality, it has some real drawbacks:

• You must write and maintain proxy code (path rewriting, headers, logging, error handling)
• Every request invokes Lambda, adding latency and potential cold starts
• You pay per-invocation Lambda costs on top of ALB and API Gateway pricing
• There’s an extra failure point and more moving parts to monitor and debug
• Configuration lives partly in code, partly in infrastructure, making behavior harder to reason about

For complex request transformations or protocol bridging, that might be justified. For simple “send this HTTP request from ALB to API Gateway privately,” it is over-engineering.

Simpler Pattern: ALB + Private Endpoint + DNS

Instead of using Lambda as a reverse proxy, you can use pure networking and DNS:

• Public ALB with an HTTPS listener
• VPC endpoint for API Gateway, reachable only inside the VPC
• ALB target group that points at the VPC endpoint via its private DNS name
• A custom domain and certificate on API Gateway so hostnames line up correctly
• Akamai configured to send traffic to the ALB’s public DNS name

This gives you:

• No extra code to maintain
• No Lambda cold starts
• Cleaner cost model (ALB + API Gateway + data transfer)
• A configuration-driven architecture that network engineers and DevOps can reason about

The rest of this article walks through how to implement this step by step.

Architecture Diagram

[Internet Users]
       ↓
[Akamai CDN/WAF]
       ↓ (HTTPS to custom domain)
[Application Load Balancer]
  (public subnets)
       ↓ (HTTPS via target group)
[VPC Endpoint for API Gateway]
  (private subnets)
       ↓ (private network)
[API Gateway - Private Endpoint]
       ↓
[Backend Services/Lambda/etc]

Step 1: Configure Private API Gateway

First, create or convert your API Gateway to use private endpoints.

Key Configuration Points

1. Set endpoint type to Private when creating your API
2. Create a custom domain name in API Gateway (e.g., api.example.com)
3. Request an ACM certificate for your custom domain in the appropriate AWS region
4. Associate the custom domain with your API stages
5. Configure the resource policy to restrict access to your VPC endpoint

Resource Policy Example

Your API Gateway needs a resource policy that allows access only from your VPC endpoint:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-xxxxxxxxxx"
        }
      }
    }
  ]
}

Replace REGION, ACCOUNT_ID, API_ID, and the VPC endpoint ID with your actual values.

Verification Checklist

• API Gateway is not publicly accessible
• API Gateway has a custom domain name with ACM certificate
• Resource policy restricts access to your VPC endpoint(s)
• Custom domain is mapped to the correct stage

Step 2: Create VPC Endpoint for API Gateway

Next, expose API Gateway privately inside your VPC via an interface endpoint.

Setup Steps

1. Go to VPC → Endpoints in the AWS console
2. Click Create Endpoint
3. Select AWS Services
4. Search for and select com.amazonaws.REGION.execute-api
5. Choose your VPC
6. Select private subnets where your ALB target group will route traffic
7. Create a security group for the VPC endpoint

Security Group Configuration

The VPC endpoint security group should:

• Allow inbound HTTPS (port 443) from the ALB security group
• Allow outbound traffic as needed for your use case

DNS Configuration

• Ensure Enable DNS name is checked when creating the endpoint
• Verify Private DNS is enabled for the VPC
• The endpoint will create private DNS entries that resolve inside your VPC

Important Details

• The VPC endpoint creates multiple ENIs (one per AZ you selected)
• Each ENI has a private IP address
• These IPs are what the ALB will route traffic to
• DNS resolution happens automatically within the VPC

Result: from within the VPC, you can reach your private API Gateway via the endpoint’s private DNS name.

Step 3: Set Up the Application Load Balancer

Now set up the ALB that will receive traffic from Akamai.

