update readme

packages/aws-cdk-lib/aws-apigateway/README.md

@@ -1496,6 +1496,20 @@ By performing this association, we can invoke the API gateway using the followin
 https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}
 ```
 
+To restrict access to the API Gateway to only the VPC endpoint, you can use the `grantInvoke` method to [add resource policies](https://docs.aws.amazon.com/apigateway/latest/developerguide/private-api-tutorial.html#private-api-tutorial-attach-resource-policy) to the API Gateway:
+
+```ts
+declare const apiGwVpcEndpoint: ec2.IVpcEndpoint;
+
+const api = new apigateway.RestApi(this, 'PrivateApi', {
+  endpointConfiguration: {
+    types: [ apigateway.EndpointType.PRIVATE ],
+    vpcEndpoints: [ apiGwVpcEndpoint ]
+  }
+});
+api.grantInovke(apiGwVpcEndpoint);
+```
+
 ## Private Integrations
 
 A private integration makes it simple to expose HTTP/HTTPS resources behind an

packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts

@@ -465,19 +465,19 @@ export abstract class RestApiBase extends Resource implements IRestApi {
   }
 
   /**
-   * Add a resource policy that only allows API execution from an Interface VPC Endpoint to create a private API.
+   * Add a resource policy that only allows API execution from a VPC Endpoint to create a private API.
    *
-   * @param interfaceVpcEndpoint the interface VPC endpoint to grant access to
+   * @param vpcEndpoint the interface VPC endpoint to grant access to
    */
-  public grantInvoke(interfaceVpcEndpoint: ec2.IInterfaceVpcEndpoint): void {
+  public grantInvoke(vpcEndpoint: ec2.IVpcEndpoint): void {
     this.addToResourcePolicy(new iam.PolicyStatement({
       principals: [new iam.AnyPrincipal()],
       actions: ['execute-api:Invoke'],
       resources: ['execute-api:/*'],
       effect: iam.Effect.DENY,
       conditions: {
         StringNotEquals: {
-          'aws:SourceVpce': interfaceVpcEndpoint.vpcEndpointId,
+          'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
         },
       },
     }));