Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?

Last updated: 2019-09-27

I'm calling my Amazon API Gateway APIs from my Amazon Virtual Private Cloud (Amazon VPC), but I get an HTTP 403 Forbidden error. Why is that?

Short Description

If you get this error when connecting to your API Gateway public APIs from an Amazon VPC, check to see if there's an interface VPC endpoint for API Gateway associated with that VPC, with private DNS enabled. When private DNS is enabled for an interface VPC endpoint associated with a VPC, all requests from the VPC to API Gateway APIs resolve to that VPC endpoint, and you can't connect to public APIs via a VPC endpoint.

Resolution

Check your Amazon VPC to confirm if you (or another AWS Identity and Access Management (IAM) identity with shared access to your AWS resources) created an interface VPC endpoint to access a private API Gateway API. If there's an interface endpoint, see if the private DNS setting (Enable Private DNS Name) is selected.
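To make that check concrete, here is an added Python example (not from the article or from AWS) that scans the JSON returned by `aws ec2 describe-vpc-endpoints` for interface endpoints to the API Gateway `execute-api` service that have private DNS enabled in a given VPC. The sample output, VPC ID and endpoint IDs are constructed for illustration.

```python
import json
from typing import List

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output.
# All IDs are hypothetical; replace with the real command's output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0aaa111", "VpcEndpointType": "Interface",
         "VpcId": "vpc-0abc12345",
         "ServiceName": "com.amazonaws.us-east-1.execute-api",
         "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0bbb222", "VpcEndpointType": "Interface",
         "VpcId": "vpc-0abc12345",
         "ServiceName": "com.amazonaws.us-east-1.execute-api",
         "PrivateDnsEnabled": False},
        {"VpcEndpointId": "vpce-0ccc333", "VpcEndpointType": "Gateway",
         "VpcId": "vpc-0abc12345",
         "ServiceName": "com.amazonaws.us-east-1.s3"},
    ]
})


def find_private_dns_api_endpoints(describe_output: str, vpc_id: str) -> List[str]:
    """Return IDs of interface endpoints for API Gateway (execute-api) in
    vpc_id that have private DNS enabled.  Any hit means requests from that
    VPC to *.execute-api.<region>.amazonaws.com resolve to the endpoint, so
    calls to public APIs through it fail with HTTP 403."""
    data = json.loads(describe_output)
    hits = []
    for ep in data.get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id:
            continue
        if ep.get("VpcEndpointType") != "Interface":
            continue  # gateway endpoints (e.g. S3) are not relevant here
        if not ep.get("ServiceName", "").endswith(".execute-api"):
            continue  # only the API Gateway service matters
        if ep.get("PrivateDnsEnabled", False):
            hits.append(ep["VpcEndpointId"])
    return hits


if __name__ == "__main__":
    found = find_private_dns_api_endpoints(SAMPLE_DESCRIBE_OUTPUT, "vpc-0abc12345")
    if found:
        print("Private DNS enabled on execute-api endpoint(s):", ", ".join(found))
    else:
        print("No execute-api interface endpoint with private DNS in this VPC")
```

Feed it the real output of `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<your-vpc-id>` (hypothetical ID); any endpoint it reports is the one whose private DNS setting the sections below address.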

Connect to public APIs with private DNS enabled

If private DNS is enabled, use edge-optimized custom domain names to connect to your public APIs.

Connect to public APIs with private DNS disabled

If private DNS is disabled for an interface VPC endpoint for API Gateway, or if you don't have an interface endpoint in the Amazon VPC, confirm that any:

When your Amazon VPC has permission to access your public APIs, use public DNS to connect to your public APIs. For more information, see Controlling and Managing Access to a REST API in API Gateway.

Disable or enable private DNS for an interface VPC endpoint

If you decide to stop (or start) using private DNS for an interface VPC endpoint, you can change the setting at any time.

Note: Changing this setting also changes how you connect to your private APIs and public APIs from your Amazon VPC.

  1. Open the Endpoints pane of the Amazon VPC console.
  2. Select your interface VPC endpoint.
  3. Choose Actions, and then choose Modify Private DNS names.
  4. For Enable Private DNS Name, select or deselect the check box (Enable for this endpoint).
  5. Choose Modify Private DNS names.
