I'm trying to come up with an AWS architecture that guarantees two secure connections: one between the API Gateway and the client's on-premises data center, and a second one between the same API Gateway and a third-party WebApp that lies on the Internet.
Regarding the first connection, I was following this AWS documentation (Integrating Amazon API Gateway private endpoints with on-premises networks):
Note that API Gateway uses Private Endpoints and an integrated Lambda function that will communicate with other AWS services inside of the same VPC.
Now my question is: how can I create connectivity between the same API Gateway and an external third-party WebApp that lies on the Internet?
I was thinking of this architecture, but I would like to have an opinion:
Basically, outbound connectivity is guaranteed by a NAT Gateway inside a public subnet, while inbound connectivity is guaranteed by an Application Load Balancer inside the same public subnet. The connectivity between the public subnet and the Internet WebApp is over HTTPS (where the TLS certificate will be managed by AWS Certificate Manager, ACM).
Could you please tell me if this architecture makes sense?
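For reference, here is the public/private subnet topology described in the question expressed as Terraform. This is an added example, not code from the original post or from the AWS documentation it cites; the CIDRs, the availability-zone lookup, the partner's egress range (TEST-NET-3 as a placeholder), the `acm_certificate_arn` input variable and all resource names are assumptions. It shows the two properties a reviewer would check in such a design: the private subnet's only default route is the NAT Gateway (no inbound path from the Internet), and the ALB is the single inbound listener, restricted to HTTPS on 443 from the partner's range with a TLS 1.2+ policy and an ACM certificate.

```hcl
# Added example (not from the original post): Terraform sketch of the topology.
# Region, CIDRs, partner egress range and certificate ARN are assumptions.
variable "acm_certificate_arn" {
  type = string # ARN of the ACM certificate for the HTTPS listener (assumed input)
}

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # constructed
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Two public subnets: an ALB needs subnets in at least two AZs.
resource "aws_subnet" "public" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]
}

# Private subnet for the Lambda integration; it never gets a route to the IGW.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, 10)
  availability_zone = data.aws_availability_zones.available.names[0]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# NAT Gateway in a public subnet: outbound-only path for the private subnet.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id
  depends_on    = [aws_internet_gateway.igw]
}

# The private route table's only default route is the NAT Gateway, so nothing
# on the Internet can initiate a connection into the private subnet.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# ALB security group: HTTPS only, and only from the partner's published egress range.
resource "aws_security_group" "alb" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # assumption: third-party WebApp egress range
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block] # the ALB only talks to targets inside the VPC
  }
}

# Internet-facing ALB in the public subnets, terminating TLS with the ACM certificate.
resource "aws_lb" "ingress" {
  name                       = "third-party-ingress"
  load_balancer_type         = "application"
  internal                   = false
  security_groups            = [aws_security_group.alb.id]
  subnets                    = aws_subnet.public[*].id
  drop_invalid_header_fields = true
}

# Backend targets (IP addresses in the private subnet) are registered separately.
resource "aws_lb_target_group" "backend" {
  name        = "private-backend"
  port        = 443
  protocol    = "HTTPS"
  target_type = "ip"
  vpc_id      = aws_vpc.main.id
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.ingress.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}
```

The design choice worth noting is the asymmetry: the NAT Gateway gives the private subnet an egress path without ever being a target for inbound traffic, while the ALB is the only component with a public listener, and its security group pins that listener to port 443 from a known source range rather than 0.0.0.0/0. Whatever sits behind the target group (the Lambda integration the question mentions, or another private-subnet backend) is registered against `aws_lb_target_group.backend` and is never reachable directly from the Internet.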