Connecting to a private API Gateway from on-premises using AWS Direct Connect

Time: 2019-08-19 16:17:54

Tags: aws-api-gateway amazon-vpc

I am trying to call a private API Gateway endpoint from an on-premises server. I have Direct Connect set up between my on-premises network and the AWS VPC.

The AWS documentation here says:

  You can also use AWS Direct Connect to establish a dedicated private connection from an on-premises network to Amazon VPC and access your private API endpoint over that connection by using public DNS names.

  You cannot use private DNS names to access your private API from an on-premises network.

Here is what I did:

  1. Created an interface endpoint for API Gateway
  2. Created the API Gateway
  3. Set the API to be a "private" API
  4. Added the following resource policy to the API Gateway

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:<REGION>:<ACCOUNT_ID>:<API_GW_ID>/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-<VPCE_ID>"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:<REGION>:<ACCOUNT_ID>:<API_GW_ID>/*/*/*"
        }
    ]
}

I tried calling the API as follows:

[screenshot of the request not preserved]

It seems there is a problem establishing a connection to the VPC endpoint. Any help would be appreciated!

Update after trying to curl the URL:

It looks like I can now reach the VPC endpoint, but I get a 403. I tried removing the resource policy from the API Gateway to see whether it was caused by a bad policy, but it was not. I tried using the --insecure flag, but no luck there either.

c:\curl\curl-7.65.3-win64-mingw\bin>curl --insecure -v https://<vpc-endpoint-id>.execute-api.<region>.vpce.amazonaws.com/<path> -H 'x-apigw-api-id:<api-gw-id>' -k
*   Trying 10.42.189.101:443...
* TCP_NODELAY set
* Connected to <vpc-endpoint-id>.execute-api.<region>.vpce.amazonaws.com (10.42.189.101) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.execute-api.<region>.amazonaws.com
*  start date: Oct  9 00:00:00 2018 GMT
*  expire date: Oct  9 12:00:00 2019 GMT
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET <path> HTTP/1.1
> Host: <vpc-endpoint-id>.execute-api.<region>.vpce.amazonaws.com
> User-Agent: curl/7.65.3
> Accept: */*
> 'x-apigw-api-id:<api-gw-id>'
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Tue, 20 Aug 2019 19:49:24 GMT
< Content-Type: application/json
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: 9c95b630-c383-11e9-b657-fbfc525bb250
< x-amzn-ErrorType: ForbiddenException
< x-amz-apigw-id: evE-uHZWiYcF7Xw=
<
{"message":"Forbidden"}* Connection #0 to host <vpc-endpoint-id>.execute-api.<region>.vpce.amazonaws.com left intact

Notes:

  1. Private DNS names are disabled on my VPC endpoint
  2. I am calling the public DNS name to reach my API (vpce-blah-blah.execute-api.region.vpce.amazonaws.com)

Other sources I have used:

Tutorial on calling the API GW VPC endpoint: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/
Tutorial on writing resource policies: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
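As an added example (not part of the original question, and not AWS's own code), the following Python script covers the two things a practitioner would check in this situation. First, how the request to the VPC endpoint's public DNS name should be formed, with x-apigw-api-id sent as a real header: the verbose curl output above shows the header line went out literally as `'x-apigw-api-id:<api-gw-id>'`, quotes included, because cmd.exe does not treat single quotes as shell quoting, so API Gateway cannot match the request to an API and answers 403 Forbidden. Second, a small simulation of how the posted resource policy's Deny/Allow pair evaluates aws:sourceVpce, including the case where the key is absent. The region, account id, API id, VPC endpoint id and path are constructed placeholders; the evaluator is a simplified model of IAM (explicit deny, then allow, then implicit deny), supports only the StringEquals/StringNotEquals operators, and ignores Principal because the policy uses "*".

```python
"""Added example: form a request to a private API Gateway through its VPC
endpoint public DNS name, and simulate how the resource policy posted in the
question decides Allow/Deny based on aws:sourceVpce. Not AWS code."""
from fnmatch import fnmatchcase
from typing import Dict, Optional

# Constructed placeholder identifiers (assumptions, not values from the post).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "abcde12345"
VPCE_ID = "vpce-0123456789abcdef0"

# Same shape as the policy in the question, with placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/*/*/*",
            "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/*/*/*",
        },
    ],
}

# Constructed resource ARN for a GET on /orders in the "prod" stage.
RESOURCE = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/prod/GET/orders"


def build_private_api_request(vpce_id: str, region: str, api_id: str, path: str) -> Dict:
    """Return the URL and headers for invoking a private API via the VPC
    endpoint's public DNS name. API Gateway selects the API from the
    x-apigw-api-id header, so it must be a proper "name: value" header."""
    host = f"{vpce_id}.execute-api.{region}.vpce.amazonaws.com"
    return {
        "url": f"https://{host}/{path.lstrip('/')}",
        "headers": {"Host": host, "x-apigw-api-id": api_id},
    }


def _condition_matches(condition: Dict, ctx: Dict[str, Optional[str]]) -> bool:
    """Evaluate the condition operators used by the policy above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators are satisfied when the key is absent, so a
                # request that carries no aws:sourceVpce still hits the Deny.
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate_resource_policy(policy: Dict, resource: str, ctx: Dict[str, Optional[str]]) -> str:
    """Simplified IAM logic: an applicable explicit Deny wins, otherwise an
    applicable Allow grants access, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt.get("Action") != "execute-api:Invoke":
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    req = build_private_api_request(VPCE_ID, REGION, API_ID, "/prod/orders")
    print(req["url"], req["headers"])
    for label, ctx in [
        ("from the expected VPC endpoint", {"aws:sourceVpce": VPCE_ID}),
        ("from a different VPC endpoint", {"aws:sourceVpce": "vpce-0fedcba9876543210"}),
        ("with no aws:sourceVpce key at all", {}),
    ]:
        print(f"{label}: {evaluate_resource_policy(POLICY, RESOURCE, ctx)}")
```

Run it directly to see the three decisions; the third case is the one that matters for Direct Connect traffic, since a request that does not traverse the interface endpoint carries no aws:sourceVpce and is therefore denied by the StringNotEquals statement even before the Allow is considered.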

0 answers:

No answers