Create the ALB

1. Navigate to EC2 → Load Balancers
2. Click Create Load Balancer → Application Load Balancer
3. Name your ALB
4. Scheme: Internet-facing
5. Select public subnets (at least two AZs for high availability)

Configure HTTPS Listener

1. Add a listener on port 443
2. Select the ACM certificate for your public-facing domain (the one Akamai will call)
3. Default action: forward to your target group (created in next step)

Create Target Group for VPC Endpoint

This is the critical piece that replaces the Lambda proxy:

1. Target type: IP addresses
2. Protocol: HTTPS
3. Port: 443
4. VPC: Select your VPC
5. Health check: Configure to hit a valid API Gateway endpoint path

Register VPC Endpoint IPs as Targets

1. After creating the target group, click Register targets
2. Enter the private IP addresses of your VPC endpoint ENIs
3. Port: 443
4. Click Include as pending below and then Register

How to find VPC endpoint IPs:

• Go to VPC → Endpoints
• Select your API Gateway endpoint
• View the Network Interfaces tab
• Note the private IP addresses

ALB Security Group

Configure the ALB security group:

• Inbound: Allow HTTPS (443) from Akamai IP ranges or your CDN provider
• Outbound: Allow HTTPS (443) to the VPC endpoint security group

Target Group Settings

Key settings to configure:

• Target type: IP
• Protocol: HTTPS (not HTTP)
• Deregistration delay: 30 seconds (or appropriate for your use case)
• Health check protocol: HTTPS
• Health check path: Valid endpoint that returns 200 OK (e.g., /health)
• Healthy threshold: 2
• Unhealthy threshold: 2
• Timeout: 5 seconds
• Interval: 30 seconds

Step 4: Configure CNAME and Certificate Mapping

This step ensures proper hostname resolution and TLS termination throughout the chain.

Domain Setup

You need two domains properly configured:

1. Public domain (for Akamai → ALB): api.example.com
2. Internal/API Gateway custom domain: Could be the same or different

CNAME Configuration

In your DNS provider (Route 53, Cloudflare, etc.):

1. Create a CNAME record for your public API domain
2. Point it to your ALB DNS name (e.g., my-alb-123456.us-east-1.elb.amazonaws.com)
3. Example: api.example.com CNAME → my-alb-123456.us-east-1.elb.amazonaws.com

Certificate Requirements

You need two separate ACM certificates:

1. ALB certificate: For the public domain Akamai calls (api.example.com)

   • Requested in the same region as your ALB
   • Attached to the ALB HTTPS listener

2. API Gateway certificate: For the custom domain in API Gateway

   • Requested in the same region as your API Gateway
   • Attached to the API Gateway custom domain configuration

Why Two Certificates

• ALB terminates TLS from Akamai and re-encrypts to the VPC endpoint
• API Gateway expects TLS from the VPC endpoint with a valid certificate
• The ALB target group uses HTTPS (not HTTP) to talk to API Gateway
• Certificate validation happens at both layers

Host Header Considerations

Configure your ALB listener rule to pass through or rewrite the Host header appropriately:

• If using the same domain for both ALB and API Gateway custom domain, pass through unchanged
• If using different domains, configure a listener rule to rewrite the Host header to match the API Gateway custom domain

Step 5: Configure Akamai Origin

Finally, configure Akamai to route traffic to your ALB.

Akamai Property Configuration

1. Set the origin hostname to your ALB’s public DNS name or the CNAME you created
2. Configure origin SSL certificate verification if required
3. Set origin protocol to HTTPS
4. Configure appropriate caching rules based on your API behavior

Origin Settings

Key Akamai configuration:

• Origin Type: Your Customer Origin
• Origin Server Hostname: Your ALB DNS or CNAME (e.g., api.example.com)
• Forward Host Header: Depends on your setup—typically “Origin Hostname”
• IPv6: Enable if your ALB supports it
• TLS Version: TLS 1.2 or higher
• Certificate verification: Enable to verify ALB’s ACM certificate

Testing Akamai Configuration

Use Akamai’s staging network first:

1. Configure your property on Akamai staging
2. Add the Akamai staging hostname to your /etc/hosts file for testing
3. Make requests and verify they reach API Gateway correctly
4. Check ALB access logs and API Gateway logs for successful routing
5. Once verified, activate on production

Security Considerations

Security Group Rules

This architecture requires careful security group configuration:

ALB Security Group:

• Inbound: 443 from Akamai IP ranges
• Outbound: 443 to VPC endpoint security group

VPC Endpoint Security Group:

• Inbound: 443 from ALB security group only
• Outbound: As needed for API Gateway backend connectivity

API Gateway Resource Policy

The resource policy should restrict access to only your VPC endpoint:

"Condition": {
  "StringEquals": {
    "aws:sourceVpce": "vpce-xxxxxxxxxx"
  }
}

This ensures even if someone discovers your API Gateway ID, they cannot access it without going through the VPC endpoint.

