Why can't I connect to my public API from an API Gateway VPC endpoint?

Last updated: 2019-01-28

I created an interface endpoint in my Amazon Virtual Private Cloud (Amazon VPC) to connect to my Amazon API Gateway APIs. Why can't I access my public API from the VPC?

Short Description

When you select the Enable Private DNS Name option while creating an interface VPC endpoint for API Gateway, you can access your private APIs using a private or public DNS, but you can't access your public APIs. For more information, see Create an Interface VPC Endpoint for API Gateway execute-api.

Note: You can use a private DNS for your VPC endpoint and still call your public API from the VPC if you're using an edge-optimized custom domain name for the API.

Create a new interface VPC endpoint for API Gateway without enabling private DNS. You can connect to your public APIs from the VPC again by using their public DNS names. To connect to your private APIs, however, you must use endpoint-specific public DNS hostnames.

Resolution

Create a new interface VPC endpoint

1.    Log in to the Amazon VPC console.

2.    (Optional) If you already created an interface VPC endpoint for your API Gateway APIs with Enable Private DNS Name selected, delete that endpoint.

3.    Create a new interface VPC endpoint. During setup, don't select Enable Private DNS Name.

4.    In the navigation pane of the Amazon VPC console, choose Endpoints, and then find the endpoint you just created.

5.    Copy the Endpoint ID, and then paste it somewhere for reference. It looks like this:

vpce-012345a67bc89d012

6.    Under Details, copy any of the DNS Names listed, and then paste it somewhere for reference. These names look like this:

vpce-012345a67bc89d012-abc1de2cd.execute-api.us-east-1.vpce.amazonaws.com

Attach a resource policy to your private API

1.    Log in to the API Gateway console.

2.    Attach a resource policy to your private API to allow access to the API from your new VPC endpoint. For more information, see Example: Allow private API traffic based on source VPC or VPC endpoint.

3.    Redeploy your private API so that the resource policy changes take effect.

4.    In the console, choose the name of your private API.

5.    Copy the API's ID to your clipboard, and then paste it somewhere for reference. Find the ID at the top of the console screen, where it appears in parentheses after the API name, like this:

PetStore (abcde1f23g)

Note: You can also find the API ID in the URL of the link you chose in the previous step.

Test the connection to your private API

Use the curl command line tool to test your private API. In your curl command, include the base URL used to invoke the API, as well as a Host header or x-apigw-api-id header. For more information, see Invoking Your Private API Using Endpoint-Specific Public DNS Hostnames.

The base URL to invoke the API includes the DNS name and stage name. It looks like this:

https://vpceId.execute-api.awsRegion.vpce.amazonaws.com/stageName

Note: Replace vpceId with the VPC endpoint ID you copied. Replace awsRegion with your private API's AWS Region (for example, us-east-1). Replace stageName with the name of the stage to which your API is deployed.

The Host header looks like this:

Host: apiId.execute-api.awsRegion.amazonaws.com

Note: Replace apiId with the API ID you copied. Replace awsRegion with your private API's AWS Region (for example, us-east-1).

The x-apigw-api-id header looks like this:

x-apigw-api-id: apiId

Note: Replace apiId with the API ID you copied.

If you set up everything correctly, you get a 200 response code.
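The test above as a script, added here as an example and not part of the original article. It uses the endpoint DNS name copied in step 6 of "Create a new interface VPC endpoint" as the host in the base URL; the IDs, stage name and the /pets resource path are constructed placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds the endpoint-specific
# invoke URL and headers described above and probes the private API with curl.
# All values below are constructed placeholders: substitute the DNS name, API ID,
# Region and stage you copied in the earlier steps.

VPCE_DNS="vpce-012345a67bc89d012-abc1de2cd.execute-api.us-east-1.vpce.amazonaws.com"
API_ID="abcde1f23g"
AWS_REGION="us-east-1"
STAGE="prod"
RESOURCE_PATH="/pets"    # hypothetical resource path on the API

# Base URL: endpoint DNS name plus stage name (and an optional resource path).
invoke_url() {
  printf 'https://%s/%s%s' "$1" "$2" "$3"
}

# Host header carrying the private API's own execute-api hostname.
host_header() {
  printf 'Host: %s.execute-api.%s.amazonaws.com' "$1" "$2"
}

# Alternative to the Host header: the x-apigw-api-id header.
api_id_header() {
  printf 'x-apigw-api-id: %s' "$1"
}

# Send one GET from inside the VPC and print only the HTTP status code.
probe_private_api() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H "$(host_header "$API_ID" "$AWS_REGION")" \
    "$(invoke_url "$VPCE_DNS" "$STAGE" "$RESOURCE_PATH")"
}

# Turn the status code into a hint about which step to recheck.
explain_status() {
  case "$1" in
    200) echo "OK: private API reachable through the VPC endpoint" ;;
    403) echo "Forbidden: recheck the resource policy and that the API was redeployed" ;;
    000) echo "No connection: run this from inside the VPC and check that the DNS name resolves" ;;
    *)   echo "Unexpected status $1: check the stage name and resource path" ;;
  esac
}

# Run the probe only when asked, so the functions can be sourced without side effects.
if [ "${RUN_PROBE:-0}" = "1" ]; then
  code=$(probe_private_api)
  explain_status "$code"
fi
```

Run it from an instance inside the VPC with `RUN_PROBE=1 sh probe.sh`; curl reports status 000 when no connection could be made at all.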
