Amazon API Gateway Proxy - VPC Endpoint - NLB - Private DNS - Self-signed SSL


I'm trying to set up an API Gateway as a simple proxy, using the Proxy option. The back-end is a REST API endpoint hosted by an NLB with a self-signed SSL certificate generated by ACM.

API Gateway -> Proxy Integration -> VPC Endpoint -> (HTTPS) NLB -> Internal APIs hosted by EC2s.

The SSL certificate was created by ACM using a Private CA with a self-signed certificate, with the common name api.example.local (intended to be a local, private DNS name).

Route 53 has a Private Hosted Zone record:

example.local with an ALIAS Record: api.example.local -> NLB URL

When I create the API Gateway Proxy Configuration:

Integration Type: VPC_PROXY
Use Proxy Integration = enabled (checked)
VPC endpoint = selected the NLB VPC endpoint
Endpoint URL: when I put in https://api.example.local/{proxy}

It gives the error: Invalid HTTP endpoint specified for URI

Looks like the API Gateway is NOT able to resolve the R53 Private DNS name (api.example.local).

Is this expected? What is the right way to set up private NLB SSL certs and a private DNS name for the NLB so that API Gateway can pass traffic through? Is it possible, or does the NLB have to have a public DNS name to work?

3 Answers
Accepted Answer

You don't mention whether you're using VPC Link for API Gateway HTTP APIs or for API Gateway REST APIs (it's not essential to know, but it would narrow down the responses somewhat).

But for both of those you don't need to resolve the NLB DNS name: you configure API Gateway to point directly to the NLB you have already configured. For REST APIs you create a VPC Link per NLB; for HTTP APIs you create a VPC Link per VPC and then, in each integration, you select the appropriate NLB.

I'm not sure if this is the question you're asking. I would test this first without private certificates (to see whether the private certificates are the problem or there is another issue) and then, once you have it working, add the additional layers.

answered 4 years ago
reviewed 6 months ago
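The accepted answer's advice for a REST API (one VPC Link per NLB, integration pointed at the NLB itself rather than at a private Route 53 name) expressed as an OpenAPI definition with the x-amazon-apigateway-integration extension. This is an added example, not code from the question or the answer; the VPC Link ID and the NLB DNS name are placeholders, and the certificate-verification setting is left at its strict default so that a private-CA problem surfaces as a TLS error rather than being hidden.

```yaml
openapi: "3.0.1"
info:
  title: internal-api-proxy
  version: "1.0"
paths:
  # Greedy proxy resource: everything under / is forwarded unchanged
  /{proxy+}:
    x-amazon-apigateway-any-method:
      parameters:
        - name: proxy
          in: path
          required: true
          schema:
            type: string
      x-amazon-apigateway-integration:
        type: http_proxy
        httpMethod: ANY
        connectionType: VPC_LINK
        # Placeholder: the VPC Link created for this NLB (REST APIs use one VPC Link per NLB)
        connectionId: "VPC_LINK_ID_PLACEHOLDER"
        # Placeholder: the NLB's own DNS name. The accepted answer points the
        # integration at the NLB directly instead of the api.example.local alias.
        uri: "https://NLB_DNS_NAME_PLACEHOLDER/{proxy}"
        requestParameters:
          integration.request.path.proxy: method.request.path.proxy
        tlsConfig:
          # Keep certificate verification on. Per the accepted answer, get the link
          # working first and add the private-CA certificate as a separate step.
          insecureSkipVerification: false
```

For an HTTP API the same extension is used with the answer's "VPC Link per VPC, pick the NLB per integration" model: `payloadFormatVersion: "1.0"`, the `uri` set to the NLB listener ARN instead of a URL, and `tlsConfig.serverNameToVerify` set to the host name on the private certificate so verification can succeed against the Private CA without switching off checks.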

Maybe something related to this. Can I have a DNS alias A record for the created NLB in such a scenario and use that alias in a private API Gateway integration as the endpoint URL instead of the default NLB domain name? If I do so I get the error "Invalid HTTP endpoint specified for URI". Is it supported? To give more context: behind the NLB I have a target group with an ALB with a private certificate from an on-premise self-hosted CA. But I configured tlsConfig with insecureSkipVerification set to true in x-amazon-apigateway-integration for that endpoint. So I guess such a private cert should be accepted then?

answered a year ago
• Is this a repeat of the question or an answer? If you are trying to answer whether the tlsConfig with insecureSkipVerification = T can work, what is your verification result? Does it work? I felt the first step, private DNS resolution, in this scenario seems not to be working, not even getting to the HTTPS TLS handshaking state. Also, insecureSkipVerification is usually not recommended, although the integration endpoint is private and possibly owned by the API owner.


I got the same error. It seems that API Gateway only accepts existing TLDs even if you defined private zones in Route 53. You can hit .dev and .qa but not .local or .prod.

answered a year ago