Network Isolation

Benefits of this architecture:

• API Gateway is never exposed to the internet
• Traffic flows through multiple security layers (Akamai WAF, ALB, VPC security groups)
• No public DNS records point to API Gateway
• VPC endpoint restricts access to specific subnets

IAM and Authentication

Additional security layers you should consider:

• Use IAM authorization on API Gateway if accessing from Lambda or other AWS services
• Implement API key validation at API Gateway level
• Configure WAF rules on Akamai for DDoS protection and bot filtering
• Consider AWS WAF on ALB for additional protection layer

Troubleshooting Common Issues

Problem: 503 Service Unavailable from ALB

Cause: ALB cannot reach the VPC endpoint targets.

Solutions:

• Verify VPC endpoint ENI IP addresses are correctly registered as targets
• Check VPC endpoint security group allows inbound 443 from ALB security group
• Confirm VPC endpoint is in “available” state
• Verify target group health checks are passing
• Check ALB subnet route tables can reach VPC endpoint subnets

Problem: Certificate Validation Errors

Cause: Certificate mismatch between ALB or API Gateway domains.

Solutions:

• Verify ALB certificate matches the domain Akamai calls
• Confirm API Gateway custom domain certificate matches the Host header sent by ALB
• Check certificate is in the correct AWS region
• Ensure certificate is validated and active in ACM
• Verify Host header forwarding is configured correctly

Problem: API Gateway Returns 403 Forbidden

Cause: Resource policy is blocking the request.

Solutions:

• Check API Gateway resource policy allows your VPC endpoint ID
• Verify the VPC endpoint ID in the policy matches your actual endpoint
• Confirm the API stage is correctly mapped to the custom domain
• Test directly from within the VPC to isolate Akamai/ALB issues
• Check CloudWatch Logs for API Gateway to see exact error details

Problem: Target Health Checks Failing

Cause: Health check configuration doesn’t match API Gateway behavior.

Solutions:

• Ensure health check path exists and returns 200 OK
• Verify health check protocol is HTTPS (not HTTP)
• Check API Gateway has a valid endpoint at the health check path
• Confirm timeout and interval settings are appropriate
• Review API Gateway access logs to see if health checks are reaching it

Problem: Intermittent Timeouts

Cause: Backend processing time exceeds ALB timeout settings.

Solutions:

• Increase ALB idle timeout (default 60 seconds, max 4000 seconds)
• Check API Gateway integration timeout settings (max 29 seconds for Lambda)
• Review backend service performance and optimize slow endpoints
• Implement proper connection pooling and keep-alive settings
• Monitor CloudWatch metrics for TargetResponseTime

Cost Analysis

Understanding the costs of this architecture compared to alternatives.

Components and Pricing

Application Load Balancer:

• ALB hour: $0.0225/hour ($16/month)
• LCU (Load Balancer Capacity Unit): ~$0.008/LCU-hour
• LCU includes: new connections, active connections, processed bytes, rule evaluations

VPC Endpoint:

• Interface endpoint: $0.01/hour per AZ ($7/month per AZ)
• Data processing: ~$0.01/GB

API Gateway:

• Private API calls: ~$3.50 per million requests (first 333 million)
• Data transfer out: Standard AWS data transfer pricing

ACM Certificates:

• Public certificates: Free

Cost Comparison: This Pattern vs Lambda Proxy

Lambda Reverse Proxy Costs:

• Lambda invocations: ~$0.20 per million requests
• Lambda compute: ~$0.0000166667/GB-second
• Additional latency and cold starts
• Code maintenance overhead

This Pattern (ALB + VPC Endpoint):

• Fixed monthly cost for ALB and VPC endpoint
• No per-request Lambda charges
• Scales better at high request volumes
• Lower latency

Break-even analysis:

For APIs with high traffic (>1 million requests/month), the ALB + VPC endpoint pattern is typically cheaper because:

• Fixed infrastructure costs remain constant
• No per-invocation charges
• Better performance reduces timeouts and retries

For very low traffic APIs (<100K requests/month), a Lambda proxy might be marginally cheaper due to lower fixed costs.

