While preparing for the AWS SAA-C03, many candidates get confused by API Gateway custom domain configuration and ACM certificate region requirements. In the real world, this is fundamentally a decision about endpoint type selection and understanding AWS regional service dependencies. Let’s drill into a simulated scenario.
The Scenario
GlobalTech Solutions has registered their corporate domain globaltech-api.com in Amazon Route 53. Their engineering team operates a microservices architecture in the ca-central-1 region, where Amazon API Gateway serves as the public-facing interface for backend services. External partner organizations consume these APIs for payment processing, inventory synchronization, and order fulfillment.
The CTO wants to replace the default API Gateway URL (e.g., https://abc123xyz.execute-api.ca-central-1.amazonaws.com/prod) with a branded custom domain (api.globaltech-api.com) and ensure all third-party services can connect securely via HTTPS with a trusted SSL/TLS certificate.
Key Requirements
Configure a custom domain for API Gateway with proper HTTPS certificate management while maintaining regional deployment in ca-central-1.
The Options
- A) Create an API Gateway stage variable named Endpoint-URL with the value set to the company domain to override the default URL. Import the public key certificate associated with the company domain into AWS Certificate Manager (ACM).
- B) Create a Route 53 DNS record with the company domain name. Point an alias record to the regional API Gateway stage endpoint. Import the public key certificate associated with the company domain into ACM in the us-east-1 region.
- C) Create a regional API Gateway endpoint. Associate the API Gateway endpoint with the company domain. Import the public key certificate associated with the company domain into ACM in the same region (ca-central-1). Attach the certificate to the API Gateway endpoint. Configure Route 53 to route traffic to the API Gateway endpoint.
- D) Create a regional API Gateway endpoint. Associate the API Gateway endpoint with the company domain. Import the public key certificate into ACM in the us-east-1 region. Attach the certificate to the API Gateway API. Create a Route 53 DNS record with the company domain, pointing an A record to the company domain.
Correct Answer
C.
Step-by-Step Winning Logic
API Gateway custom domains require strict regional alignment between three components:
- API Gateway Regional Endpoint: Deployed in ca-central-1
- ACM Certificate: Must be in the same region as the API Gateway endpoint (ca-central-1) for regional endpoints
- Route 53 Alias Record: Points to the custom domain endpoint created by API Gateway
Why Option C wins:
- ✅ Creates a regional endpoint (lowest latency for ca-central-1 traffic)
- ✅ Certificate imported into ca-central-1 (same region as API Gateway)
- ✅ Proper association workflow: Domain → Certificate → API Gateway
- ✅ Route 53 correctly configured as the final DNS resolution layer
The critical distinction: For regional API Gateway endpoints, ACM certificates must exist in the same AWS region. Only edge-optimized endpoints require certificates in us-east-1 (because they use CloudFront under the hood).
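As an added example (not code from the original post), here is a Python pre-flight check that encodes the region rule before any AWS call is made: it reads the region out of the certificate ARN, picks the matching create_domain_name parameter (regionalCertificateArn for REGIONAL, certificateArn for EDGE), rejects the option B / option D mismatch with a clear message, and builds the Route 53 alias record from the regional domain values the API returns. All ARNs, account ids and zone ids are constructed placeholders.

```python
"""Pre-flight check for an API Gateway custom domain, using boto3 parameter names.

Added example, not code from the original post; the ARNs below are constructed
placeholders and no AWS calls are made.
"""

API_REGION = "ca-central-1"  # region of the regional API Gateway endpoint
CERT_SAME_REGION = "arn:aws:acm:ca-central-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
CERT_US_EAST_1 = "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def cert_region(cert_arn: str) -> str:
    """The region is the fourth colon-separated field of an ACM certificate ARN."""
    parts = cert_arn.split(":")
    if len(parts) < 6 or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {cert_arn}")
    return parts[3]


def domain_name_request(domain: str, endpoint_type: str, api_region: str, cert_arn: str) -> dict:
    """Kwargs for apigateway.create_domain_name, enforcing the certificate-region rule.
    REGIONAL uses regionalCertificateArn and needs the cert in the API's region (option C);
    EDGE uses certificateArn and needs the cert in us-east-1 (CloudFront).
    """
    actual = cert_region(cert_arn)
    if endpoint_type == "REGIONAL":
        required, key = api_region, "regionalCertificateArn"
    elif endpoint_type == "EDGE":
        required, key = "us-east-1", "certificateArn"
    else:
        raise ValueError(f"unsupported endpoint type: {endpoint_type}")
    if actual != required:  # the option B / option D mistake, caught before any API call
        raise ValueError(f"{endpoint_type} endpoint in {api_region} needs a certificate in "
                         f"{required}, but {cert_arn} is in {actual}")
    return {"domainName": domain, key: cert_arn,
            "endpointConfiguration": {"types": [endpoint_type]},
            "securityPolicy": "TLS_1_2"}


def route53_alias_change(domain: str, target_dns_name: str, target_zone_id: str) -> dict:
    """ChangeBatch for route53.change_resource_record_sets: alias A record to the API domain.
    For a regional domain, target_dns_name and target_zone_id are the regionalDomainName
    and regionalHostedZoneId fields in the create_domain_name response.
    """
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": domain, "Type": "A",
        "AliasTarget": {"HostedZoneId": target_zone_id, "DNSName": target_dns_name,
                        "EvaluateTargetHealth": False}}}]}
```

Running the check with the option B inputs (regional endpoint in ca-central-1, certificate in us-east-1) fails fast with a message naming both regions, instead of surfacing later as a "certificate not found" error from the service.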
💎 The Architect’s Deep Dive: Why Options Fail
The Traps (Distractor Analysis)
- Why not Option A?
  Stage variables are for managing configuration differences between deployment stages (dev/test/prod), not for domain customization. You cannot “override” the API Gateway URL with a stage variable—AWS doesn’t expose this mechanism. Additionally, just importing a certificate without associating it with a custom domain configuration accomplishes nothing.
- Why not Option B?
  The us-east-1 certificate trap! This is the most dangerous distractor. While us-east-1 is required for edge-optimized API Gateway endpoints (because they leverage CloudFront), the scenario explicitly operates in ca-central-1 with a regional endpoint. A certificate in us-east-1 cannot be attached to a ca-central-1 regional endpoint. This option would fail during the custom domain creation step with a certificate validation error.
- Why not Option D?
  Multiple fatal flaws:
  - Certificate in us-east-1 (wrong region for regional endpoints)
  - “A record pointing to the company domain” is circular logic (an A record must point to an IP address or use an alias to another AWS resource)
  - The DNS configuration is technically malformed
The Architect Blueprint

```mermaid
graph TD
    User([Third-Party API Consumer]) -->|DNS Query: api.globaltech-api.com| R53[Route 53 Hosted Zone]
    R53 -->|Alias Record| APIGW_Custom[API Gateway Custom Domain<br/>api.globaltech-api.com<br/>ca-central-1]
    APIGW_Custom -->|TLS Handshake| ACM[ACM Certificate<br/>*.globaltech-api.com<br/>ca-central-1]
    APIGW_Custom -->|Routes to| APIGW_Stage[API Gateway Stage<br/>/prod]
    APIGW_Stage -->|Invokes| Lambda[Backend Microservices<br/>Lambda/ECS/EC2]
    style APIGW_Custom fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
    style ACM fill:#DD344C,stroke:#232F3E,stroke-width:2px,color:#fff
    style R53 fill:#8C4FFF,stroke:#232F3E,stroke-width:2px,color:#fff
```
Diagram Note: The Route 53 alias record points to the API Gateway custom domain endpoint, which uses the ACM certificate from the same region (ca-central-1) to terminate TLS before routing requests to the API stage.
Real-World Practitioner Insight
Exam Rule
“For the exam, always remember: Regional API Gateway endpoints require ACM certificates in the same region. Edge-optimized endpoints always use us-east-1 certificates (due to CloudFront integration). When you see a specific region mentioned (like ca-central-1), it’s signaling a regional endpoint.”
Real World
In production environments, you’d also consider:
- Edge-Optimized vs. Regional Trade-off: If most API consumers are global (not regional), an edge-optimized endpoint with CloudFront caching might reduce latency despite the us-east-1 certificate requirement.
- Certificate Automation: Use ACM’s DNS validation with Route 53 for automatic certificate renewal instead of importing certificates manually.
- Multi-Region API Strategy: For high availability, you might deploy API Gateway in multiple regions with Route 53 health checks and failover routing—requiring certificate replication to each region.
- Private API Gateway: For internal-only APIs, consider private API Gateway with VPC endpoints to eliminate internet exposure entirely (custom domains still supported via Route 53 private hosted zones).
- Cost Consideration: Custom domain names themselves have no additional cost, but edge-optimized endpoints incur CloudFront data transfer charges that regional endpoints avoid for same-region traffic.
The certificate region mistake is one of the most common production issues I’ve debugged—teams waste hours troubleshooting “certificate not found” errors simply because they imported it to us-east-1 by habit (since that’s required for CloudFront and many global services).