Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?

If you get this error when connecting to your API Gateway public APIs from an Amazon VPC, check to see if there's an interface VPC endpoint for API Gateway associated with that VPC, with private DNS enabled. When private DNS is enabled for an interface VPC endpoint associated with a VPC, all requests from the VPC to API Gateway APIs resolve to that VPC endpoint, and you can't connect to public APIs using a VPC endpoint.

Check your Amazon VPC to confirm if you (or another AWS Identity and Access Management (IAM) identity with shared access to your AWS resources) created an interface VPC endpoint to access a private API Gateway API. If there's an interface endpoint, check to see if the private DNS setting is enabled. For more information, see DNS Support in Your VPC.

Connect to public APIs with private DNS enabled

If private DNS is enabled, use edge-optimized custom domain names or regional custom domain names to connect to your public APIs.

Note: When configuring DNS records for a regional custom domain name, you must use A type alias records. However, with edge-optimized custom domain names, you can use either A type alias records or CNAME records. For more information, see Set Up a Custom Domain Name for an API in API Gateway.

Connect to public APIs with private DNS disabled

If private DNS is disabled for an interface VPC endpoint for API Gateway, or if you don't have an interface endpoint in the Amazon VPC, confirm that any:

• Security groups for your VPC allow outbound traffic to your public API.
• Resource policy attached to your API doesn't deny access from the VPC.

When your Amazon VPC has permission to access your public APIs, use public DNS to connect to your public APIs. For more information, see Controlling and Managing Access to a REST API in API Gateway.

(Optional) Change the private DNS setting for an interface VPC endpoint

You can change the private DNS setting for an interface VPC endpoint at any time. Changing this setting disables or enables resolution of an API's stage URL to the private IP of the interface VPC endpoint.

Note: Changing this setting affects how you can connect to your private APIs and public APIs from your Amazon VPC.

1. Open the Endpoints pane of the Amazon VPC console.
2. Select your interface VPC endpoint.
3. Choose Actions, and then choose Modify Private DNS names.
4. For Enable Private DNS Name, select or clear the check box (Enable for this endpoint).
5. Choose Modify Private DNS names.

For more information, see Viewing and Updating DNS Support for Your VPC.