Cost Optimization Tips

1. Use single VPC endpoint across multiple AZs instead of multiple endpoints
2. Right-size ALB by monitoring LCU usage and adjusting listener rules
3. Enable ALB access logs only when troubleshooting (S3 storage costs)
4. Use API Gateway caching to reduce backend calls
5. Configure Akamai caching aggressively to reduce origin requests

Performance and Latency

Real-world performance observations from production use.

Latency Breakdown

Typical request flow latency:

• Akamai → ALB: 10-30ms (depends on geographic distribution)
• ALB → VPC Endpoint: 1-3ms (in-VPC routing)
• VPC Endpoint → API Gateway: 1-2ms (private network)
• API Gateway → Backend: Varies by integration (Lambda, HTTP, etc.)

Total overhead: ~12-35ms before backend processing.

Comparison to Lambda Proxy Pattern

Lambda proxy adds:

• Cold start: 100-1000ms+ (depending on runtime and code)
• Warm invocation: 5-20ms (proxy code execution)
• Extra network hop: 2-5ms

The DNS-based pattern eliminates these overheads.

Throughput Considerations

This architecture can handle:

• Thousands of requests per second with proper ALB scaling
• Limited mainly by API Gateway quotas (10,000 RPS default per account per region)
• VPC endpoint bandwidth scales automatically

Monitor these CloudWatch metrics:

• TargetResponseTime (ALB)
• Count (API Gateway requests)
• Latency (API Gateway)
• 4XXError and 5XXError rates

When Lambda Might Still Make Sense

Despite advocating for the DNS/certificate approach, there are valid use cases for Lambda:

Request Transformation

If you need to:

• Rewrite request paths dynamically based on complex logic
• Transform payloads before reaching API Gateway
• Add custom headers or authentication tokens
• Implement complex routing logic that ALB listener rules cannot handle

Protocol Bridging

When you need to:

• Convert between different protocols (e.g., gRPC to REST)
• Handle WebSocket connections with custom logic
• Implement custom retry or circuit-breaker logic

Multi-Backend Routing

For scenarios with:

• Multiple API Gateway endpoints with complex selection logic
• Canary deployments with custom traffic splitting
• A/B testing requiring request inspection

In these cases, Lambda adds genuine value. For simple proxying, it is overkill.

Why This Pattern Excels

After operating this architecture in production for several months, the benefits were clear:

Simplicity: Configuration-driven, no custom code to maintain, easy to reason about.

Performance: Lower latency than Lambda proxy pattern, no cold starts, predictable behavior.

Cost-effective: At scale, fixed infrastructure costs beat per-invocation pricing.

Debuggable: Standard AWS networking tools (VPC Flow Logs, ALB access logs, API Gateway logs) cover the entire path.

Secure: Private API Gateway, multiple security layers, no public exposure.

Next Steps and Extensions

Once you have the basic pattern working, consider:

Monitoring and Observability

• Enable ALB access logs to S3 for traffic analysis
• Configure API Gateway logging to CloudWatch
• Set up CloudWatch dashboards for key metrics
• Create CloudWatch alarms for error rates and latency spikes
• Use AWS X-Ray for distributed tracing across components

High Availability

• Deploy ALB across multiple AZs
• Use multiple VPC endpoint ENIs (one per AZ)
• Configure cross-zone load balancing on ALB
• Implement health checks at every layer

CI/CD Integration

• Use CloudFormation or Terraform to define infrastructure as code
• Implement blue-green deployments for API Gateway stages
• Automate certificate renewal (ACM handles this automatically)
• Version control all configuration

Multi-Region Setup

For global applications:

• Deploy this pattern in multiple AWS regions
• Use Route 53 for geographic routing
• Configure Akamai to route to the nearest region
• Implement cross-region failover

Conclusion

You don’t need a Lambda reverse proxy to route ALB traffic to a private API Gateway endpoint. The CNAME + certificate + VPC endpoint pattern provides a simpler, faster, and more maintainable solution for most use cases.

This architecture proves that understanding fundamentals (VPCs, load balancing, DNS, certificates) matters more than advanced certifications. I built this with just Cloud Practitioner knowledge by focusing on solving the actual problem rather than over-engineering.

If you’re implementing a similar pattern, start simple: get the networking right, verify security groups, ensure DNS resolves correctly, and test thoroughly before adding Akamai into the mix. The result is a production-ready, scalable API architecture without unnecessary complexity.

Now go build your secure, performant API infrastructure—no Lambda proxy required.