I get a "400 Bad Request" error when I call my API with private integration in Amazon API Gateway.
Resolution
The "400 Bad Request" error occurs when there are configuration issues with an API Gateway private integration.
HTTP APIs
Load balancers configured on an HTTPS or TLS listener
By default, private integrations for HTTP APIs use the HTTP protocol. If you have an HTTPS or TLS listener configured, then the Application Load Balancer or Network Load Balancer expects HTTPS requests instead of HTTP requests. This results in the following error:
"400 Bad Request. The plain HTTP request was sent to HTTPS port."
For an HTTPS or TLS listener, you must specify a server name in the TLS configuration. To configure the HTTPS protocol, complete the following steps:
1. Record the domain name of the internal Application Load Balancer or Network Load Balancer.
2. Open the API Gateway console.
3. Open the API's integration settings to edit the configuration.
4. Use the domain name from step 1 to specify the server name for the TLS configuration.
5. (Optional) If you turned off automatic deployments, then redeploy the API.
Desync mitigation mode is set to strictest
HTTP APIs allow for private integration or virtual private cloud (VPC) link integration to use an Application Load Balancer. If your API Gateway configuration is correct but the Application Load Balancer's desync mitigation mode is set to strictest, then you receive the following error:
"400 Bad Request."
Desync mitigation mode protects your application from issues caused by HTTP desync. For more information, check the Application Load Balancer metric DesyncMitigationMode_NonCompliant_Request_Count.
To change the desync mitigation mode from strictest to defensive, complete the following steps:
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- In the navigation pane, choose Load Balancers, and then select the Network Load Balancer you want to edit.
- Choose Actions, and then choose Edit load balancer attributes.
- For Packet handling, choose Defensive.
- Choose Save changes.
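Both HTTP API causes above can be checked offline from exported configuration. The following Python is an added example, not AWS code: it assumes input shaped like the output of `aws apigatewayv2 get-integrations`, `aws elbv2 describe-listeners` and `aws elbv2 describe-load-balancer-attributes`, and every ARN, ID and host name in it is constructed.

```python
# Added example; all ARNs, IDs and host names below are constructed.
DESYNC_KEY = "routing.http.desync_mitigation_mode"

def audit_private_integrations(integrations, listeners, lb_attributes):
    """Return (integration_id, finding) tuples for HTTP API private integrations.

    integrations:  "Items" list from get-integrations
    listeners:     "Listeners" list from describe-listeners
    lb_attributes: dict mapping load balancer ARN -> "Attributes" list
    """
    by_arn = {l["ListenerArn"]: l for l in listeners}
    findings = []
    for integ in integrations:
        if integ.get("ConnectionType") != "VPC_LINK":
            continue  # only private integrations are in scope
        listener = by_arn.get(integ.get("IntegrationUri"))
        if listener is None:
            continue  # URI does not point at a listener we were given
        iid = integ["IntegrationId"]
        # Cause 1: HTTPS or TLS listener, but no server name in the TLS configuration
        server_name = (integ.get("TlsConfig") or {}).get("ServerNameToVerify")
        if listener["Protocol"] in ("HTTPS", "TLS") and not server_name:
            findings.append((iid, "tls-listener-without-server-name"))
        # Cause 2: load balancer desync mitigation mode is set to strictest
        attrs = {a["Key"]: a["Value"]
                 for a in lb_attributes.get(listener["LoadBalancerArn"], [])}
        if attrs.get(DESYNC_KEY) == "strictest":
            findings.append((iid, "desync-mode-strictest"))
    return findings

# Constructed sample input
LB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0000000000000000"
LISTENER = LB.replace(":loadbalancer/", ":listener/") + "/1111111111111111"
SAMPLE_LISTENERS = [{"ListenerArn": LISTENER, "LoadBalancerArn": LB,
                     "Protocol": "HTTPS", "Port": 443}]
SAMPLE_ATTRS = {LB: [{"Key": DESYNC_KEY, "Value": "strictest"}]}
SAMPLE_INTEGRATIONS = [
    {"IntegrationId": "int-a", "ConnectionType": "VPC_LINK", "IntegrationUri": LISTENER},
    {"IntegrationId": "int-b", "ConnectionType": "VPC_LINK", "IntegrationUri": LISTENER,
     "TlsConfig": {"ServerNameToVerify": "internal-alb.example.com"}},
]

if __name__ == "__main__":
    for iid, finding in audit_private_integrations(
            SAMPLE_INTEGRATIONS, SAMPLE_LISTENERS, SAMPLE_ATTRS):
        print(iid, finding)
```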
REST APIs
Network Load Balancers configured with a TLS listener expect HTTPS requests from the upstream service. If you specify the HTTP URL as an integration endpoint URL in the REST API configuration, then requests fail with the following error:
"400 Bad Request. The plain HTTP request was sent to HTTPS port."
To configure the HTTPS protocol, complete the following steps:
- Open the API Gateway console.
- Open the API's integration settings to edit the configuration.
- Modify the endpoint URL to use https:// instead of http://.
- Redeploy the API.
Important: When you change the endpoint URL to HTTPS, make sure to use the same domain name that you used when you configured the TLS listener.
Related information
How do I integrate an API Gateway REST API with an Application Load Balancer?
How can I delete an Amazon VPC link for my Amazon Gateway REST API?