CloudFront - API Gateway as Reverse HTTP Proxy to CloudFront - ALB - EC2

0

I'm trying to set up an API Gateway as a simple proxy, using the Proxy option. The back-end is a endpoint hosted by an Cloudfront as reverse proxy for ALB + application running on EC2.

User -> Cloudfront -> API Gateway Proxy Integration -> CLoudFront -> ALB -> Internal APIs hosted by EC2s. Cloudfront and API gw proxy located is in AWS account A and CloudFront + ALB + EC2 is located in account B.

When I use API gateway console to test method, request hits the targeted internal api without any problem. Test execution log:

Execution log for request 849015fb-12c9-4619-bc96-363ecb6e9e94
Fri Nov 18 17:33:08 UTC 2022 : Starting execution for request: 849015fb-12c9-4619-bc96-363ecb6e9e94
Fri Nov 18 17:33:08 UTC 2022 : HTTP Method: POST, Resource Path: /api/v2/test/apply
Fri Nov 18 17:33:08 UTC 2022 : Method request path: {}
Fri Nov 18 17:33:08 UTC 2022 : Method request query string: {}
Fri Nov 18 17:33:08 UTC 2022 : Method request headers: {}
Fri Nov 18 17:33:08 UTC 2022 : Method request body before transformations: 
Fri Nov 18 17:33:08 UTC 2022 : Endpoint request URI: https://example.com/ext/v2/test/apply
Fri Nov 18 17:33:08 UTC 2022 : Endpoint request headers: {x-amzn-apigateway-api-id=u041f78dig, User-Agent=AmazonAPIGateway_u041f78dig, X-Custom-Header=xxx}
Fri Nov 18 17:33:08 UTC 2022 : Endpoint request body after transformations: 
Fri Nov 18 17:33:08 UTC 2022 : Sending request to https://example.com/ext/v2/test/apply
Fri Nov 18 17:33:08 UTC 2022 : Received response. Status: 400, Integration latency: 55 ms
Fri Nov 18 17:33:08 UTC 2022 : Endpoint response headers: {Content-Length=0, Connection=keep-alive, Date=Fri, 18 Nov 2022 17:33:08 GMT, Server=nginx, X-Custom-Header=4100adeb, X-Cache=Error from cloudfront, Via=1.1 c022ca80d7b946eb138dfd2e55c98980.cloudfront.net (CloudFront), X-Amz-Cf-Pop=IAD12-P4, X-Amz-Cf-Id=xxx}
Fri Nov 18 17:33:08 UTC 2022 : Endpoint response body before transformations: 
Fri Nov 18 17:33:08 UTC 2022 : Method response body after transformations: 
Fri Nov 18 17:33:08 UTC 2022 : Method response headers: {Content-Length=0, Connection=keep-alive, Date=Fri, 18 Nov 2022 17:33:08 GMT, Server=nginx, X-Custom-Header=4100adeb, X-Cache=Error from cloudfront, Via=1.1 c022ca80d7b946eb138dfd2e55c98980.cloudfront.net (CloudFront), X-Amz-Cf-Pop=IAD12-P4, X-Amz-Cf-Id=xxx}
Fri Nov 18 17:33:08 UTC 2022 : Successfully completed execution
Fri Nov 18 17:33:08 UTC 2022 : Method completed with status: 400

You can count 400 as success, because it returned from internal api running on EC2.

When I'm trying to invoke cloudfront-account-a.com/api/v2/test/apply I'm getting 403 error from CF with the following headers:

access-control-allow-origin: *
access-control-expose-headers: *
content-length: 915
content-type: text/html
date: Fri, 18 Nov 2022 17:11:43 GMT
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000
via: 1.1 a27022837959b6f70545c8d6d0de9d04.cloudfront.net (CloudFront), 1.1 f0f1092b2ad1f0e573a4fcbefe4fb620.cloudfront.net (CloudFront), 1.1 6bc1c280aeef9bbdeb102c7f4e4f773e.cloudfront.net (CloudFront)
x-amz-apigw-id: xxx
x-amz-cf-id: xxx
x-amz-cf-pop: IAD12-P4
x-amz-cf-pop: IAD79-C1
x-amz-cf-pop: IAD89-C1
x-amzn-remapped-connection: keep-alive
x-amzn-remapped-content-length: 915
x-amzn-remapped-date: Fri, 18 Nov 2022 17:11:43 GMT
x-amzn-remapped-server: CloudFront
x-amzn-requestid: 4d928828-e650-492f-b165-0654c97acab5
x-cache: Error from cloudfront
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

What I'm doing wrong? Is it even possible to proxy request in the way I'm trying to do?

1 Answer
0

There could be multiple reasons why you are observing 403 error from the AWS Cloudfront, it is required to view the complete error message you are getting for the Curl test and also the Cloudfront and API gateway configuration in order to further understand the error. Please find the below document which explains on troubleshoot to HTTP 403 errors from API Gateway and 403 errors from CloudFront:

Also third party document with similar error : https://stackoverflow.com/questions/49808921/aws-cloudfront-api-endpoint-responding-with-forbidden403

Having shared the above, to answer your question and assist you in right direction, we require details that are non-public information. Please open a support case with AWS using the following link https://console.aws.amazon.com/support/home#/case/create

SUPPORT ENGINEER
answered 16 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions