时间戳

首页 > 解决方案 > 从 VPC 中的 ApiGateway 调用公共 ApiGateway

amazon-web-services - 从 VPC 中的 ApiGateway 调用公共 ApiGateway

问题描述

我有两个 api 网关 - 一个公共 ( A ),另一个在 VPC ( B ) 中VPCEndpoint配置为调用 api 网关。

VPCEndpoint配置:

  IotCoreApiGatewayVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "execute-api:Invoke"
            Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !GetAtt DbSecurityGroup.GroupId
      SubnetIds:
        - !Ref PrivateSubnetAId
        - !Ref PrivateSubnetBId

api 网关B正在调用 api 网关A,我收到 403-Forbidden 错误。

如果我删除VPCEndpoint配置,而不是 403 我收到超时。

从没有 VPC 的 lambda调用 api 网关A工作正常,CORS 也已启用。

这里表达了类似的问题:

https://aws.amazon.com/ru/premiumsupport/knowledge-center/api-gateway-vpc-connections/

文章指出我必须Edge-Optimized Custom Domain Name为 ApiGateway 设置一个并且需要使用ACM Certificates.

有没有更简单的方法来解决这个问题?我可以通过 api 网关A访问安全组的 idVPCEndpoint吗?

服务器响应:

{
  "Version": {
    "Major": 1,
    "Minor": 1,
    "Build": -1,
    "Revision": -1,
    "MajorRevision": -1,
    "MinorRevision": -1
  },
  "Content": {
    "Headers": [
      {
        "Key": "Content-Type",
        "Value": [
          "application/json"
        ]
      },
      {
        "Key": "Content-Length",
        "Value": [
          "23"
        ]
      }
    ]
  },
  "StatusCode": 403,
  "ReasonPhrase": "Forbidden",
  "Headers": [
    {
      "Key": "Server",
      "Value": [
        "Server"
      ]
    },
    {
      "Key": "Date",
      "Value": [
        "Mon, 16 Dec 2019 11:25:43 GMT"
      ]
    },
    {
      "Key": "Connection",
      "Value": [
        "keep-alive"
      ]
    },
    {
      "Key": "x-amzn-RequestId",
      "Value": [
        "09df4fdd-d26d-4266-b569-35d537488913"
      ]
    },
    {
      "Key": "x-amzn-ErrorType",
      "Value": [
        "ForbiddenException"
      ]
    },
    {
      "Key": "x-amz-apigw-id",
      "Value": [
        "Ey10qAA7DoEF-Ng="
      ]
    }
  ],
  "RequestMessage": {
    "Version": {
      "Major": 2,
      "Minor": 0,
      "Build": -1,
      "Revision": -1,
      "MajorRevision": -1,
      "MinorRevision": -1
    },
    "Content": {
      "Headers": [
        {
          "Key": "Content-Type",
          "Value": [
            "application/json; charset=utf-8"
          ]
        },
        {
          "Key": "Content-Length",
          "Value": [
            "104"
          ]
        }
      ]
    },
    "Method": {
      "Method": "POST"
    },
    "RequestUri": "https://{apigatewayUrl}api/Commands",
    "Headers": [],
    "Properties": {}
  },
  "IsSuccessStatusCode": false
}

更新:按照文章中的建议添加边缘优化的自定义域名,但没有解决问题

标签: amazon-web-servicesaws-api-gatewayamazon-vpcapi-gateway

解决方案

直到我将 Nat 网关添加到我的 VPC 之前,对公共 api 网关(以及公共 Internet)的访问都被阻止了。此处描述了解决方案 - https://medium.com/@philippholly/aws-lambda-enable-outgoing-internet-access-within-vpc-8dd250e11e12

推荐阅读