How do I access a private API Gateway API when the VPC endpoint uses an on-premises DNS?
Last updated: 2021-04-19
I'm using a virtual private cloud (VPC) that has a custom, on-premises Domain Name System (DNS) server. After creating a VPC endpoint for a private Amazon API Gateway API, I received a name-resolution error when I tried to invoke the API. How do I fix this issue?
To troubleshoot name-resolution errors from API Gateway when the VPC endpoint uses an on-premises DNS, do the following:
1. Create an Amazon Route 53 Resolver in the VPC. For more information, see Getting started with Route 53 Resolver.
Note: Creating a Route 53 Resolver in the VPC allows the Route 53 Resolver to resolve the VPC endpoint's hostname within the VPC.
2. Add a DNS forwarder to the on-premises DNS server. When you configure the DNS forwarder, do the following:
Configure the DNS forwarder so that it forwards DNS queries to the Route 53 Resolver you created in step 1.
Add a rule to the DNS forwarder so that it forwards only DNS queries for names ending in amazonaws.com (the domain of the VPC endpoint); all other queries continue to be resolved by the on-premises server as before.
For more information, see Considerations when creating inbound and outbound endpoints.
Note: Before you can configure the DNS forwarder, you must have its destination IP addresses, which are the IP addresses of the Route 53 Resolver inbound endpoint.
To get the DNS forwarder's destination IP addresses
1. Open the Route 53 console.
2. In the left navigation panel, in the Resolver section, choose Inbound endpoints.
3. Open the Details page of the inbound endpoint for the VPC.
4. Note the IP addresses listed in the IP addresses section of the resolver. These are the DNS forwarder's destination IP addresses.
Note: The steps to create a DNS forwarder for an on-premises DNS server are different for each DNS server. For more information, consult your on-premises DNS server manual.