I have two API Gateways: a public one (A) and one inside a VPC (B), where a VPC Endpoint is configured for calls to API Gateway.

VPC Endpoint configuration:
IotCoreApiGatewayVPCEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: "*"
          Action:
            - "execute-api:Invoke"
          Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
    ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
    VpcEndpointType: Interface
    VpcId: !Ref VpcId
    PrivateDnsEnabled: true
    SecurityGroupIds:
      - !GetAtt DbSecurityGroup.GroupId
    SubnetIds:
      - !Ref PrivateSubnetAId
      - !Ref PrivateSubnetBId
API Gateway B is calling API Gateway A, and I get a 403 Forbidden error. If I remove the VPC Endpoint configuration, I get a timeout instead of the 403.

Calling API Gateway A from a Lambda that is not in a VPC works fine, and CORS is enabled as well.

A similar problem is described here:
https://aws.amazon.com/ru/premiumsupport/knowledge-center/api-gateway-vpc-connections/

This article states that I have to set up an Edge-Optimized Custom Domain Name for the API Gateway, and that I need to use ACM Certificates.

Is there a simpler way to solve this? Can I just attach access to API Gateway A, with its security group ID, to the VPC Endpoint?

Server response:
{
  "Version": {
    "Major": 1,
    "Minor": 1,
    "Build": -1,
    "Revision": -1,
    "MajorRevision": -1,
    "MinorRevision": -1
  },
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "application/json"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "23"
        ]
      }
    ]
  },
  "StatusCode": 403,
  "ReasonPhrase": "Forbidden",
  "Headers": [
    {
      "Key": "Server",
      "Value": [
        "Server"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Mon, 16 Dec 2019 11:25:43 GMT"
      ]
    },
    {
      "Key": "Connection",
      "Value": [
        "keep-alive"
      ]
    },
    {
      "Key": "x-amzn-RequestId",
      "Value": [
        "09df4fdd-d26d-4266-b569-35d537488913"
      ]
    },
    {
      "Key": "x-amzn-ErrorType",
      "Value": [
        "ForbiddenException"
      ]
    },
    {
      "Key": "x-amz-apigw-id",
      "Value": [
        "Ey10qAA7DoEF-Ng="
      ]
    }
  ],
  "RequestMessage": {
    "Version": {
      "Major": 2,
      "Minor": 0,
      "Build": -1,
      "Revision": -1,
      "MajorRevision": -1,
      "MinorRevision": -1
    },
    "Content": {
      "Headers": [
        {
          "Key": "Content-Type",
          "Value": [
            "application/json; charset=utf-8"
          ]
        },
        {
          "Key": "Content-Length",
          "Value": [
            "104"
          ]
        }
      ]
    },
    "Method": {
      "Method": "POST"
    },
    "RequestUri": "https://{apigatewayUrl}api/Commands",
    "Headers": [],
    "Properties": {}
  },
  "IsSuccessStatusCode": false
}
Update: adding an Edge-Optimized Custom Domain Name, as suggested in the article, did not solve the problem.

Before I added a NAT Gateway to the VPC, access to the public API Gateway (and to the public Internet) was blocked. The solution is described here: https://medium.com/@philippholly/aws-lambda-enable-outgoing-internet-access-within-vpc-8dd250e11e12
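As an added diagnostic (not part of the question above or of the linked articles), the following Python helper checks the two things that explain this 403: whether the execute-api hostname, resolved from inside the VPC, points at the interface endpoint's private addresses (the effect of `PrivateDnsEnabled: true`), and whether the response is API Gateway's own `ForbiddenException`. The VPC CIDR, the resolver answers and the trimmed response dump are constructed sample values.

```python
import ipaddress
import json

# Constructed sample data: the VPC's address range, the A records a resolver
# inside the VPC returned for the API's execute-api hostname, and the answers
# seen from outside the VPC.
VPC_CIDRS = ["10.0.0.0/16"]
ANSWERS_FROM_VPC = ["10.0.1.23", "10.0.2.41"]        # endpoint ENI addresses
ANSWERS_FROM_OUTSIDE = ["52.84.0.12", "52.84.0.98"]  # public edge addresses

# Trimmed copy of the HttpResponseMessage dump shape posted in the question.
RESPONSE_403 = json.dumps({
    "StatusCode": 403,
    "ReasonPhrase": "Forbidden",
    "Headers": [
        {"Key": "x-amzn-RequestId", "Value": ["09df4fdd-d26d-4266-b569-35d537488913"]},
        {"Key": "x-amzn-ErrorType", "Value": ["ForbiddenException"]},
    ],
})


def resolved_via_vpc_endpoint(answers, vpc_cidrs):
    """True when every A record lies inside the VPC, i.e. private DNS has
    pointed the public execute-api name at the interface endpoint's ENIs."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    addrs = [ipaddress.ip_address(a) for a in answers]
    return bool(addrs) and all(any(a in n for n in nets) for a in addrs)


def api_gateway_error(response_json):
    """Return the x-amzn-ErrorType of a 403 that API Gateway itself issued
    (it always carries x-amzn-RequestId), or None for any other response."""
    resp = json.loads(response_json)
    headers = {h["Key"]: h["Value"][0] for h in resp.get("Headers", [])}
    if resp.get("StatusCode") == 403 and "x-amzn-RequestId" in headers:
        return headers.get("x-amzn-ErrorType")
    return None


def diagnose(response_json, answers, vpc_cidrs):
    """Combine both checks into one verdict for the caller inside the VPC."""
    err = api_gateway_error(response_json)
    if err == "ForbiddenException" and resolved_via_vpc_endpoint(answers, vpc_cidrs):
        # A non-private API reached through the execute-api interface endpoint:
        # the endpoint policy cannot grant this; only private APIs are served there.
        return "public-api-via-vpc-endpoint"
    if err == "ForbiddenException":
        return "forbidden-not-via-endpoint"  # look at auth / resource policy instead
    return "no-api-gateway-403"
```

Run the resolver step with `dig` or `nslookup` from an instance in the same subnets as the Lambda, then feed the answers to `diagnose`; a `public-api-via-vpc-endpoint` verdict means the 403 is produced before any endpoint policy or security group is consulted.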