Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?

Last updated: 2022-06-17

I'm calling my Amazon API Gateway APIs from my virtual private cloud (VPC), but I get an HTTP 403 Forbidden error. Why is that?

Short description

The HTTP 403 Forbidden error most commonly occurs when private DNS is enabled for an API Gateway interface VPC endpoint that's associated with a VPC. In this scenario, all requests from the VPC to API Gateway APIs resolve to that interface VPC endpoint. However, it's not possible to connect to public APIs using a VPC endpoint.

The private DNS name of a VPC endpoint is in the format *.execute-api.<REGION>.amazonaws.com. This format matches the API Gateway default invoke URL for public and private APIs. For example, the default invoke URL of a public API is https://abcd1234.execute-api.us-east-1.amazonaws.com where abcd1234 is the API ID and us-east-1 is the AWS Region of the API.

When a private DNS is enabled on a VPC endpoint, the API's invoke URL is covered by the private DNS name *.execute-api.us-east-1.amazonaws.com where * is a placeholder for the API ID. When a DNS query is resolved for a public API from inside a VPC, the resolved DNS points to the private IP of the associated VPC endpoint instead of the public IP of the public API. The API call is then routed to the public API through the VPC endpoint instead of routing it through the internet. Because VPC endpoints can route traffic only to private APIs, the result is an HTTP 403 error.

If private DNS isn't enabled for your interface VPC endpoint, or there is no endpoint in your VPC, go to the Connect to public APIs when private DNS isn't enabled section.

Resolution

Confirm that a private DNS is enabled for an interface VPC endpoint associated with your VPC

Check your VPC to see if there's an interface VPC endpoint to access a private API. If there's an interface endpoint, check to see if the private DNS settings are enabled. For more information, see DNS attributes in your VPC.

Connect to public APIs with private DNS enabled

If private DNS is enabled, set up edge-optimized custom domain names or regional custom domain names to connect to your public APIs.

Important: Resources in your VPC that try to connect to your public APIs must have internet connectivity. Also, when configuring DNS records for a regional custom domain name, you must use A type alias records. However, with edge-optimized custom domain names, use either A type alias records or CNAME records.

Connect to public APIs when private DNS isn't enabled

If private DNS isn't enabled in the interface VPC endpoint, or there is no endpoint in your Amazon Virtual Private Cloud (Amazon VPC) configuration, confirm that the following is true:

When your VPC has permission to access your public APIs, use public DNS to connect to your public APIs. For more information, see Controlling and managing access to a REST API in API Gateway.

(Optional) Change the private DNS setting for an interface VPC endpoint

Users can change the private DNS setting for an interface VPC endpoint at any time. Changing this setting affects the resolution of an API's stage URL to the private IP of the interface VPC endpoint.

Note: Changing the private DNS setting affects how users can connect to private APIs and public APIs from a VPC.

  1. In the Amazon VPC console, open the Endpoints pane.
  2. Select the interface VPC endpoint.
  3. Choose Actions, and then choose Modify Private DNS names.
  4. For Enable Private DNS Name, select or clear the Enable for this endpoint check box.
  5. Choose Modify Private DNS names.

For more information, see View and update DNS attributes for your VPC.