Private APIGateway failing health checks from Target Group

0

I have a Private, Regional, RESTful API, sitting on the AWS APIGateway for the account. Additionally, I have an ALB in its own VPC, with IP target groups that I am trying to connect to these VPC Endpoints. Following the below: https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/

I have created a VPC Endpoint for the execute-api service, but the target groups are always unhealthy.

I have put an EC2 instance in the same VPC as the ALB, and perform: curl -vk GET https://<API ID>.execute-api.ap-southeast-2.amazonaws.com/prod/health, it returns 200; if I do curl -vk https://<Private IP address>/prod/health it returns 403. Both as expected.

I have set the target group health check status to be 200,403.

Any advice?

Bauxite
asked a month ago · 225 views
1 Answer
0

Hello.

I think the explanation below is probably relevant.
https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/

Note: ALB will be validating the health of API gateway by sending HTTPS requests to IP addresses of VPC endpoints. API Gateway will respond with the 403 code (access forbidden), as ALB will not be providing the correct domain name and stage URL during the health check probes.

Did you set "Matcher" to 403 in the target group health check settings?
I think the health check will be successful if you set "Matcher" (Success Code) to 403 as per the above document.
Also, do you ever get a status code returned from API Gateway that is different from the status code expected in the health check?
For example, if I specify the status code as "200-499", will it succeed?
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html

EXPERT
answered a month ago
  • Thank you for taking the time to reply, but as stated above: I have set the target group health check status to be 200,403. So yes, I have tried to set 403 as one of the acceptable result codes; I have also tried it with ONLY 403.
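
Added example, not part of the original thread or the AWS blog post: a Python check that evaluates a target group's success-code matcher against the 403 discussed above and lists the reason code ELB reports for each unhealthy target, since the matcher only matters when a response actually came back. The dictionaries mimic the output of aws elbv2 describe-target-groups and describe-target-health; all values, including the IP addresses, are constructed, and the function names are hypothetical.

```python
# Constructed sample data shaped like `aws elbv2 describe-target-groups` and
# `describe-target-health` output; the IP addresses are placeholders.
SAMPLE_TG = {"HealthCheckProtocol": "HTTPS", "Matcher": {"HttpCode": "200,403"}}
SAMPLE_HEALTH = [
    {"Target": {"Id": "10.0.1.10"},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.Timeout"}},
    {"Target": {"Id": "10.0.2.10"},
     "TargetHealth": {"State": "unhealthy",
                      "Reason": "Target.ResponseCodeMismatch"}},
]

# What an unhealthy reason code implies about the success-code matcher.
HINTS = {
    "Target.ResponseCodeMismatch": "target replied with a code the matcher rejects",
    "Target.Timeout": "no reply before the timeout, so the matcher was never applied",
}


def matcher_accepts(http_code, status):
    """Evaluate a Matcher.HttpCode string such as "403", "200,403" or "200-499"."""
    for part in (p.strip() for p in http_code.split(",")):
        if "-" in part:
            low, high = part.split("-", 1)
            if int(low) <= status <= int(high):
                return True
        elif part and int(part) == status:
            return True
    return False


def review(target_group, health, expected=403):
    """Return findings for one target group and its target health descriptions."""
    findings = []
    if target_group.get("HealthCheckProtocol") != "HTTPS":
        findings.append("health check protocol is not HTTPS")
    code = target_group.get("Matcher", {}).get("HttpCode", "")
    if not matcher_accepts(code, expected):
        findings.append(f"matcher {code!r} does not accept {expected}")
    for desc in health:
        state = desc["TargetHealth"]
        if state["State"] == "unhealthy":
            reason = state.get("Reason", "unknown")
            hint = HINTS.get(reason, "see the Description field")
            findings.append(f'{desc["Target"]["Id"]}: {reason} ({hint})')
    return findings


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_TG, SAMPLE_HEALTH)))
```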
