Why do I get an HTTP 403 Forbidden error when connecting to my API Gateway APIs from a VPC?

Last updated: 2020-12-16

This HTTP 403 error most commonly occurs when private DNS is enabled for an API Gateway interface VPC endpoint that's associated with an Amazon VPC. When this happens, all requests from the VPC to API Gateway APIs resolve to that interface VPC endpoint. However, it's not possible to connect to public APIs using a VPC endpoint.

If private DNS is disabled for the interface VPC endpoint, or there is no endpoint in your Amazon VPC, then see the following private DNS disabled section.

Confirm if private DNS is enabled for an interface VPC endpoint associated with your Amazon VPC

Check your Amazon VPC to see if there's an interface VPC endpoint to access a private API Gateway API. If there's an interface endpoint, check to see if the private DNS setting is enabled. For more information, see DNS Support in Your VPC.

Connect to public APIs with private DNS enabled

If private DNS is enabled, use edge-optimized custom domain names or regional custom domain names to connect to your public APIs.

Important: Resources in your VPC that try to connect to your public APIs must have internet connectivity. Also, when configuring DNS records for a regional custom domain name, you must use A type alias records. However, with edge-optimized custom domain names, you can use either A type alias records or CNAME records. For more information, see Set Up a Custom Domain Name for an API in API Gateway.

Connect to public APIs with private DNS disabled

If private DNS is disabled for the interface VPC endpoint, or there is no endpoint in your Amazon VPC, confirm if the following is true:

• Security groups for your VPC allow outbound traffic to your public API.
• The resource policy attached to your API doesn't deny access from the VPC.

When your Amazon VPC has permission to access your public APIs, use public DNS to connect to your public APIs. For more information, see Controlling and Managing Access to a REST API in API Gateway.

(Optional) Change the private DNS setting for an interface VPC endpoint

You can change the private DNS setting for an interface VPC endpoint at any time. Changing this setting disables or enables resolution of an API's stage URL to the private IP of the interface VPC endpoint.

Note: Changing this setting affects how you can connect to your private APIs and public APIs from your Amazon VPC.

1. Open the Endpoints pane of the Amazon VPC console.
2. Select your interface VPC endpoint.
3. Choose Actions, and then choose Modify Private DNS names.
4. For Enable Private DNS Name, select or clear the check box (Enable for this endpoint).
5. Choose Modify Private DNS names.

For more information, see Viewing and Updating DNS Support for Your VPC.