Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?
Last updated: 2019-09-27
I'm calling my Amazon API Gateway APIs from my Amazon Virtual Private Cloud (Amazon VPC), but I get an HTTP 403 Forbidden error. Why is that?
If you get this error when connecting to your API Gateway public APIs from an Amazon VPC, check to see if there's an interface VPC endpoint for API Gateway associated with that VPC, with private DNS enabled. When private DNS is enabled for an interface VPC endpoint associated with a VPC, all requests from the VPC to API Gateway APIs resolve to that VPC endpoint, and you can't connect to public APIs via a VPC endpoint.
Check your Amazon VPC to confirm whether you (or another AWS Identity and Access Management (IAM) identity with shared access to your AWS resources) created an interface VPC endpoint to access a private API Gateway API. If there's an interface endpoint, check whether the private DNS setting (Enable Private DNS Name) is selected.
Connect to public APIs with private DNS enabled
If private DNS is enabled, use edge-optimized custom domain names to connect to your public APIs.
Connect to public APIs with private DNS disabled
If private DNS is disabled for an interface VPC endpoint for API Gateway, or if you don't have an interface endpoint in the Amazon VPC, confirm the following:
- The security groups for your VPC allow outbound traffic to your public API.
- The resource policy attached to your API doesn't deny access from the VPC.
When your Amazon VPC has permission to access your public APIs, use public DNS to connect to your public APIs. For more information, see Controlling and Managing Access to a REST API in API Gateway.
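The endpoint check and the two connection paths described above can be scripted against the JSON that `aws ec2 describe-vpc-endpoints --output json` returns. The following is an added example, not AWS-provided code; the sample response, IDs and region are constructed, and the function names and the lowercase `available` state comparison are assumptions of this example.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints --output json`
# (endpoint IDs, VPC IDs and region are made up for illustration).
SAMPLE = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0aaa1111example", "VpcEndpointType": "Interface",
   "VpcId": "vpc-0123example", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.execute-api", "PrivateDnsEnabled": true},
  {"VpcEndpointId": "vpce-0bbb2222example", "VpcEndpointType": "Gateway",
   "VpcId": "vpc-0123example", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.s3", "PrivateDnsEnabled": false},
  {"VpcEndpointId": "vpce-0ccc3333example", "VpcEndpointType": "Interface",
   "VpcId": "vpc-0456example", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.execute-api", "PrivateDnsEnabled": false}
]}
""")


def execute_api_endpoints(response, vpc_id):
    """Available interface endpoints for API Gateway (execute-api) in vpc_id."""
    return [
        ep for ep in response.get("VpcEndpoints", [])
        if ep.get("VpcId") == vpc_id
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("ServiceName", "").endswith(".execute-api")
        and str(ep.get("State", "")).lower() == "available"  # assumed casing
    ]


def diagnose(response, vpc_id):
    """Return (endpoint IDs with private DNS enabled, next step per the article)."""
    capturing = [ep["VpcEndpointId"]
                 for ep in execute_api_endpoints(response, vpc_id)
                 if ep.get("PrivateDnsEnabled")]
    if capturing:
        step = ("Private DNS is enabled: use an edge-optimized custom domain "
                "name for public APIs, or disable private DNS on the endpoint.")
    else:
        step = ("No private DNS capture: check security group outbound rules "
                "and the API resource policy, then use public DNS.")
    return capturing, step


if __name__ == "__main__":
    for vpc in ("vpc-0123example", "vpc-0456example"):
        print(vpc, *diagnose(SAMPLE, vpc), sep="\n  ")
```

To run it against a real account, save the CLI output to a file, load it with `json.load`, and pass it to `diagnose` in place of `SAMPLE`.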
Disable or enable private DNS for an interface VPC endpoint
If you decide to stop (or start) using private DNS for an interface VPC endpoint, you can change the setting at any time.
- Open the Endpoints pane of the Amazon VPC console.
- Select your interface VPC endpoint.
- Choose Actions, and then choose Modify Private DNS names.
- For Enable Private DNS Name, select or deselect the check box (Enable for this endpoint).
- Choose Modify Private DNS names.