I have banged my head on this issue specifically. It is possible as I've recently done it.
I have a Lambda in Account A within VPC-A that makes calls to a private REST endpoint through a VPCE in Account B. That private REST endpoint has a resource policy allowing traffic from that VPCE only. If you're getting timeouts, it is likely your security group configuration. You mentioned
- I have verified the security group on the Gateway in VPC-B allows incoming traffic on port 443
which may be the issue. You referenced the gateway but you'll want to make sure your VPCE allows that traffic. Ensure that the security group associated with the VPCE allows inbound traffic from the subnet of the security group of the Lambda in VPC-A. My team uses a rule of thumb that if it's timeouts, it's likely SGs. Good luck!
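The rule of thumb above (timeouts usually mean a security group is silently dropping the traffic) can be checked mechanically. The following is an added example, not code from the answer's author: it takes ingress rules in the shape of the EC2 DescribeSecurityGroups `IpPermissions` field (the sample rules and the 10.1.20.0/24 Lambda-subnet CIDR are constructed assumptions) and reports whether the VPCE's security group admits TCP 443 from the Lambda subnet in VPC-A.

```python
import ipaddress

# Constructed sample rules in the shape of the EC2 DescribeSecurityGroups
# "IpPermissions" field (not data taken from the thread). The first set mirrors
# the asker's setup (443 open to any source); the second is the narrower rule the
# answer recommends: 443 only from the Lambda subnet in VPC-A (CIDRs are assumed).
VPCE_SG_INGRESS_OPEN = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
VPCE_SG_INGRESS_SCOPED = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.1.20.0/24"}]},
]
LAMBDA_SUBNET = "10.1.20.0/24"  # assumed VPC-A subnet hosting the Lambda ENIs


def _port_matches(rule, port):
    """True if the rule's protocol/port range covers TCP `port`."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allows_inbound(ingress_rules, source_cidr, port=443):
    """Return the first rule admitting TCP `port` from ALL of `source_cidr`, else None."""
    src = ipaddress.ip_network(source_cidr, strict=False)  # a bare IP becomes a /32
    for rule in ingress_rules:
        if not _port_matches(rule, port):
            continue
        for rng in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(rng["CidrIp"], strict=False)
            # subnet_of() requires both networks to be the same IP version
            if allowed.version == src.version and src.subnet_of(allowed):
                return rule
    return None


def explain(ingress_rules, source_cidr, port=443):
    """Human-readable verdict; a BLOCKED result is consistent with the timeouts described."""
    hit = allows_inbound(ingress_rules, source_cidr, port)
    if hit is None:
        return f"BLOCKED: no ingress rule admits {source_cidr} on tcp/{port} (expect timeouts, not 403)"
    cidrs = [r["CidrIp"] for r in hit["IpRanges"]]
    width = "world-open" if "0.0.0.0/0" in cidrs else "scoped"
    return f"ALLOWED ({width}): {source_cidr} on tcp/{port} via {cidrs}"


if __name__ == "__main__":
    print(explain(VPCE_SG_INGRESS_OPEN, LAMBDA_SUBNET))
    print(explain(VPCE_SG_INGRESS_SCOPED, LAMBDA_SUBNET))
    print(explain(VPCE_SG_INGRESS_SCOPED, "10.2.0.0/16"))  # a subnet the rule does not cover
```

To run it against a live VPCE security group, feed it the `IpPermissions` list from `describe_security_groups` and the CIDRs of the subnets the Lambda is attached to.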
I have double checked, and according to the documentation it is possible.
Using resource policies, you can allow or deny access to your API from selected VPCs and VPC endpoints, including across AWS accounts. Each endpoint can be used to access multiple private APIs. You can also use AWS Direct Connect to establish a connection from an on-premises network to Amazon VPC and access your private API over that connection.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
Have you configured the resource policy to allow access from VPC A?
Thanks for confirming I'm at least on the right track. The Resource Policy on the API Gateway in VPC-B allows traffic coming from the VPC Endpoint defined in VPC-B. I wasn't getting any 403 response code saying the traffic was being blocked; the request was just not resolving and timing out.
Hello @fluted_whale423,
I am afraid what you are trying to achieve is not possible. As per the documentation, Private APIs are accessible only from within your VPCs. You can access it using a VPC Endpoint, but that will only be accessible within the same VPC.
Generally speaking you cannot use the VPC connection techniques to send traffic across VPCs. Sometime back I had set up a VPC Peering and tried to use a NAT Gateway across that peering and it didn't work. It is well documented. I think you will have to access the API via Route53. I have not tried it, but I think it should be possible.
Hi, thanks for the response.
My VPCE had the same SG as the Gateway, which allowed inbound 443 traffic without subnet restrictions. I updated my original post with how I ended up getting it working, but it's not using the PrivateLink solution.