I have configured the API Gateway with a lambda function. The lambda function is in a VPC with private subnets. I have also attached an internet gateway to the VPC with a route table routing all traffic to the internet gateway. From what I understand, I still shouldn't be able to access any of the API endpoints, as the lambda function is in a private subnet and needs a NAT gateway between the internet gateway and private subnets.
However, with the security group assigned to the lambda function allowing incoming traffic, I am able to access all endpoints.
API Gateways are used for inbound communication, whereas a NAT gateway is used for outbound communication.
Hence, for inbound traffic, once you configure the API Gateway routing to Lambda with an appropriate security policy, you can access the API.
For outbound communication, your private service needs to access a NAT gateway, which will route traffic to the internet gateway and further out to the internet.
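
The inbound/outbound split described in this answer can be checked separately, shown here as an added example that is not part of the original question or answer. It assumes data shaped like the output of EC2 `DescribeRouteTables` and Lambda `GetPolicy`; the sample records, IDs, ARN and the function names `egress_path` and `api_gateway_can_invoke` are constructed for illustration.

```python
import json

# Constructed sample data shaped like EC2 DescribeRouteTables and Lambda GetPolicy
# output; every ID and ARN is a placeholder, not a value from the page.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-a"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-b"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"SubnetId": "subnet-c"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
LAMBDA_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"}]})


def egress_path(subnet_id, route_tables):
    """Outbound side: where does the subnet's default route (0.0.0.0/0) point?"""
    for rt in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            continue
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("NatGatewayId"):
                return "nat-gateway"  # private subnet with internet egress
            if (route.get("GatewayId") or "").startswith("igw-"):
                # Public subnet; a VPC Lambda ENI has no public IP, so no egress here
                return "internet-gateway"
        return "no-default-route"
    return "no-explicit-association"  # subnet falls back to the VPC main route table


def api_gateway_can_invoke(policy_json):
    """Inbound side: does the resource policy explicitly let API Gateway invoke?"""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and "apigateway.amazonaws.com" in services
                and any(a in ("lambda:InvokeFunction", "lambda:*") for a in actions)):
            return True
    return False
```

The two results are independent: the resource policy decides whether API Gateway can invoke the function, while the route table only decides whether code running inside the function can reach the internet.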