Port access mode configuration to block API calls from DMZ gateway

In a deployment scenario with a standard API GW in the DMZ and an advanced API GW in the green zone, I want to prevent calls to particular APIs via the external GW.

http://techcommunity.softwareag.com/pwiki/-/wiki/Main/Blocking%20Requests%20to%20Internal%20Services%20in%20an%20API%20Gateway%20DMZ%20Deployment is close to describing what I’m after but it focuses on IS-hosted services, not APIs.

The access mode of a port supports the good ol’ deny or allow by default, with a list of folders and services in the exception list. I'm looking for the same function at the API level. Am I missing something obvious or is it just not there? I don’t want APIs exposed to the outside world simply because they’ve been deployed to the internal API GW (auth can be applied to prevent access, but I want to support “internal only” APIs that may not have/need authenticated access).

Any thoughts would be appreciated!