I'm setting up a private API Gateway with a single endpoint with a proxy integration to a lambda that echoes the entered path parameter. When testing this API in the console everything works as intended. The resource policy for the API Gateway is set up as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:<region>:<account-id>:<api-gateway-id>/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:<region>:<account-id>:<api-gateway-id>/*",
"Condition": {
"StringNotEquals": {
"aws:SourceVpc": "<vpc-id>"
}
}
}
]
}
I've also set up a VPC Endpoint in my VPC. The endpoint is connected to one subnet in each AZ. The security group for the VPCE is set up to allow inbound TCP traffic on port 443 (HTTPS) from anywhere and all outbound traffic to anywhere. The endpoint has Private DNS Names Enabled set to true. The policy is set to allow full access.
The API Gateway was created via the console and I associated the VPCE to the API Gateway when I created the API Gateway. I've also later disassociated and reassociated the the VPCE to the API Gateway via the console. I've also associated the VPCE to the API via cli.
My problem is that when I'm now trying to access the endpoint that I set up in my private API Gateway via curl from an EC2 in one of the subnets associated with the VPCE, I get a 403 response with body {"message":"forbidden"}. I'm using the first two dns listed under DNS names in the Details pane for my VPCE.
I have also tried using the private dns (https://<api-gateway-id>.execute-api.<region>.amazonaws.com). That results in a "Could not resolve host:" response. This is a second or alternative problem as the VPCE has Private DNS Names set to enabled and should work if I've understood it correctly.
So far some of the things I've tried:
I've tried with and without the stage name as the initial path.
I've removing the Resource policy from the API Gateway and I've tried removing the Deny-part of it. I've also tried with a Deny-part with VPCE instead of VPC.
The troubleshooting guide at Link: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-private-endpoint-connection/ indicates that it might be the resource policy but I haven't been able to figure it out.
One thing I've noticed is that after associating the VPCE to my API Gateway it shows in the list in the console. However, when I use the aws get-rest-api command in the console, the VPCE is not listed in the endpointConfiguration like is shows in the response here: Link: https://docs.aws.amazon.com/apigateway/latest/developerguide/associate-private-api-with-vpc-endpoint.html
Is it the resource policy that is wrong or is it something else I'm missing?
Thanks in advance
Edited by: frlo on Jan 20, 2020 1:36 AM
AWS OFFICIALUpdated a year ago
