Amazon Web Services: calling a public API Gateway from an API Gateway in a VPC
Tags: amazon-web-services, aws-api-gateway, amazon-vpc, api-gateway

I have two API gateways: one public (A) and another in a VPC (B), configured with a VPCEndpoint to call the API gateway.

VPCEndpoint configuration:

    IotCoreApiGatewayVPCEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Principal: "*"
              Action:
                - "execute-api:Invoke"
              Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
        ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
        VpcEndpointType: Interface
        VpcId: !Ref VpcId
        PrivateDnsEnabled: true
        SecurityGroupIds:
          - !GetAtt DbSecurityGroup.GroupId
        SubnetIds:
          - !Ref PrivateSubnetAId
          - !Ref PrivateSubnetBId
API gateway B is calling API gateway A, and I get 403 Forbidden errors.

If I remove the VPCEndpoint configuration, instead of 403 I get a timeout.

Calling API gateway A from a Lambda that is not in a VPC works fine, and CORS is also enabled.

A similar problem is described here:

The article states that I must set up an edge-optimized custom domain name for the API gateway, which requires an ACM certificate.

Is there an easier way to solve this? Can I allow access to API gateway A by the id of the security group attached to the VPCEndpoint?

Server response:
    {
      "Version": {
        "Major": 1,
        "Minor": 1,
        "Build": -1,
        "Revision": -1,
        "MajorRevision": -1,
        "MinorRevision": -1
      },
      "Content": {
        "Headers": [
          {
            "Key": "Content-Type",
            "Value": [
              "application/json"
            ]
          },
          {
            "Key": "Content-Length",
            "Value": [
              "23"
            ]
          }
        ]
      },
      "StatusCode": 403,
      "ReasonPhrase": "Forbidden",
      "Headers": [
        {
          "Key": "Server",
          "Value": [
            "Server"
          ]
        },
        {
          "Key": "Date",
          "Value": [
            "Mon, 16 Dec 2019 11:25:43 GMT"
          ]
        },
        {
          "Key": "Connection",
          "Value": [
            "keep-alive"
          ]
        },
        {
          "Key": "x-amzn-RequestId",
          "Value": [
            "09df4fdd-d26d-4266-b569-35d537488913"
          ]
        },
        {
          "Key": "x-amzn-ErrorType",
          "Value": [
            "ForbiddenException"
          ]
        },
        {
          "Key": "x-amz-apigw-id",
          "Value": [
            "Ey10qAA7DoEF-Ng="
          ]
        }
      ],
      "RequestMessage": {
        "Version": {
          "Major": 2,
          "Minor": 0,
          "Build": -1,
          "Revision": -1,
          "MajorRevision": -1,
          "MinorRevision": -1
        },
        "Content": {
          "Headers": [
            {
              "Key": "Content-Type",
              "Value": [
                "application/json; charset=utf-8"
              ]
            },
            {
              "Key": "Content-Length",
              "Value": [
                "104"
              ]
            }
          ]
        },
        "Method": {
          "Method": "POST"
        },
        "RequestUri": "https://{apigatewayUrl}api/Commands",
        "Headers": [],
        "Properties": {}
      },
      "IsSuccessStatusCode": false
    }
Upd: Adding an edge-optimized custom domain name as suggested in the article does not solve the problem. Before I added a NAT gateway to the VPC, access to the public API gateway (and to the public internet) was blocked. The solution is described here:

Comments:

- Does B have an appropriate IAM role to call A? How are you calling private API B? Can you share the output of the curl command?
- Are you able to call public API A from inside the VPC (i.e. from an EC2 instance)?
- @franziga - A Lambda not in a VPC can call API A over HTTP without any additional permissions. It just sends an HTTP request to the web API address. I have added the apigateway: and lambda: permissions for API B, but
- @Suraj Bhatia - updated the question with the server response
- Is the security group in the VPC blocking outgoing HTTP?
- @franziga allows all outgoing HTTP traffic
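The two failures in the question (403 Forbidden with the endpoint present, timeout with it removed) come down to where the execute-api hostname resolves from inside the VPC and what answered. The script below is an added example, not code from the question or its comments: it encodes that triage as a function over the response dump in the shape the question shows. It relies on the documented behaviour of a PrivateDnsEnabled execute-api interface endpoint (all execute-api names in the VPC resolve to the endpoint, which fronts private REST APIs only, so a public API answers 403); the outcome labels, the VPC CIDR and the IP addresses are constructed for the example, and the sample response is the question's 403 reduced to the headers used here.

```python
"""Triage the 403-vs-timeout symptom when a VPC caller hits API Gateway.

Added example, not code from the question. The response dict shape is the
one shown in the question; IPs, CIDR and label names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Outcome labels (names chosen for this example)
ENDPOINT_INTERCEPT = "private-dns-endpoint-intercept"
NO_EGRESS_ROUTE = "no-egress-route"
AUTHZ_DENIED = "authorization-denied"
ENDPOINT_UNREACHABLE = "endpoint-unreachable"
OK = "ok"
UNEXPECTED = "unexpected"


@dataclass
class Diagnosis:
    cause: str
    detail: str
    action: str


def get_header(headers: List[dict], key: str) -> Optional[str]:
    """Read a header from the [{"Key": ..., "Value": [...]}] list the question shows."""
    for item in headers:
        if item.get("Key", "").lower() == key.lower():
            values = item.get("Value") or []
            return values[0] if values else None
    return None


def resolves_inside_vpc(resolved_ips: List[str], vpc_cidrs: List[str]) -> bool:
    """True when every resolved address is a VPC address, i.e. the name points at the endpoint ENIs."""
    nets = [ip_network(c) for c in vpc_cidrs]
    return bool(resolved_ips) and all(
        any(ip_address(ip) in net for net in nets) for ip in resolved_ips
    )


def diagnose(response: Optional[dict], resolved_ips: List[str], vpc_cidrs: List[str]) -> Diagnosis:
    """response is the HttpResponseMessage-style dump, or None when the call timed out."""
    via_endpoint = resolves_inside_vpc(resolved_ips, vpc_cidrs)

    if response is None:  # timeout: nothing answered at all
        if via_endpoint:
            return Diagnosis(ENDPOINT_UNREACHABLE,
                             "Name resolves to the interface endpoint but no TCP answer came back.",
                             "Check the endpoint security group allows inbound 443 from the caller.")
        return Diagnosis(NO_EGRESS_ROUTE,
                         "Name resolves to public IPs but the private subnet has no path to them.",
                         "Add a NAT gateway (or another egress path) to the private subnets' route table.")

    status = response.get("StatusCode")
    error_type = get_header(response.get("Headers", []), "x-amzn-ErrorType")

    if status == 403 and via_endpoint:
        return Diagnosis(ENDPOINT_INTERCEPT,
                         f"403 {error_type} from the execute-api interface endpoint, which fronts "
                         "private APIs only; private DNS sent the public API's hostname there.",
                         "Give the public API a custom domain name so it is not under execute-api, "
                         "or set PrivateDnsEnabled: false and reach it via a NAT gateway.")
    if status == 403:
        return Diagnosis(AUTHZ_DENIED,
                         f"403 {error_type} straight from the public API.",
                         "Check the API's authorizer, resource policy and API key requirements.")
    if status is not None and 200 <= status < 300:
        return Diagnosis(OK, f"HTTP {status}.", "Nothing to do.")
    return Diagnosis(UNEXPECTED, f"HTTP {status} {error_type}.",
                     "Inspect the API's access logs using the x-amzn-RequestId.")


# Sample input: the 403 from the question, reduced to the fields used here.
SAMPLE_403 = {
    "StatusCode": 403,
    "ReasonPhrase": "Forbidden",
    "Headers": [
        {"Key": "x-amzn-RequestId", "Value": ["09df4fdd-d26d-4266-b569-35d537488913"]},
        {"Key": "x-amzn-ErrorType", "Value": ["ForbiddenException"]},
        {"Key": "x-amz-apigw-id", "Value": ["Ey10qAA7DoEF-Ng="]},
    ],
}
VPC_CIDRS = ["10.0.0.0/16"]                     # constructed
ENDPOINT_ENI_IPS = ["10.0.1.25", "10.0.2.25"]   # constructed: what private DNS returns
PUBLIC_IPS = ["203.0.113.10"]                   # constructed: documentation range


if __name__ == "__main__":
    for label, resp, ips in [
        ("with endpoint, private DNS on", SAMPLE_403, ENDPOINT_ENI_IPS),
        ("endpoint removed, no NAT", None, PUBLIC_IPS),
    ]:
        d = diagnose(resp, ips, VPC_CIDRS)
        print(f"{label}: {d.cause}\n  {d.detail}\n  -> {d.action}")
```

Run it as-is to see the two cases from the question classified; in a real VPC, feed `diagnose` the addresses a resolver inside the subnet returns for the API's hostname (for example from `dig`) and the captured response, and the cause tells you whether you are looking at DNS interception by the endpoint, a missing egress route, or a genuine authorization failure on A.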