Calling public ApiGateway from ApiGateway in VPC
I have two API Gateways - one public (A) and the other in a VPC (B). A VPCEndpoint is configured for calling the API Gateways.
VPCEndpoint configuration:
IotCoreApiGatewayVPCEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: "*"
          Action:
            - "execute-api:Invoke"
          Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
    ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
    VpcEndpointType: Interface
    VpcId: !Ref VpcId
    PrivateDnsEnabled: true
    SecurityGroupIds:
      - !GetAtt DbSecurityGroup.GroupId
    SubnetIds:
      - !Ref PrivateSubnetAId
      - !Ref PrivateSubnetBId
API Gateway B is calling API Gateway A, and I get a 403 Forbidden error.
If I remove the VPCEndpoint configuration, I get a timeout instead of the 403.
Calling API Gateway A from a Lambda without a VPC works fine, and CORS is enabled as well.
A similar problem is described here:
https://aws.amazon.com/ru/premiumsupport/knowledge-center/api-gateway-vpc-connections/
The article states that I have to set up an Edge-Optimized Custom Domain Name for the ApiGateway, which requires using ACM Certificates.
Is there a simpler way to solve this?
Can I just attach a security group ID and give API Gateway A access to the VPCEndpoint?
Server response:
{
  "Version": {
    "Major": 1,
    "Minor": 1,
    "Build": -1,
    "Revision": -1,
    "MajorRevision": -1,
    "MinorRevision": -1
  },
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "application/json"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "23"
        ]
      }
    ]
  },
  "StatusCode": 403,
  "ReasonPhrase": "Forbidden",
  "Headers": [
    {
      "Key": "Server",
      "Value": [
        "Server"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Mon, 16 Dec 2019 11:25:43 GMT"
      ]
    },
    {
      "Key": "Connection",
      "Value": [
        "keep-alive"
      ]
    },
    {
      "Key": "x-amzn-RequestId",
      "Value": [
        "09df4fdd-d26d-4266-b569-35d537488913"
      ]
    },
    {
      "Key": "x-amzn-ErrorType",
      "Value": [
        "ForbiddenException"
      ]
    },
    {
      "Key": "x-amz-apigw-id",
      "Value": [
        "Ey10qAA7DoEF-Ng="
      ]
    }
  ],
  "RequestMessage": {
    "Version": {
      "Major": 2,
      "Minor": 0,
      "Build": -1,
      "Revision": -1,
      "MajorRevision": -1,
      "MinorRevision": -1
    },
    "Content": {
      "Headers": [
        {
          "Key": "Content-Type",
          "Value": [
            "application/json; charset=utf-8"
          ]
        },
        {
          "Key": "Content-Length",
          "Value": [
            "104"
          ]
        }
      ]
    },
    "Method": {
      "Method": "POST"
    },
    "RequestUri": "https://{apigatewayUrl}api/Commands",
    "Headers": [],
    "Properties": {}
  },
  "IsSuccessStatusCode": false
}
Update: adding an edge-optimized custom domain name as recommended in the article did not solve the problem.
It turned out that access to the public API Gateway (and to the public Internet) was blocked until I added a NAT gateway to my VPC. The solution is described here - https://medium.com/@philippholly/aws-lambda-enable-outgoing-internet-access-within-vpc-8dd250e11e12
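A small triage helper for the kind of failure dump shown in the question, added here as an example and not part of the original post or of any AWS tooling. It parses the serialized HttpResponseMessage format (header list of Key/Value arrays), pulls out the identifiers worth keeping for an AWS support case, and, given the PrivateDnsEnabled setting of the caller's execute-api VPC endpoint, flags the private-DNS cause of a 403 ForbiddenException; the sample dump is constructed from the values in the question, and the cause strings are the author's own wording.

```python
import json

# Constructed sample: the serialized HttpResponseMessage from the question,
# trimmed to the fields the triage actually reads.
SAMPLE_DUMP = json.dumps({
    "StatusCode": 403,
    "ReasonPhrase": "Forbidden",
    "Headers": [
        {"Key": "x-amzn-RequestId", "Value": ["09df4fdd-d26d-4266-b569-35d537488913"]},
        {"Key": "x-amzn-ErrorType", "Value": ["ForbiddenException"]},
        {"Key": "x-amz-apigw-id", "Value": ["Ey10qAA7DoEF-Ng="]},
    ],
    "RequestMessage": {"RequestUri": "https://{apigatewayUrl}api/Commands"},
})


def flatten_headers(header_list):
    """Turn the [{"Key": k, "Value": [v, ...]}, ...] serialization into a
    case-insensitive dict that keeps the first value of each header."""
    return {h["Key"].lower(): h["Value"][0] for h in header_list if h.get("Value")}


def triage(dump_json, private_dns_enabled):
    """Classify an API Gateway failure dump. private_dns_enabled is the
    PrivateDnsEnabled setting of the caller's execute-api VPC endpoint."""
    resp = json.loads(dump_json)
    hdrs = flatten_headers(resp.get("Headers", []))
    result = {
        "status": resp.get("StatusCode"),
        "error_type": hdrs.get("x-amzn-errortype"),
        "request_id": hdrs.get("x-amzn-requestid"),   # quote this in a support case
        "apigw_id": hdrs.get("x-amz-apigw-id"),
        "from_api_gateway": "x-amz-apigw-id" in hdrs,  # absent => never reached the gateway
        "likely_cause": "unknown",
    }
    if result["status"] == 403 and result["error_type"] == "ForbiddenException":
        if private_dns_enabled:
            # With private DNS on, every *.execute-api.<region>.amazonaws.com name in
            # the VPC resolves to the interface endpoint, which only serves PRIVATE
            # APIs; a public regional/edge API reached that way is refused with 403.
            result["likely_cause"] = ("execute-api VPC endpoint with PrivateDnsEnabled "
                                      "captured the public API's hostname")
        else:
            result["likely_cause"] = "resource policy or WAF refused the request"
    elif result["status"] == 403 and result["error_type"] == "MissingAuthenticationTokenException":
        result["likely_cause"] = "no method/route matches the stage and path"
    return result
```

A timeout with no dump at all (the behaviour the question reports once the endpoint is removed) is not a gateway error; it means the private subnet has no route out, which is what the NAT gateway in the update supplies.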