The correct answer is: Introduce an interface VPC endpoint for API Gateway to enable private API calls within the VPC.

Private APIs in Amazon API Gateway are designed to be accessed only from within your VPC. However, by default, calls between private APIseven when hosted in the same VPCmay still use the public internet unless configured otherwise. To keep traffic within the VPC and maintain private connectivity between services, an interface VPC endpoint must be provisioned for API Gateway. This ensures that the ExecuteTrade API can securely call the ValidateBalance API using private IP addresses, without routing traffic externally. Importantly, this change does not require modifications to the application codeonly the endpoint configuration and DNS settings need to be updated.

The option to attach an API key header to authorize requests between the services is unrelated to network routing. While API keys can help control access, they dont influence whether traffic travels over the internet or stays within a VPC.

The suggestion to set up a gateway VPC endpoint to redirect traffic between the APIs locally is invalid because gateway endpoints are only available for S3 and DynamoDB. They cannot be used for API Gateway or other AWS services. This is a common misunderstanding among candidates.

The choice to place an Amazon SQS queue between the two services to decouple and route requests internally introduces unnecessary complexity and architectural change. While this could enable asynchronous communication, it requires code modifications to handle message queues, which goes against the requirement to minimize code changes.

This question is important because it tests your understanding of how AWS networking components like VPC endpoints interact with services like API Gateway. It also evaluates your ability to secure internal communication paths in cloud-native applications. Candidates often confuse interface and gateway endpoints, or overlook that private APIs still need a VPC endpoint for internal routing to work.

To tackle these types of questions effectively, remember that interface endpoints support a wide range of servicesincluding API Gatewayand are the go-to option for enabling private access from within a VPC. When asked to reduce internet exposure or enforce internal traffic without changing application logic, interface endpoints are often the correct solution.

Full AWS Practitioner Certification Question