Hi WearsTheFoxHat,
If you enable "Enable Private DNS Name" when you add an API GW VPC endpoint to your vpc, all REGIONAL and PRIVATE APIs will get routed to the VPC endpoint.
As is stated in [1], "However, you cannot access public APIs from a VPC by using an API Gateway VPC endpoint with private DNS enabled. " (emphasis mine)
You can solve this in two ways:
- leave private DNS Name enabled and make sure all your public APIs are accessed from custom domain names that are Edge optimized
- disable private DNS name, but that will require that you call your private APIs through the endpoint, setting the Host header explicitly [2] or using a Route 53 alias [3]
Hope this helps!
Best, Alf
[1] Creating a private API in Amazon API Gateway - Create an interface VPC endpoint for API Gateway execute-api - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-create-interface-vpc-endpoint
[2] How to invoke a private API - Invoking your private API using endpoint-specific public DNS hostnames - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#apigateway-private-api-public-dns
[3] How to invoke a private API - Accessing your private API using a Route53 alias - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#apigateway-private-api-route53-alias
Ah, I hadn't read the API Gateway docs in [1] (someone else manages that bit) so hadn't come across this restriction in the Endpoint docs. I probably can't ask clients to use edge optimised Gateways, so will need to Heath-Robinson something else I think and get it past the Security team...
Many thanks for your time.
To reach a public webhook you need to grant your VPC Lambda access to the internet. This is a bit more involved than a security group setting. This article might help:
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
Could you please check the DNS setting on the VPC endpoint: if the API is invoked from an Amazon VPC that has an interface VPC endpoint, verify that the DNS setting of the interface endpoint is set correctly based on the API type.
Keep in mind the following:
- To invoke a Regional API from inside an Amazon VPC, private DNS must be disabled on the interface endpoint. Then, the endpoint's hostname can be resolved by a public DNS. For more information, see "Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?"
- To invoke a private API from inside an Amazon VPC using the API's private DNS name, private DNS must be activated on the interface endpoint. Then, the interface endpoint's hostname can be resolved to the Amazon VPC's local subnet resources. For more information, see "How to invoke a private API".
Note: You don't need to set up private DNS if you're invoking the private API using its public DNS name or an Amazon Route 53 alias.
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/
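The rules in Alf's answer and in the 403 troubleshooting answer above can be turned into a small audit that tells you, per REST API, what the execute-api interface endpoint's Private DNS setting does to it. This is an added example, not code from the thread or from AWS; the sample API and endpoint records are constructed and shaped like the boto3 `get_rest_apis()` and `describe_vpc_endpoints()` responses, and the `main()` that pulls live data is optional.

```python
"""Audit which API Gateway REST APIs are reachable from a VPC, given the
execute-api interface endpoint's Private DNS setting (added example)."""
from typing import Dict, List

# Constructed sample data (not real IDs), shaped like boto3 responses.
SAMPLE_APIS: List[Dict] = [
    {"id": "priv0001", "name": "internal-api", "endpointConfiguration": {"types": ["PRIVATE"]}},
    {"id": "regn0002", "name": "partner-webhook", "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "edge0003", "name": "public-site", "endpointConfiguration": {"types": ["EDGE"]}},
]
SAMPLE_ENDPOINT: Dict = {"VpcEndpointId": "vpce-0example", "PrivateDnsEnabled": True,
                         "ServiceName": "com.amazonaws.eu-west-1.execute-api"}


def reachability(api: Dict, private_dns_enabled: bool) -> str:
    """How the API's default execute-api hostname behaves from inside the VPC."""
    api_type = api["endpointConfiguration"]["types"][0]
    if private_dns_enabled:
        if api_type == "PRIVATE":
            return "OK: default hostname resolves to the VPC endpoint"
        # Private DNS captures every execute-api name in the region, so public
        # (REGIONAL/EDGE) APIs get a 403 from the endpoint: use an edge-optimized
        # custom domain name instead, which is not under execute-api.
        return "BLOCKED: public API captured by private DNS; use an edge-optimized custom domain"
    if api_type == "PRIVATE":
        return ("OK only via the endpoint hostname with an explicit Host header "
                "(or a Route 53 alias); the default hostname is not resolvable")
    return "OK: default hostname resolves via public DNS (the caller needs internet egress)"


def audit(apis: List[Dict], endpoint: Dict) -> Dict[str, str]:
    """Map API id -> reachability verdict for one execute-api interface endpoint."""
    if not endpoint["ServiceName"].endswith(".execute-api"):
        raise ValueError("not an execute-api interface endpoint")
    return {api["id"]: reachability(api, endpoint["PrivateDnsEnabled"]) for api in apis}


def main() -> None:
    # Live mode (optional): needs boto3 and credentials with ec2:DescribeVpcEndpoints
    # and apigateway:GET; the default-region endpoint list is filtered to execute-api.
    import boto3
    ec2, apigw = boto3.client("ec2"), boto3.client("apigateway")
    apis = apigw.get_rest_apis(limit=500)["items"]
    for ep in ec2.describe_vpc_endpoints()["VpcEndpoints"]:
        if ep["ServiceName"].endswith(".execute-api"):
            for api_id, verdict in audit(apis, ep).items():
                print(f"{ep['VpcEndpointId']} {api_id}: {verdict}")


if __name__ == "__main__":
    main()
```

Run without arguments against the constructed sample by calling `audit(SAMPLE_APIS, SAMPLE_ENDPOINT)`; with Private DNS enabled the sample flags both public APIs as blocked and only the private one as reachable.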