Calling public ApiGateway from ApiGateway in VPC

I have two API Gateways - one public (A), the other in a VPC (B). A VPCEndpoint is configured to call the API Gateways.

VPCEndpoint configuration:

  IotCoreApiGatewayVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "execute-api:Invoke"
            Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !GetAtt DbSecurityGroup.GroupId
      SubnetIds:
        - !Ref PrivateSubnetAId
        - !Ref PrivateSubnetBId

API Gateway B is calling API Gateway A, and I get a 403 Forbidden error.

If I remove the VPCEndpoint configuration, I get a timeout instead of a 403.

Calling API Gateway A from a Lambda without a VPC works fine, and CORS is enabled.

A similar problem is described here:

https://aws.amazon.com/ru/premiumsupport/knowledge-center/api-gateway-vpc-connections/

The article says I have to set up an Edge-Optimized Custom Domain Name for the API Gateway, which requires using ACM Certificates.

Is there a simpler way to solve this? Can I just attach a security group ID and let API Gateway A access the VPCEndpoint?

Server response:

{
  "Version": {
    "Major": 1,
    "Minor": 1,
    "Build": -1,
    "Revision": -1,
    "MajorRevision": -1,
    "MinorRevision": -1
  },
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "application/json"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "23"
        ]
      }
    ]
  },
  "StatusCode": 403,
  "ReasonPhrase": "Forbidden",
  "Headers": [
    {
      "Key": "Server",
      "Value": [
        "Server"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Mon, 16 Dec 2019 11:25:43 GMT"
      ]
    },
    {
      "Key": "Connection",
      "Value": [
        "keep-alive"
      ]
    },
    {
      "Key": "x-amzn-RequestId",
      "Value": [
        "09df4fdd-d26d-4266-b569-35d537488913"
      ]
    },
    {
      "Key": "x-amzn-ErrorType",
      "Value": [
        "ForbiddenException"
      ]
    },
    {
      "Key": "x-amz-apigw-id",
      "Value": [
        "Ey10qAA7DoEF-Ng="
      ]
    }
  ],
  "RequestMessage": {
    "Version": {
      "Major": 2,
      "Minor": 0,
      "Build": -1,
      "Revision": -1,
      "MajorRevision": -1,
      "MinorRevision": -1
    },
    "Content": {
      "Headers": [
        {
          "Key": "Content-Type",
          "Value": [
            "application/json; charset=utf-8"
          ]
        },
        {
          "Key": "Content-Length",
          "Value": [
            "104"
          ]
        }
      ]
    },
    "Method": {
      "Method": "POST"
    },
    "RequestUri": "https://{apigatewayUrl}api/Commands",
    "Headers": [],
    "Properties": {}
  },
  "IsSuccessStatusCode": false
}

Update: adding an edge-optimized custom domain name as suggested in the article did not solve the problem.

It turned out that access to the public API Gateway (and to the public Internet) was blocked until I added a NAT Gateway to my VPC. The solution is described here - https://medium.com/@philippholly/aws-lambda-enable-outgoing-internet-access-within-vpc-8dd250e11e12
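As an added example, not part of the original question: a stdlib-only Python check that reads a CloudFormation template (in JSON form) and flags the execute-api endpoint settings behind this 403, namely PrivateDnsEnabled on an execute-api interface endpoint and a wildcard-principal endpoint policy. The VPCEndpoint resource from the question is embedded as the constructed sample, rewritten from YAML tags to the equivalent JSON intrinsics; the function names and finding codes are my own.

```python
import json

# Constructed sample: the question's VPCEndpoint resource rewritten in CloudFormation JSON
# form (!Sub -> Fn::Sub, !Ref -> Ref, !GetAtt -> Fn::GetAtt) so no YAML parser is needed.
SAMPLE_TEMPLATE = json.loads(r'''
{"Resources": {"IotCoreApiGatewayVPCEndpoint": {
  "Type": "AWS::EC2::VPCEndpoint",
  "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Principal": "*", "Action": ["execute-api:Invoke"],
       "Resource": {"Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*"}}]},
    "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.execute-api"},
    "VpcEndpointType": "Interface",
    "VpcId": {"Ref": "VpcId"},
    "PrivateDnsEnabled": true,
    "SecurityGroupIds": [{"Fn::GetAtt": ["DbSecurityGroup", "GroupId"]}],
    "SubnetIds": [{"Ref": "PrivateSubnetAId"}, {"Ref": "PrivateSubnetBId"}]}}}}
''')

def resolve_string(value):
    """Literal text of a plain string or an Fn::Sub (variables left unexpanded)."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        value = value["Fn::Sub"]
        if isinstance(value, list):  # Fn::Sub [template, {vars}] form
            value = value[0]
    return value if isinstance(value, str) else ""

def is_wildcard_principal(principal):
    """True for Principal: "*" or Principal: {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def check_execute_api_endpoints(template):
    """Return (resource name, finding code) pairs for execute-api interface endpoints."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if (res.get("Type") != "AWS::EC2::VPCEndpoint"
                or not resolve_string(props.get("ServiceName")).endswith(".execute-api")):
            continue
        if props.get("PrivateDnsEnabled") is True:
            # Private DNS makes *.execute-api.<region>.amazonaws.com resolve to this endpoint
            # inside the VPC, so a public API's default URL gets 403 (the question's symptom).
            findings.append((name, "private-dns-hijacks-public-apis"))
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
                # Any caller that reaches the endpoint may invoke any API in the account.
                findings.append((name, "wildcard-principal-policy"))
    return findings
```

Run `check_execute_api_endpoints(SAMPLE_TEMPLATE)` to see both findings for the question's endpoint; a public API reached from the VPC needs a hostname the private DNS zone does not capture (a custom domain name) or a NAT route with private DNS off, as the update above ended up doing.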