Call Private API Gateway without Host header


Hi,

When building private API Gateways fronted by a VPC endpoint, the consumer needs to provide a Host header with the ID of the API.

A workaround to fix that is to provide an ALB with a Route53 record, which then fronts the VPC endpoint. In this way the consumer does not need to provide a Host header.

Are there any other workarounds so that a consumer does not need to provide a Host header in order to call a VPC-endpoint-fronted private API Gateway? Thanks

asked a year ago · 1048 views
2 Answers

Using an Application Load Balancer (ALB) and Route53 is a common workaround to avoid sending a custom Host header when calling a private API Gateway with a VPC endpoint. However, another workaround you can consider is setting up an AWS Lambda function as a proxy between the client and the API Gateway.

  • Create a Lambda function that receives the request from the client and forwards it to the private API Gateway.
  • Configure the Lambda function to add the required Host header with the API ID before sending the request to the API Gateway.
  • Expose the Lambda function using an API Gateway of its own, making it publicly accessible (if required). The public API Gateway can be a Regional or Edge-Optimized API.
  • Clients can now call the public-facing API Gateway, which triggers the Lambda function, which in turn adds the required Host header and forwards the request to the private API Gateway.

This way, the clients do not need to provide the Host header, and the Lambda function handles it for them. Keep in mind that this approach adds an extra layer of complexity and may introduce some latency, as the Lambda function acts as a middleman in the process.

answered a year ago
reviewed 24 days ago
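As an added example (not code from the post above or from AWS), a Python Lambda handler implementing the proxy that answer describes: it rebuilds the client's request for the VPC endpoint and sets the Host header to the private API's execute-api hostname, which is what selects the target API. The VPC endpoint DNS name, API ID, region and stage are assumed to come from environment variables, and the Lambda is assumed to run in a VPC that can reach the endpoint.

```python
import base64
import os
import urllib.error
import urllib.request
from urllib.parse import urlencode


def target_host(api_id: str, region: str) -> str:
    # The private API is chosen by this exact Host value; it is set server-side
    # here so the client never has to know the API ID.
    return f"{api_id}.execute-api.{region}.amazonaws.com"


def build_forward_request(event: dict, vpce_dns: str, api_id: str, region: str, stage: str):
    """Translate an inbound proxy-integration event into (method, url, headers, body)."""
    path = (event.get("path") or "/").lstrip("/")
    url = f"https://{vpce_dns}/{stage}/{path}"
    query = event.get("queryStringParameters") or {}
    if query:
        url += "?" + urlencode(query)
    # Copy client headers, but drop hop-by-hop headers and the client's own Host.
    skip = {"host", "content-length", "connection"}
    headers = {k: v for k, v in (event.get("headers") or {}).items() if k.lower() not in skip}
    headers["Host"] = target_host(api_id, region)
    body = event.get("body")
    if body is not None:
        body = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()
    return event.get("httpMethod", "GET"), url, headers, body


def lambda_handler(event, context):
    # Assumed environment variables (names are this example's, not an AWS convention).
    method, url, headers, body = build_forward_request(
        event, os.environ["VPCE_DNS"], os.environ["API_ID"], os.environ["REGION"], os.environ["STAGE"]
    )
    # urllib only adds its own Host header when none is present, so ours is sent as-is;
    # TLS SNI still carries the VPC endpoint name, which matches the endpoint's certificate.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {"statusCode": resp.status,
                    "headers": {"Content-Type": resp.headers.get("Content-Type", "application/json")},
                    "body": resp.read().decode()}
    except urllib.error.HTTPError as err:
        # Pass the private API's error status back instead of turning it into a 502.
        return {"statusCode": err.code, "body": err.read().decode()}
```

The private API's resource policy still has to allow calls from the VPC endpoint, and because the Host value alone selects the target API it should come from configuration, as here, not from anything the client sends.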

Not really an answer but more background information for those reading this later...

No, there isn't an easy workaround here. VPC endpoints for AWS services are "gateways" to the entire service. With API Gateway there needs to be a way to select which API endpoint the caller wants to connect to (out of all the endpoints that are defined within the same region). The Host header is the way to do that - without it, the service doesn't know which "instance" of API Gateway the caller wants to use.

DNS isn't appropriate here as it is something that happens on the caller side before the TCP session is established. Client certificates can't be used (even in cases where they are supported) because they happen later in the protocol negotiation phase - they are bound to the API Gateway instance and in any case it's not practical to compare the certificate across all API Gateways for all customers. There is also the possibility of a certificate being used by a single client to call multiple APIs, so that's a blocker too.

That said: An interesting feature might be to create an API Gateway endpoint that only connects to a single API Gateway (rather than to the whole service). If that sounds interesting, you might discuss that with your local AWS Solutions Architect.

answered 10 months ago
  • Thanks Brettski, yeah, a workaround is to have a proxy before the API (another API Gateway as you suggest, or an ALB), and though not happy, it is good to know that there is no alternative, and to get to know the reason behind it. Thanks!
