I get an HTTP 403 Forbidden error when I call my Amazon API Gateway API from my virtual private cloud (VPC).
Short description
The HTTP 403 Forbidden error occurs when you turn on private DNS for an API Gateway interface VPC endpoint that's associated with a VPC. In this case, all requests from the VPC to API Gateway APIs resolve to that interface VPC endpoint. However, a VPC endpoint can't be used to connect to public APIs.
The private DNS name of a VPC endpoint is in the format *.execute-api.exampleRegion.amazonaws.com, where the * character is a placeholder for the API ID. This format matches the API Gateway default invoke URL for public and private APIs.
When private DNS is turned on for a VPC endpoint, the API's invoke URL is covered by the private DNS name. When a DNS query for a public API is resolved from inside the VPC, the answer is the private IP of the associated VPC endpoint. The API call is then routed to the public API through the VPC endpoint instead of through the internet. Because VPC endpoints can route traffic only to private APIs, the result is an HTTP 403 error.
You also get a 403 error when you use the default execute-api invoke URL to connect to private APIs from on-premises with AWS Direct Connect.
Resolution
Confirm whether private DNS is turned on for an interface VPC endpoint that's associated with your VPC
Check your VPC to see if there's an interface VPC endpoint for access to a private API. If there's an interface endpoint, then check whether its private DNS setting is turned on. For more information, see DNS attributes for your VPC.
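To make this check concrete, the following added Python script (not AWS's own code) applies the rule above to a constructed describe-vpc-endpoints response and a constructed DNS answer; in practice you would feed it the output of `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>` and a lookup of the invoke URL run from an instance inside the VPC. The VPC ID, VPC CIDR, endpoint ID, API ID and IP addresses are placeholders.

```python
"""Added example (not AWS's own code): decide whether a 403 from API Gateway
is the private-DNS case described above. SAMPLE_* values are constructed in
the shape of `aws ec2 describe-vpc-endpoints` output and of a DNS lookup of
the invoke URL made from inside the VPC; nothing here calls AWS."""
import ipaddress
import re

# Default invoke URL: <api-id>.execute-api.<region>.amazonaws.com
EXECUTE_API_HOST = re.compile(r"^[a-z0-9]+\.execute-api\.([a-z0-9-]+)\.amazonaws\.com$")

SAMPLE_VPC_ID, SAMPLE_VPC_CIDR = "vpc-0example", "10.0.0.0/16"  # placeholders
SAMPLE_ENDPOINTS = [  # constructed; same keys as the real describe-vpc-endpoints response
    {"VpcEndpointId": "vpce-0example1", "VpcId": SAMPLE_VPC_ID, "State": "available",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.us-east-1.execute-api"},
]

def capturing_endpoints(endpoints, vpc_id, region):
    """IDs of available execute-api interface endpoints in vpc_id with private DNS on.
    Any such endpoint makes *.execute-api.<region>.amazonaws.com resolve privately."""
    return [
        ep["VpcEndpointId"] for ep in endpoints
        if ep.get("VpcId") == vpc_id and ep.get("State") == "available"
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("ServiceName") == f"com.amazonaws.{region}.execute-api"
        and ep.get("PrivateDnsEnabled") is True
    ]

def diagnose(endpoints, vpc_id, vpc_cidr, host, resolved_ips):
    """Classify a call to `host` that resolved to `resolved_ips` from inside the VPC."""
    match = EXECUTE_API_HOST.match(host)
    if not match:
        return "not-execute-api-host"  # custom domain: the private DNS name does not cover it
    region = match.group(1)
    captured = capturing_endpoints(endpoints, vpc_id, region)
    vpc = ipaddress.ip_network(vpc_cidr)
    private = [ip for ip in resolved_ips if ipaddress.ip_address(ip) in vpc]
    if captured and private:
        return "captured-by-private-dns"  # a public API call will hit the endpoint -> 403
    if captured:
        return "private-dns-on-but-public-answer"  # the lookup did not use the VPC resolver
    if private:
        return "private-answer-without-endpoint"  # e.g. a Route 53 Resolver rule or host override
    return "public-path"

if __name__ == "__main__":
    host = "abcd1234.execute-api.us-east-1.amazonaws.com"  # abcd1234 is a placeholder API ID
    print(diagnose(SAMPLE_ENDPOINTS, SAMPLE_VPC_ID, SAMPLE_VPC_CIDR, host, ["10.0.1.25"]))
```

A result of captured-by-private-dns for a public API's invoke URL is the situation this article describes; the fixes in the next sections apply.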
Connect to public APIs with private DNS turned on
If private DNS is turned on, set up edge-optimized custom domain names or Regional custom domain names to connect to your public APIs.
If the clients connect from an on-premises network, set up an Amazon Route 53 Resolver inbound endpoint. To use the execute-api invoke URL, forward all private DNS queries from your remote network to the inbound endpoint.
Important: Your VPC resources must have internet connectivity to connect to your public APIs. Use A type alias records to configure DNS records for a Regional custom domain name. For edge-optimized custom domain names, use either A type alias records or CNAME records.
Connect to public APIs when private DNS isn't turned on
If your VPC has permission to access your public APIs, then use public DNS to connect to your public APIs. For more information, see Control and manage access to REST APIs in API Gateway.
(Optional) Change the private DNS setting for an interface VPC endpoint
You can change the private DNS setting for an interface VPC endpoint at any time. Changes to this setting affect the resolution of an API stage URL to the private IP of the interface VPC endpoint.
To change the private DNS setting for an interface VPC endpoint, complete the following steps:
- Open the Amazon VPC console.
- Open the Endpoints pane.
- Select your interface VPC endpoint.
- Choose Actions, and then choose Modify Private DNS names.
- For Enable Private DNS Name, select or clear the Enable for this endpoint check box.
- Choose Modify Private DNS names.
Note: Changes to the private DNS setting affect how users can connect to private APIs and public APIs from a VPC.
For more information, see View and update DNS attributes for your VPC.
Related information
Access an AWS service using an interface VPC endpoint
Custom domain name for REST APIs in API Gateway