Using a custom domain name in a Private REST API Gateway
Matias Kreder
Posted on June 6, 2024
When working on internal networks, particularly within a VPC, developers often need to call a private API Gateway. A common scenario is a network resource that must reach a specific Lambda function over HTTPS without going over the internet or through the AWS API. Using the hostname that API Gateway assigns is an option, but a private DNS name gives a more consistent approach across environments.
According to the AWS Documentation: "Custom domain names are not supported for private APIs."
However, there is a simple hack to get this to work.
TL;DR: Architecture
Full Solution
1. On the VPC, create an "execute-api" VPC endpoint for API Gateway.
2. On API Gateway, create a private REST API with all the necessary resources and methods. Create a resource policy that only allows access through the VPC endpoint.
3. On the VPC Endpoints page, open the Subnets section of the endpoint created in step 1 and note its IP addresses.
4. Create a TLS target group using the IPs from step 3.
5. Create an internal NLB with a TLS listener, using the target group from step 4.
6. Create a custom domain name in API Gateway (Regional type) and map it to the private API.
7. On Route 53, create a private hosted zone attached to the same VPC, with a CNAME record that points to the NLB's DNS name.
Once this is done, it should work. I have done this many times in different projects but keep forgetting about it, so I figured it was a good time to document it to be useful for someone else.
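The same procedure as Terraform (aws provider), as an added example that is not part of the original post: steps 1 and 2 are assumed already done and referenced through var.vpce_id and var.api_id, var.cert_arn is assumed to be an ACM certificate for var.domain_name (used by both the NLB listener and the custom domain), and var.stage_name and var.private_zone_id are likewise placeholders.

```hcl
data "aws_vpc_endpoint" "execute_api" { # step 1's endpoint, assumed to exist; var.* are placeholders
  id = var.vpce_id
}
data "aws_network_interface" "vpce" { # step 3: endpoint ENIs -> private IPs
  for_each = toset(data.aws_vpc_endpoint.execute_api.network_interface_ids)
  id       = each.value
}
resource "aws_lb_target_group" "vpce" { # step 4: TLS target group of those IPs
  port        = 443
  protocol    = "TLS"
  target_type = "ip"
  vpc_id      = data.aws_vpc_endpoint.execute_api.vpc_id
}
resource "aws_lb_target_group_attachment" "vpce" {
  for_each         = data.aws_network_interface.vpce
  target_group_arn = aws_lb_target_group.vpce.arn
  target_id        = each.value.private_ip
}
resource "aws_lb" "nlb" { # step 5: internal NLB in the endpoint's subnets
  internal           = true
  load_balancer_type = "network"
  subnets            = data.aws_vpc_endpoint.execute_api.subnet_ids
}
resource "aws_lb_listener" "tls" { # TLS listener presenting the custom domain's ACM cert
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TLS"
  certificate_arn   = var.cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpce.arn
  }
}
resource "aws_api_gateway_domain_name" "custom" { # step 6: Regional custom domain...
  domain_name              = var.domain_name
  regional_certificate_arn = var.cert_arn
  endpoint_configuration { types = ["REGIONAL"] }
}
resource "aws_api_gateway_base_path_mapping" "custom" { # ...mapped to the private API from step 2
  api_id      = var.api_id
  stage_name  = var.stage_name
  domain_name = aws_api_gateway_domain_name.custom.domain_name
}
resource "aws_route53_record" "api" { # step 7: CNAME in the VPC's private zone -> NLB
  zone_id = var.private_zone_id
  name    = var.domain_name
  type    = "CNAME"
  ttl     = 60
  records = [aws_lb.nlb.dns_name]
}
```

The NLB re-encrypts to the endpoint IPs without validating their certificate, so keep the endpoint's security group restricted to traffic from the NLB's subnets.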