Score:0

VPC endpoint to reach Beanstalk application associated with a public domain from within VPC


I have a web server running on Beanstalk that is associated with mydomain.org on Route53. Access to this web server is restricted by a security group. I also have a Lambda running in the same VPC, specifically in a private subnet with a NAT gateway, that needs to call this web server. The problem is that the call to mydomain.org/api/dostuff from the Lambda goes out over the public internet instead of remaining inside the VPC, so the only way to make this call work without a timeout is to whitelist the NAT public IP in the security group.

I would like instead to keep the call inside the VPC, so I have created a VPC endpoint for Elastic Beanstalk in the subnet used by the Lambda, thinking that the DNS resolver would keep the traffic inside the VPC, but this is not happening. The call still goes to the public internet.

Any idea how I can keep the traffic inside the VPC while still using the public domain mydomain.org associated with the web server?

Score:1
Tim

If you are addressing the Beanstalk instance by its domain name it will resolve to the public IP, which will probably route the traffic via the public zone. This isn't exactly the internet but it's charged like it is.

Two possible solutions:

  • Have the Lambda address the Beanstalk instance by its private IP (EC2 private IPs don't change). If your EC2 instance(s) scale, are replaced, or you're using a load balancer, this won't work.
  • Set up a Route53 private hosted zone and override the domain name for the VPC so it resolves to the private IP. This should work in more cases, though there's a chance the DNS entry may need to be updated after a deployment, depending on how you have Beanstalk set up.
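The second option, written out as Terraform (an added example, not part of the answer above). It assumes the VPC resource `aws_vpc.main`, the web server's existing security group `aws_security_group.beanstalk`, the Lambda's security group `aws_security_group.lambda`, a variable `var.beanstalk_private_ip` holding the instance's private IP, and that the API call is HTTPS on port 443; all of these are assumptions.

```hcl
# Added example (not the poster's or AWS's own code): a Route53 private hosted zone
# that overrides mydomain.org inside the VPC so the Lambda resolves the private IP.
# Assumed names: aws_vpc.main, aws_security_group.beanstalk, aws_security_group.lambda,
# var.beanstalk_private_ip.

resource "aws_route53_zone" "internal" {
  name = "mydomain.org"

  # Attaching a VPC makes this a private hosted zone: only the VPC's own resolver
  # sees it, and the public zone is untouched. The VPC must have enableDnsSupport
  # and enableDnsHostnames turned on, or the Lambda will not use this zone.
  vpc {
    vpc_id = aws_vpc.main.id
  }
}

resource "aws_route53_record" "web_private" {
  zone_id = aws_route53_zone.internal.zone_id
  name    = "mydomain.org"
  type    = "A"
  ttl     = 60 # short TTL: this IP goes stale if Beanstalk replaces the instance
  records = [var.beanstalk_private_ip]
}

# Allow the Lambda by security group instead of whitelisting the NAT's public IP,
# which would admit anything else that egresses through the same NAT gateway.
resource "aws_security_group_rule" "lambda_to_web" {
  type                     = "ingress"
  security_group_id        = aws_security_group.beanstalk.id
  source_security_group_id = aws_security_group.lambda.id
  from_port                = 443 # assumed HTTPS; use 80 if the API call is plain HTTP
  to_port                  = 443
  protocol                 = "tcp"
}
```

Inside the associated VPC, names under mydomain.org resolve only from this private zone, so any other public records you rely on from within the VPC (www, mail, and so on) have to be duplicated here.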