Calling a public ApiGateway from an ApiGateway inside a VPC

Time: 2019-12-13 17:25:41

Tags: amazon-web-services aws-api-gateway amazon-vpc api-gateway

I have two API Gateways: one public (A) and another in a VPC (B), where a VPCEndpoint is configured so that the API Gateway can be invoked.

VPCEndpoint configuration:

  IotCoreApiGatewayVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "execute-api:Invoke"
            Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !GetAtt DbSecurityGroup.GroupId
      SubnetIds:
        - !Ref PrivateSubnetAId
        - !Ref PrivateSubnetBId

API Gateway B is calling API Gateway A, and I receive a 403 Forbidden error.

If I remove the VPCEndpoint configuration, I get a timeout instead of the 403.

Calling API Gateway A from a Lambda that is not in a VPC works fine; CORS is also enabled.

A similar problem is described here:

https://aws.amazon.com/ru/premiumsupport/knowledge-center/api-gateway-vpc-connections/

The article says that I must set up an Edge-Optimized Custom Domain Name for the API Gateway, and that this requires ACM Certificates.

Is there a simpler way to solve this? Could I do it just with the ID of a security group that gives API Gateway A access to the VPCEndpoint?

Server response:

{
  "Version": {
    "Major": 1,
    "Minor": 1,
    "Build": -1,
    "Revision": -1,
    "MajorRevision": -1,
    "MinorRevision": -1
  },
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "application/json"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "23"
        ]
      }
    ]
  },
  "StatusCode": 403,
  "ReasonPhrase": "Forbidden",
  "Headers": [
    {
      "Key": "Server",
      "Value": [
        "Server"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Mon, 16 Dec 2019 11:25:43 GMT"
      ]
    },
    {
      "Key": "Connection",
      "Value": [
        "keep-alive"
      ]
    },
    {
      "Key": "x-amzn-RequestId",
      "Value": [
        "09df4fdd-d26d-4266-b569-35d537488913"
      ]
    },
    {
      "Key": "x-amzn-ErrorType",
      "Value": [
        "ForbiddenException"
      ]
    },
    {
      "Key": "x-amz-apigw-id",
      "Value": [
        "Ey10qAA7DoEF-Ng="
      ]
    }
  ],
  "RequestMessage": {
    "Version": {
      "Major": 2,
      "Minor": 0,
      "Build": -1,
      "Revision": -1,
      "MajorRevision": -1,
      "MinorRevision": -1
    },
    "Content": {
      "Headers": [
        {
          "Key": "Content-Type",
          "Value": [
            "application/json; charset=utf-8"
          ]
        },
        {
          "Key": "Content-Length",
          "Value": [
            "104"
          ]
        }
      ]
    },
    "Method": {
      "Method": "POST"
    },
    "RequestUri": "https://{apigatewayUrl}api/Commands",
    "Headers": [],
    "Properties": {}
  },
  "IsSuccessStatusCode": false
}

Update: adding an edge-optimized custom domain name, as the article suggests, does not solve the problem.

1 answer:

Answer 0 (score: 0)

Access to the public API Gateway (and to the public Internet) was blocked until I added a NAT gateway to the VPC. The solution is described here: https://medium.com/@philippholly/aws-lambda-enable-outgoing-internet-access-within-vpc-8dd250e11e12
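The three outcomes in this thread (403 with the execute-api endpoint in place, timeout once it is removed, success after a NAT gateway route is added) can be reproduced with a small diagnostic model. This is an added example, not code from the question, the answer or AWS; the VPC CIDR, resolved addresses, route entries and NAT gateway ID are constructed placeholders, and the predicted status strings are assumptions.

```python
"""Predict what a caller in a private subnet gets when it invokes an API
Gateway stage. Models the thread's three cases: the execute-api interface
endpoint with PrivateDnsEnabled captures the public API's hostname and the
endpoint (which only serves private APIs) returns 403; without the endpoint
and without an internet route the connection times out; with a NAT gateway
route to 0.0.0.0/0 the public API is reachable. All values are constructed."""
from ipaddress import ip_address, ip_network


def resolves_to_endpoint(resolved_ips, vpc_cidr):
    """True if the execute-api hostname resolves to addresses inside the VPC,
    i.e. the interface endpoint's private DNS has captured the name."""
    net = ip_network(vpc_cidr)
    return any(ip_address(ip) in net for ip in resolved_ips)


def has_internet_route(route_table):
    """True if the subnet's route table sends 0.0.0.0/0 to a NAT gateway.
    route_table is a list of (destination_cidr, target_id) pairs."""
    default = ip_network("0.0.0.0/0")
    return any(ip_network(dest) == default and target.startswith("nat-")
               for dest, target in route_table)


def predict(api_type, resolved_ips, vpc_cidr, route_table):
    """Return the outcome for api_type in {"PRIVATE", "REGIONAL", "EDGE"}."""
    if resolves_to_endpoint(resolved_ips, vpc_cidr):
        # Request goes to the interface endpoint, which serves private APIs only.
        return "200" if api_type == "PRIVATE" else "403 ForbiddenException"
    if api_type == "PRIVATE":
        return "unreachable: private API requires the execute-api endpoint"
    # Public (regional/edge) API: needs a path to the internet from the subnet.
    return "200" if has_internet_route(route_table) else "timeout"


if __name__ == "__main__":
    vpc = "10.0.0.0/16"                       # constructed VPC CIDR
    local_only = [("10.0.0.0/16", "local")]   # constructed route table
    with_nat = local_only + [("0.0.0.0/0", "nat-0123456789abcdef0")]
    print(predict("REGIONAL", ["10.0.1.25"], vpc, local_only))   # endpoint present
    print(predict("REGIONAL", ["52.0.0.10"], vpc, local_only))   # endpoint removed
    print(predict("REGIONAL", ["52.0.0.10"], vpc, with_nat))     # NAT gateway added
```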