0
votes

I am trying to figure out how to access the API Gateway service API (aka "Manage Amazon API Gateway") from a Lambda running in a VPC. Note: I'm not trying to invoke a resource method in a private API (I'm aware of how to create an execute-api VPC interface endpoint), just calling an AWS service method (get-api-key, FWIW, using a Python boto3 client). Hope that makes sense; it's hard to articulate this clearly with so many overloads of "API" here. Current attempts fail with a timeout, so I presume it's VPC-related, but I'm not sure how to provide access. I don't see any obvious endpoint types that would do so. I've seen references to using a NAT gateway for extra-VPC resources, but I'm not clear how (or if) this would apply. The VPC has a NAT Gateway configured, and the Lambda's security group allows all outbound traffic; see configurations below. Appreciate any suggestions.

NAT Gateway Configuration (screenshot)

Lambda Network Configuration (screenshot)

VPC lambdas have a 10+ seconds cold start, have you increased the lambda timeout to at least 30 seconds? – Horatiu Jeflea

Changing the lambda timeout to 300s (max) has no effect on boto3 call timeout to apigw – Peter Halverson

Which error do you get? Have you replicated the issue by creating a lambda outside of the VPC to see that the VPC is the issue? I had a similar issue accessing the API gateway API directly via lambda, due to the fact I was using an older version of the lambda runtime where it wasn't fully supported: stackoverflow.com/questions/54781774/… – robasaurus

No error at all, the lambda itself times out after 5 minutes whilst waiting for the get-api-key request to complete. – Peter Halverson

1 Answer

2
votes

Accessing the Amazon API Gateway Control Plane API endpoints requires Internet access.

Lambda functions in a VPC can't access the Internet without a NAT Gateway or another type of NAT device. See "How do I give internet access to my Lambda function in a VPC?" ... or provision your Lambda function outside the VPC if it doesn't really need to be inside a VPC. Provisioned outside a VPC, Lambda functions have Internet access automatically.
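Added example (not part of the answer above, and not AWS's own tooling): having a NAT Gateway in the VPC is not enough; the Lambda's subnet route table must send 0.0.0.0/0 to that NAT (a route to an internet gateway does not help, since Lambda ENIs have no public IP). The script below classifies each subnet of a VPC-attached function and builds an apigateway client with short timeouts so a missing route fails in seconds instead of hitting the function timeout. The names diagnose_lambda_egress, classify_default_route and the route-table dicts in the test are hypothetical/constructed.

```python
# Why a VPC Lambda's call to the API Gateway control plane (apigateway:GetApiKey)
# hangs: its subnet needs a 0.0.0.0/0 route to a NAT gateway. Only the live
# checks import boto3; the classifier is pure and works on describe_route_tables
# output. Function names here are hypothetical, not an AWS API.

# Bounded timeouts: surface a missing NAT route as EndpointConnectionError
# within seconds instead of waiting for the Lambda's own timeout.
FAST_FAIL = {"connect_timeout": 5, "read_timeout": 10, "retries": {"max_attempts": 1}}


def classify_default_route(route_table: dict) -> str:
    """Classify how a route table (ec2.describe_route_tables shape) reaches
    0.0.0.0/0: 'nat' (works for Lambda), 'igw' (public subnet; does NOT
    work for Lambda ENIs) or 'none' (no usable internet route)."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackhole route (e.g. deleted NAT) counts as no route
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"


def route_table_for_subnet(ec2, subnet_id: str, vpc_id: str) -> dict:
    """Explicitly associated route table, else the VPC's main route table."""
    explicit = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}]
    )["RouteTables"]
    if explicit:
        return explicit[0]
    return ec2.describe_route_tables(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]},
                 {"Name": "association.main", "Values": ["true"]}]
    )["RouteTables"][0]


def diagnose_lambda_egress(function_name: str) -> dict:
    """Map each subnet of a VPC-attached Lambda to 'nat' / 'igw' / 'none'."""
    import boto3  # live AWS access only needed here
    vpc = boto3.client("lambda").get_function_configuration(
        FunctionName=function_name).get("VpcConfig", {})
    ec2 = boto3.client("ec2")
    return {sid: classify_default_route(route_table_for_subnet(ec2, sid, vpc["VpcId"]))
            for sid in vpc.get("SubnetIds", [])}


def fast_failing_apigw_client():
    """apigateway client that fails fast rather than hanging on get_api_key."""
    import boto3
    from botocore.config import Config
    return boto3.client("apigateway", config=Config(**FAST_FAIL))
```

Run diagnose_lambda_egress("<your-function-name>") from a host with AWS credentials; any subnet reported as 'igw' or 'none' is one where the control-plane call will hang.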