I am trying to setup a private AWS API Gateway and connect to it from my laptop. The laptop resides in a network which is AWS Direct Connect'ed to a private VPC. I am using the toy-example "PetStore" API provided by AWS for this purpose.
According to this guide:
- established a API Gateway service endpoint to my VPC (private DNS disabled)
- gave it a security group that allows ALL inbound traffic from the local network (in which my laptop resides)
- created the API Gateway as private API
- updated the resource policy
- deployed the API as stage V1
Assume:
- AWS account number: 123456789012
- AWS region: eu-central-1
- API Gateway ID: abcdefghij
- API Stage: V1
- VPC Endpoint Domanin: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
- VPC Endpoint IP: 10.10.10.10
To invoke my API, I call the following cURL command:
curl -v https://vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com/V1/pets -H 'Host: abcdefghij.execute-api.eu-central-1.amazonaws.com' --noproxy "*"
and this is the result:
* Trying 10.10.10.10...
* TCP_NODELAY set
* Connected to vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com (10.54.251.244) port 443 (#0)
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 240 bytes...
* schannel: sent initial handshake data: sent 240 bytes
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4000
* schannel: encrypted data buffer: offset 4000 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5024 length 5024
* schannel: encrypted data length: 95
* schannel: encrypted data buffer: offset 95 length 5024
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 252
* schannel: encrypted data buffer: offset 347 length 5024
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5024
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 364
* schannel: encrypted data buffer: offset 364 length 103424
* schannel: decrypted data length: 283
* schannel: decrypted data added: 283
* schannel: decrypted data cached: offset 283 length 102400
* schannel: encrypted data length: 52
* schannel: encrypted data cached: offset 52 length 103424
* schannel: decrypted data length: 23
* schannel: decrypted data added: 23
* schannel: decrypted data cached: offset 306 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 306 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 306
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Fri, 25 Oct 2019 11:32:01 GMT
< Content-Type: application/json
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: a5aa9f76-4e3b-4315-838a-e859fa192ade
< x-amzn-ErrorType: ForbiddenException
< x-amz-apigw-id: jdsak!291kd
<
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
* Closing connection 1
curl: (6) Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
There is this {"message":"Forbidden"}
which I am not sure from where it comes. And also the error Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com
.
So my question is: where this issue comes from?
APPENDIX
Resource policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
}
]
}