Use lambda (account A) to invoke vpc endpoint (account a) to call the private api (account b)

I have a lambda and a vpc endpoint in account a. I have configured the Lambda to be in the same vpc and subnets/security group as the VPC Endpoint. In account b, I have a private api, which I am trying to call from the lambda in account a.

In the code for my lambda, I am a bit confused when trying to invoke this. This is code from my lambda_handler function:

    import json
    import os
    import urllib3

    # Configuration values: the question does not show where these are set, so they are
    # read from environment variables here (an assumption). vpce_url is the full https URL
    # built on the VPC endpoint DNS name in account A, including the stage and resource path.
    api_id = os.environ['API_ID']        # id of the private API in account B
    region = os.environ['AWS_REGION']    # region of the private API
    vpce_url = os.environ['VPCE_URL']


    def lambda_handler(event, context):
        # The TLS connection goes to the VPC endpoint (vpce_url); the Host or the
        # x-apigw-api-id header tells API Gateway which private API in account B to route to.
        headers = {
            'Host': f"{api_id}.execute-api.{region}.amazonaws.com",
            'x-apigw-api-id': api_id,
            'Content-Type': 'application/json'  # Set content type to JSON
        }

        # Extract the payload from the event ('body' may be missing or None)
        payload = json.loads(event.get('body') or '{}')

        http = urllib3.PoolManager()

        try:
            # Make a POST request to the private API in Account B
            encoded_data = json.dumps(payload).encode('utf-8')
            response = http.request(
                'POST',
                vpce_url,
                body=encoded_data,
                headers=headers
            )

            # Check if the request was successful
            if response.status == 200:
                return {
                    'statusCode': 200,
                    'body': json.dumps({
                        'message': 'Request to private API was successful',
                        'data': json.loads(response.data.decode('utf-8'))
                    })
                }
            else:
                return {
                    'statusCode': response.status,
                    'body': json.dumps({
                        'message': 'Failed to invoke private API',
                        'error': response.data.decode('utf-8')
                    })
                }
        except Exception as e:
            return {
                'statusCode': 500,
                'body': json.dumps({
                    'message': 'Error invoking private API',
                    'error': str(e)
                })
            }

vpce_url is my VPC endpoint DNS name in account a. api_url is the invoke URL for my private API in account b.

I am unsure which I should be using to call the http.request with urllib3. I am also unsure if I am redirecting the vpce correctly to the private api by using the request headers, specifically Host and x-apigw-api-id.

1 Answer

Hello,

I think by correctly setting the Host or x-apigw-api-id header and using the vpce_url in the http.request call, your Lambda function should be able to invoke the private API Gateway in Account B through the VPC Endpoint in Account A.


References:

  1. https://docs.aws.amazon.com/whitepapers/latest/best-practices-api-gateway-private-apis-integration/rest-api.html#sample-architecture-patterns
  2. https://aws.amazon.com/blogs/compute/understanding-vpc-links-in-amazon-api-gateway-private-integrations/
  3. https://aws.amazon.com/blogs/compute/architecture-patterns-for-consuming-private-apis-cross-account/
EXPERT
answered 2 months ago
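The following is an added example, not code from the question or the answer above, showing the routing the answer describes in a form that can be checked offline: the URL is built on the VPC endpoint DNS name (account A) and the Host header, or alternatively x-apigw-api-id, names the private API (account B). The endpoint DNS name, API id, region, stage and path are parameters rather than values from the post, the real HTTP call goes through an injectable `send` callable (a urllib3 sender is provided), and the Lambda handler's environment variable names are placeholders.

```python
import json
from typing import Callable, Dict, Tuple

# Type of the injectable HTTP sender: (method, url, body, headers) -> (status, response bytes).
Sender = Callable[[str, str, bytes, Dict[str, str]], Tuple[int, bytes]]


def build_private_api_request(vpce_dns: str, api_id: str, region: str, stage: str,
                              path: str, use_header: str = "Host") -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for calling a private API through an execute-api VPC endpoint.

    The connection is made to the endpoint's DNS name in account A, so the URL is built on
    vpce_dns. API Gateway picks the target API from either the Host header (the API's own
    execute-api hostname) or the x-apigw-api-id header; one of the two is enough.
    """
    if use_header not in ("Host", "x-apigw-api-id"):
        raise ValueError("use_header must be 'Host' or 'x-apigw-api-id'")
    url = f"https://{vpce_dns}/{stage}/{path.lstrip('/')}"
    headers = {"Content-Type": "application/json"}
    if use_header == "Host":
        headers["Host"] = f"{api_id}.execute-api.{region}.amazonaws.com"
    else:
        headers["x-apigw-api-id"] = api_id
    return url, headers


def urllib3_sender(method: str, url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real sender using urllib3 (imported lazily so the module loads without it).

    urllib3 validates the TLS certificate against the hostname in the URL, i.e. the VPC
    endpoint's DNS name, which is the name the endpoint's certificate is issued for; the
    overridden Host header only affects routing inside API Gateway.
    """
    import urllib3
    http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED")
    resp = http.request(method, url, body=body, headers=headers)
    return resp.status, resp.data


def invoke_private_api(vpce_dns: str, api_id: str, region: str, stage: str, path: str,
                       payload: dict, send: Sender = urllib3_sender) -> dict:
    """POST payload to the private API and return a plain result dict.

    A 403 from this call is usually an authorization problem, not a network one: the
    private API's resource policy in account B does not allow the calling endpoint
    (aws:SourceVpce), or the Host / x-apigw-api-id header names the wrong API.
    """
    url, headers = build_private_api_request(vpce_dns, api_id, region, stage, path)
    try:
        status, data = send("POST", url, json.dumps(payload).encode("utf-8"), headers)
    except Exception as exc:  # DNS, TLS or connection failures
        return {"status": 500, "error": f"transport error: {exc}"}
    text = data.decode("utf-8", errors="replace")
    if 200 <= status < 300:
        try:
            return {"status": status, "data": json.loads(text)}
        except json.JSONDecodeError:
            return {"status": status, "data": text}
    return {"status": status, "error": text}


def lambda_handler(event, context):
    """Lambda entry point; the environment variable names are placeholders, not from the post."""
    import os
    result = invoke_private_api(
        vpce_dns=os.environ["VPCE_DNS"],   # e.g. vpce-<id>-<suffix>.execute-api.<region>.vpce.amazonaws.com
        api_id=os.environ["API_ID"],
        region=os.environ["AWS_REGION"],
        stage=os.environ.get("API_STAGE", "prod"),
        path=os.environ.get("API_PATH", "/"),
        payload=json.loads(event.get("body") or "{}"),
    )
    return {"statusCode": result["status"], "body": json.dumps(result)}
```

Because the sender is injectable, the URL and header construction can be unit-tested without a VPC, and the same module runs unchanged inside the Lambda with the urllib3 sender. The Lambda's execution role plays no part in authorizing the call: for a private API it is account B's resource policy, conditioned on the account A endpoint id, that decides whether the request is accepted.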
