Ho would you go about preventing the internal apis from getting accessed directly without routing requests through the api gateway?

We would like to enforce all requests to go through the api gateway only.

With Vert.x 3.5 there is a experimental service proxy interceptors feature and the only implemented one is a JWT interceptor:

https://github.com/vert-x3/vertx-service-proxy/blob/master/src/main/java/io/vertx/serviceproxy/ServiceBinder.java

https://github.com/vert-x3/vertx-service-proxy/blob/master/src/main/java/io/vertx/serviceproxy/ServiceJWTInterceptor.java

So you can then protect your service if the given JWT is valid. This was a very late adition to 3.5 and we haven't documented it properly that is why it is considered experimental at the moment.