Amazon Web Services: calling a public API Gateway from an API Gateway inside a VPC


I have two API Gateways: a public one (A) and one inside a VPC (B), with a VPCEndpoint configured for calling API Gateway.

VPCEndpoint configuration:

  IotCoreApiGatewayVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "execute-api:Invoke"
            Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !GetAtt DbSecurityGroup.GroupId
      SubnetIds:
        - !Ref PrivateSubnetAId
        - !Ref PrivateSubnetBId
API Gateway B calls API Gateway A and I get a 403 Forbidden error.

If I remove the VPCEndpoint configuration, I get a timeout instead of the 403.

Calling API Gateway A from a Lambda that is not in a VPC works fine, and CORS is enabled.

A similar problem is described here:

The article says I have to set up an edge-optimized custom domain name for the API Gateway, which requires an ACM certificate.

Is there a simpler way to solve this? Could I access API Gateway A via the ID of the security group attached to the VPCEndpoint?

Server response:

{
  "Version": {
    "Major": 1,
    "Minor": 1,
    "Build": -1,
    "Revision": -1,
    "MajorRevision": -1,
    "MinorRevision": -1
  },
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "application/json"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "23"
        ]
      }
    ]
  },
  "StatusCode": 403,
  "ReasonPhrase": "Forbidden",
  "Headers": [
    {
      "Key": "Server",
      "Value": [
        "Server"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Mon, 16 Dec 2019 11:25:43 GMT"
      ]
    },
    {
      "Key": "Connection",
      "Value": [
        "keep-alive"
      ]
    },
    {
      "Key": "x-amzn-RequestId",
      "Value": [
        "09df4fdd-d26d-4266-b569-35d537488913"
      ]
    },
    {
      "Key": "x-amzn-ErrorType",
      "Value": [
        "ForbiddenException"
      ]
    },
    {
      "Key": "x-amz-apigw-id",
      "Value": [
        "Ey10qAA7DoEF-Ng="
      ]
    }
  ],
  "RequestMessage": {
    "Version": {
      "Major": 2,
      "Minor": 0,
      "Build": -1,
      "Revision": -1,
      "MajorRevision": -1,
      "MinorRevision": -1
    },
    "Content": {
      "Headers": [
        {
          "Key": "Content-Type",
          "Value": [
            "application/json; charset=utf-8"
          ]
        },
        {
          "Key": "Content-Length",
          "Value": [
            "104"
          ]
        }
      ]
    },
    "Method": {
      "Method": "POST"
    },
    "RequestUri": "https://{apigatewayUrl}api/Commands",
    "Headers": [],
    "Properties": {}
  },
  "IsSuccessStatusCode": false
}

Upd: adding an edge-optimized custom domain name as suggested in does not solve the problem.

Access to the public API Gateway (and to the public internet) was blocked until I added a NAT gateway to the VPC. The solution is described here -
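As an added triage aid (not code from the question or its comments): classify the failure from how the API hostname resolves inside the VPC and what the call returned. The sample response dict and the private IP addresses are constructed; with PrivateDnsEnabled: true the execute-api hostname resolves to the interface endpoint, which serves only private APIs, so a call to the public API A is answered with 403 ForbiddenException, while without the endpoint and without a NAT gateway the request simply times out.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional

# Constructed sample mirroring the shape of the response posted in the question
# (a serialized .NET HttpResponseMessage), trimmed to the fields used here.
SAMPLE_RESPONSE = {
    "StatusCode": 403,
    "ReasonPhrase": "Forbidden",
    "Headers": [
        {"Key": "x-amzn-ErrorType", "Value": ["ForbiddenException"]},
        {"Key": "x-amzn-RequestId", "Value": ["00000000-0000-0000-0000-000000000000"]},
    ],
}
# Constructed: addresses a name lookup inside the VPC returns when private DNS is on.
SAMPLE_PRIVATE_IPS = ["10.0.1.25", "10.0.2.41"]


def flatten_headers(response: dict) -> Dict[str, str]:
    """Turn the [{"Key": k, "Value": [v, ...]}] header list into a plain dict."""
    return {h["Key"]: ", ".join(h["Value"]) for h in response.get("Headers", [])}


def resolve_all(hostname: str) -> List[str]:
    """Resolve every IPv4 address of the API hostname (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def resolved_privately(ips: Iterable[str]) -> bool:
    """True when the name resolves only to private (RFC 1918) addresses, i.e. to
    the execute-api interface endpoint's ENIs rather than the public front end."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    return bool(addrs) and all(a.is_private for a in addrs)


def diagnose(ips: Iterable[str], status: Optional[int], headers: Dict[str, str]) -> str:
    """Map the observed name resolution and HTTP outcome to a likely cause.
    status is None when the call timed out without any HTTP response."""
    private = resolved_privately(list(ips))
    if status is None:
        # Public IPs but no answer: the private subnet has no route to the internet
        # (the timeout the question sees once the endpoint is removed; a NAT gateway fixes it).
        return "private-endpoint-unreachable" if private else "no-internet-route"
    if status == 403 and headers.get("x-amzn-ErrorType") == "ForbiddenException":
        # Private DNS steered a call for a *public* API into the interface endpoint,
        # which serves only private APIs and answers 403 Forbidden.
        return "public-api-via-private-dns" if private else "api-policy-or-auth"
    return "other"
```

Run `resolve_all("<api-id>.execute-api.<region>.amazonaws.com")` from inside the VPC and feed the result together with the response into `diagnose` to tell the private-DNS 403 apart from a genuine resource-policy or authorizer rejection.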

Does B have the proper IAM role to invoke A? How are you invoking the private API B? Could you share the output of the curl command? Are you able to invoke the public API A from inside the VPC (i.e. from an EC2 instance)?

@franziga - a Lambda that is not in a VPC can call API A over HTTP without any additional permissions. It just sends an HTTP request to the web API address. I have added apigateway: and lambda: permissions for API B, but

@Suraj Bhatia - updated the question with the server response. Is the security group in the VPC blocking outgoing HTTP?

@franziga all outgoing HTTP traffic is allowed