I have an AWS REST API Gateway configured with mTLS and a custom domain. This works like a charm. Now, I want to use the AWS Route53 HealthChecks that are hitting the /health endpoint of my gateway. I don't know how to make healthchecks aware of the fact that the gateway is behind mTLS and my configured healthchecks always fail.
I tried enabling the default endpoint from my gateway just to expose that /health endpoint but I can't pick that solution even though it works. Exposing the default endpoint is basically opening my entire API for unauthed traffic.
I also tried to make a non-mTLS /health endpoint in my gateway but it seems like mTLS is a per gateway (per custom domain) setting and it cannot be disabled just for one endpoint.
Any thoughts on how I can solve my issue? Thanks in advance.
It doesn't look possible to use mTLS with Route53 Health Checks. You could instead use Amazon CloudWatch Synthetics to perform your health checks, which is more flexible because it allows you to specify your own script to perform the health check. The runtime environment for CloudWatch Synthetics is a bit limited, but you can embed your mTLS certificate as a PEM format string in your health check script.
Otherwise, you might consider performing health checks against the underlying service(s) that your API Gateway sends traffic to, instead of performing health checks against API Gateway itself.