When you create a private API Gateway, you can reach it through its DNS name, but that name resolves only inside your VPC, through a VPC endpoint with Private DNS enabled.

To reach the API Gateway from on-premises, we create an internal ALB in the same AZs that points to the IP addresses of the VPC endpoint's ENIs. (You can find these IP addresses in the network interfaces of the API Gateway VPC endpoint.)

We create an HTTPS listener with the certificate we want to use, and a target group with target type IP and protocol HTTPS (set the health check protocol to HTTPS as well). In the health check settings, choose 200 as the success code.

Insert the A record for the name we want to use to reach the API Gateway, for example execute-api.com, and in the Alias field specify the load balancer.

Request an ACM certificate for the same domain name (it must be in the same region as the API Gateway) and validate it.

Now we can create a custom domain in API Gateway to get rid of the {"message":"Forbidden"} response. Choose the HTTP protocol, insert the domain name, select Regional endpoint, and pick our ACM certificate.

Now try to connect through the ALB again, and it works!
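The same setup expressed as Terraform, as an added example rather than anything from the original post. It assumes an existing execute-api VPC endpoint, an existing internal ALB whose security group admits only the on-premises CIDR, a validated ACM certificate in the API's region, and a deployed private API with a stage named prod; every ARN and ID is a placeholder.

```hcl
# Placeholders: an existing execute-api VPC endpoint, an existing internal ALB,
# a validated ACM certificate in the API's region, and a deployed private API.
# Read the endpoint's ENIs and resolve each one to its private IP, instead of
# copying the addresses by hand from the endpoint's network interfaces.
data "aws_vpc_endpoint" "execute_api" { id = "vpce-PLACEHOLDER" }
data "aws_network_interface" "vpce" {
  for_each = data.aws_vpc_endpoint.execute_api.network_interface_ids
  id       = each.value
}
# IP-type target group speaking HTTPS to the ENIs; health check as in the post.
resource "aws_lb_target_group" "vpce" {
  name        = "apigw-vpce"
  target_type = "ip"
  protocol    = "HTTPS"
  port        = 443
  vpc_id      = data.aws_vpc_endpoint.execute_api.vpc_id
  health_check {
    protocol = "HTTPS"
    matcher  = "200"
  }
}
resource "aws_lb_target_group_attachment" "vpce" {
  for_each         = data.aws_network_interface.vpce
  target_group_arn = aws_lb_target_group.vpce.arn
  target_id        = each.value.private_ip
  port             = 443
}
# HTTPS listener on the internal ALB, serving the certificate for execute-api.com.
resource "aws_lb_listener" "https" {
  load_balancer_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpce.arn
  }
}
# Regional custom domain plus API mapping: API Gateway now matches the Host
# header the ALB forwards instead of answering {"message":"Forbidden"}.
resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "execute-api.com"
  regional_certificate_arn = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  endpoint_configuration { types = ["REGIONAL"] }
}
resource "aws_api_gateway_base_path_mapping" "api" {
  api_id      = "PLACEHOLDER"
  domain_name = aws_api_gateway_domain_name.api.domain_name
  stage_name  = "prod"
}
```

The base path mapping is the piece the console hides behind the custom domain's "API mappings" tab; without it the custom domain exists but routes nowhere. If the targets stay unhealthy, check what the endpoint actually returns for the health check path and adjust the matcher to that status.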
