
Specify Host header when invoking a custom domain name for a private API


My questions are:

  1. When invoking a private custom domain name for a private API, is it the default behavior of a private API to always require a Host header with the ID of the API? (The Developer Guide doesn't seem to state that.)
  2. If the above is true, is there a workaround to invoke a private custom domain name for a private API without having to specify the Host header?

Background information: I have created a private API using the below instructions. https://docs.aws.amazon.com/apigateway/latest/developerguide/private-api-tutorial.html

As Amazon API Gateway now supports Custom Domain Names for private REST APIs, I want to try to call the created private API using the custom domain name api.aws.internal.sample.com https://aws.amazon.com/about-aws/whats-new/2024/11/amazon-api-gateway-custom-domain-name-private-rest-apis/?nc1=h_ls Note: this is for testing purposes, so we are using a self-signed certificate and imported it into ACM.

We did the setup for Custom Domain Names and Route 53 following the below instructions. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-custom-domains-tutorial.html However, when trying to invoke the private custom domain name, the curl command returns a 403 error. Using the curl command with a Host header returns the expected 200 status.

For reference, below are the curl results:

■ curl without Host header -> 403

    curl -vk https://api.aws.internal.sample.com/test/hello

  • Host api.aws.internal.sample.com:443 was resolved.
  • IPv6: (none)
  • IPv4: 10.0.{}.{}
  • Trying 10.0.{}.{}:443...
  • Connected to api.aws.internal.sample.com (10.0.{}.{}) port 443
  • ALPN: curl offers h2,http/1.1 ////
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / secp256r1 / rsaEncryption
  • ALPN: server did not agree on a protocol. Uses default.
  • Server certificate: /////
  • SSL certificate verify result: self-signed certificate (18), continuing anyway.
  • Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
  • using HTTP/1.x

    > GET /test/hello HTTP/1.1
    > Host: api.aws.internal.sample.com
    > User-Agent: curl/8.5.0
    > Accept: */*

    < HTTP/1.1 403 Forbidden
    < Server: Server
    /////
    < Content-Type: application/json
    < Content-Length: 42
    < Connection: keep-alive
    /////
    < x-amzn-ErrorType: MissingAuthenticationTokenException
    /////

  • Connection #0 to host api.aws.internal.sample.com left intact

    {"message":"Missing Authentication Token"}

■ curl with Host header -> 200

    curl -vk https://api.aws.internal.sample.com/test/hello -H "Host: {api-id}.execute-api.{region-id}.amazonaws.com"

    //////
    < HTTP/1.1 200 OK
    < Server: Server
    < Date: ////
    < Content-Type: application/json
    < Content-Length: 27
    < Connection: keep-alive
    ////

  • Connection #0 to host api.aws.internal.sample.com left intact

    Reached Lambda

■ Additional information

  1. API Gateway Resource Policy: Allow execute-api:Invoke for connections through API Gateway's VPC Endpoint (statement shown as a complete Allow statement, following the private API tutorial linked above)

    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:{region-id}:{account-id}:{api-id}/*/GET/hello",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "{AWS VPC Endpoint}"
        }
      }
    }

  2. Resource Policy of Custom Domain Names (API Gateway): Allow execute-api:Invoke only for connections from API Gateway's VPC Endpoint

    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "{VPC Endpoint ID}"
        }
      }
    }

1 Answer

To address your questions regarding invoking a private custom domain name for private APIs:

  1. It is not the default behavior of a private API to always require a host header with the ID of the API when invoking a private custom domain name. The requirement for a host header depends on how you've set up your private API and custom domain.

  2. There are ways to invoke a private custom domain name for private APIs without specifying the Host header explicitly. Here are some approaches you can consider:

a) Use DNS resolution: If you've set up your private DNS correctly, you should be able to invoke the API using the custom domain name without specifying the Host header. Ensure that your Route 53 private hosted zone is properly configured to resolve the custom domain name to the VPC endpoint.

b) VPC endpoint policy: Make sure your VPC endpoint policy allows access to your private custom domain name. You may need to adjust the policy to ensure it's not blocking requests without the specific Host header.

c) Resource policies: Review both the private API resource policy and the private custom domain name resource policy. Ensure they are configured to allow access from your VPC endpoint without requiring additional headers.

d) Domain name access association: Verify that you've created a domain name access association between your VPC endpoint and the private custom domain name. This association allows you to invoke the private custom domain name while isolated from the public internet.

e) Check TLS settings: Ensure that your TLS settings are correct. Private custom domain names use the security policy of TLS-1.2 by default.

If you're still experiencing issues after checking these points, you may want to review your API Gateway configuration, VPC settings, and DNS setup to ensure everything is correctly configured for your private custom domain name.

The 403 Forbidden error you're receiving without the Host header suggests there might be an issue with your authentication or authorization setup. Double-check your resource policies, VPC endpoint policies, and API Gateway configuration to ensure they're correctly set up to allow access via the custom domain name without requiring the explicit Host header.

Remember that when using private custom domain names, you need to create separate resource policies for your private API and for your private custom domain name. To successfully invoke a private custom domain name, an API consumer needs access granted by the private custom domain name resource policy, the private API resource policy, and any applicable VPC endpoint policies or authorization on the private API.

Sources
Custom domain names for private APIs in API Gateway - Amazon API Gateway
Rest API - Best Practices for Designing Amazon API Gateway Private APIs and Private Integration
Invoke a private API - Amazon API Gateway

answered a year ago
EXPERT
reviewed a year ago
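The answer's closing point is that three policy layers are consulted for a call through a private custom domain name: the VPC endpoint policy, the custom domain name resource policy, and the private API resource policy. The script below is an added example (not part of the question or the answer, and not AWS code) that models that layered decision in simplified IAM terms: an explicit Deny in any layer refuses the request, every layer must Allow, and a statement that matches nothing is an implicit deny. The policies are constructed placeholders patterned on the fragments posted in the question; the account, region, API and endpoint IDs (111122223333, us-east-1, abcdef123, vpce-…) are made up, and the order in which the layers are walked is an assumption of the model, since all three must allow anyway. It also shows the behaviour a practitioner should know about the Deny/StringNotEquals/aws:SourceVpce pattern: a request that carries no aws:SourceVpce key at all (one that did not arrive via the endpoint) is denied, because a negated operator on a missing key evaluates to true.

```python
"""Simplified evaluation of the three policy layers in front of a private custom domain name.

Added example, not from the question, the answer, or AWS. All identifiers are constructed placeholders.
Supported operators are limited to the two used by these policies: StringEquals and StringNotEquals.
"""
import fnmatch

# --- constructed sample policies (placeholder IDs, not real resources) ---
VPCE_ID = "vpce-0123456789abcdef0"        # the endpoint the policies trust
OTHER_VPCE_ID = "vpce-0fedcba9876543210"  # some other endpoint in another VPC
API_ARN_PREFIX = "arn:aws:execute-api:us-east-1:111122223333:abcdef123"

# Private API resource policy: Allow GET /hello only through the trusted endpoint.
PRIVATE_API_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
        "Resource": f"{API_ARN_PREFIX}/*/GET/hello",
        "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}

# Private custom domain name resource policy: Allow everything, then Deny whatever
# did not come from the trusted endpoint (note the "execute-api:/..." resource form).
CUSTOM_DOMAIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}

# Permissive VPC endpoint policy (equivalent to attaching none).
VPC_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context.

    A key that is absent from the context never matches, so StringEquals fails
    and StringNotEquals succeeds on it, which is what makes the Deny pattern
    above refuse requests that did not arrive through any VPC endpoint.
    """
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator in this model: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            matched = actual is not None and actual in _as_list(expected)
            if operator == "StringEquals" and not matched:
                return False
            if operator == "StringNotEquals" and matched:
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, regardless of Allows
        decision = "Allow"
    return decision


def evaluate_request(context, stage="test", method="GET", path="hello"):
    """Walk the three layers; report the first that refuses, else Allow."""
    layers = [
        ("vpc-endpoint-policy", VPC_ENDPOINT_POLICY, f"{API_ARN_PREFIX}/{stage}/{method}/{path}"),
        ("custom-domain-resource-policy", CUSTOM_DOMAIN_POLICY, f"execute-api:/{stage}/{method}/{path}"),
        ("private-api-resource-policy", PRIVATE_API_POLICY, f"{API_ARN_PREFIX}/{stage}/{method}/{path}"),
    ]
    for name, policy, resource in layers:
        result = evaluate_policy(policy, "execute-api:Invoke", resource, context)
        if result != "Allow":
            return {"decision": result, "layer": name}
    return {"decision": "Allow", "layer": None}


if __name__ == "__main__":
    for label, ctx, kw in [
        ("via trusted endpoint, GET /hello", {"aws:SourceVpce": VPCE_ID}, {}),
        ("via another endpoint", {"aws:SourceVpce": OTHER_VPCE_ID}, {}),
        ("no aws:SourceVpce in context", {}, {}),
        ("via trusted endpoint, POST /hello", {"aws:SourceVpce": VPCE_ID}, {"method": "POST"}),
    ]:
        print(f"{label:40s} -> {evaluate_request(ctx, **kw)}")
```

The fourth case is worth noticing: the custom domain policy allows everything, yet POST /hello still fails, because the private API resource policy only allows GET /hello and anything it does not mention is an implicit deny. Adjusting one layer is never enough; the request has to be allowed by all of them.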
