Access to a private REST API Gateway between regions

0

Hello,

Wondering if it is possible to share a private REST API Gateway between accounts in different regions.

Account A owns the API Gateway in us-east-1. Account B, in sa-east-1, must have access to this private API Gateway in Account A.

Is this possible?

I already tried with VPC endpoints and adjusting the gateway resource policy and VPC endpoint policy.

3 Answers
1
Accepted Answer
  1. VPC Peering: Establish a VPC peering connection between the VPC in us-east-1 (Account A) and the VPC in sa-east-1 (Account B). This connection will allow networking communication between the two VPCs across regions.
  2. Update Route Tables: After setting up the VPC peering connection, you'll need to update the route tables in both VPCs to route the relevant API traffic through the peering connection.
  3. API Gateway Resource Policy: Modify the resource policy of the API Gateway in Account A to allow access from Account B. This involves specifying the VPC endpoint of the Account B VPC as an allowed source.
  4. VPC Endpoint for API Gateway: You mentioned that you already tried with VPC endpoints. Ensure that you have set up a VPC endpoint in Account B’s VPC for accessing the API Gateway service. This endpoint should be configured to connect to the API Gateway in Account A through the VPC peering connection.
  5. Endpoint Policy and Security Groups: Adjust the endpoint policy on Account B’s VPC endpoint to allow connections to the specific API Gateway in Account A. Also, review the security group settings to ensure that traffic is allowed on the necessary ports from Account B’s VPC endpoint.
  6. DNS Resolution: Make sure that DNS resolution is configured to properly resolve the endpoint of the API Gateway across the VPC peering connection. You might need to enable DNS resolution and DNS hostnames in both VPCs if not already enabled.
  7. IAM Permissions: Ensure that the IAM roles and policies in Account B have the necessary permissions to access the API Gateway in Account A.
answered 10 days ago
reviewed by Artem 10 days ago
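The two policy pieces in steps 3 and 5 above are the part most often gotten wrong, so here is an added example (not code from the thread or from AWS) that builds them, checks the resource policy with a tiny evaluator before it is attached, and derives the endpoint-specific invoke hostname the last answer in this thread ends up using. All account, API and endpoint IDs are constructed placeholders; the evaluator handles only the aws:SourceVpce condition and is not a general IAM simulator.

```python
"""Added example: resource policy + endpoint policy for a private REST API
reached through a VPC endpoint owned by another account, with a small
pre-deployment check. Every identifier below is a constructed placeholder."""
import json

# Constructed placeholder identifiers (assumptions, not values from the thread).
ACCOUNT_A = "111111111111"          # API owner account (us-east-1)
REGION_A = "us-east-1"
API_ID = "a1b2c3d4e5"
VPCE_B = "vpce-0123456789abcdef0"   # execute-api interface endpoint in Account B's VPC


def api_gateway_resource_policy(account_id, region, api_id, allowed_vpce_ids):
    """Resource policy for the private API in Account A.

    Two statements: Allow execute-api:Invoke when the request arrives through one
    of the listed VPC endpoints, and an explicit Deny when aws:SourceVpce is
    anything else. The Deny is what keeps the API unreachable from other
    endpoints even if a broader Allow is added later (deny-overrides)."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowInvokeFromPeerAccountVpce",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringEquals": {"aws:SourceVpce": allowed_vpce_ids}},
            },
            {
                "Sid": "DenyInvokeFromAnyOtherSource",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": allowed_vpce_ids}},
            },
        ],
    }


def vpc_endpoint_policy(account_id, region, api_id):
    """Endpoint policy for Account B's execute-api endpoint: scope it to the one
    API in Account A instead of leaving the default full-access policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*",
            }
        ],
    }


def invoke_allowed(policy, source_vpce):
    """Minimal deny-overrides evaluator for the policy above, matching only the
    aws:SourceVpce condition. Useful as a unit test before attaching the policy;
    it is not a replacement for the IAM policy simulator."""
    allowed = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if "StringEquals" in cond:
            matches = source_vpce in cond["StringEquals"]["aws:SourceVpce"]
        elif "StringNotEquals" in cond:
            matches = source_vpce not in cond["StringNotEquals"]["aws:SourceVpce"]
        else:
            matches = True
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False          # an applicable Deny wins outright
        allowed = True
    return allowed


def private_invoke_url(api_id, vpce_id, region, stage):
    """Endpoint-specific hostname for a private API: the {api-id}-{vpce-id} form
    names the VPC endpoint explicitly, so it works without relying on private
    DNS for the generic execute-api hostname."""
    return f"https://{api_id}-{vpce_id}.execute-api.{region}.amazonaws.com/{stage}"


if __name__ == "__main__":
    policy = api_gateway_resource_policy(ACCOUNT_A, REGION_A, API_ID, [VPCE_B])
    print(json.dumps(policy, indent=2))
    print(json.dumps(vpc_endpoint_policy(ACCOUNT_A, REGION_A, API_ID), indent=2))
    print("allowed from B:", invoke_allowed(policy, VPCE_B))
    print("allowed from other:", invoke_allowed(policy, "vpce-ffffffffffffffff0"))
    print(private_invoke_url(API_ID, VPCE_B, REGION_A, "prod"))
```

The evaluator is deliberately strict: any endpoint ID not in the allow list hits the Deny statement, which is the behaviour you want to confirm before trusting the policy in Account A. Note that the endpoint policy on Account B's side only narrows what that endpoint may reach; it cannot grant anything the resource policy in Account A does not already allow.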
0

I'm missing something at DNS resolution. Both VPCs have DNS resolution enabled, and VPC peering allows DNS resolution across the connection. Account B can't resolve the DNS name of the API Gateway.

answered 10 days ago
0

It worked! I was using a wrong endpoint name.

Changed to this and it worked fine: https://{api-id}-{vpce-id}.execute-api.us-east-1.amazonaws.com/{stage}

answered 10 days ago
