0 votes

I followed this:

to a tee to create a private link between my REST API endpoint.

Essentially, steps that I have done:

  • Converted a (previously working) Edge API to a private API (via the AWS API Gateway Console)

  • Created a VPC with 2 public subnets and 2 private subnets using this template: https://s3.amazonaws.com/computeblog-us-east-1/apigateway-private-endpoints/BaseVPC.template

  • Confirmed that DNS naming and DNS resolution are enabled on the VPC.

  • Created a VPC endpoint that attached to the VPC created above. Private DNS is enabled.

  • Added this resource policy to the API, then redeployed it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:{aws-account-id}:{rest-api-id}/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-{endpoint}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:{aws-account-id}:{rest-api-id}/*/*/*"
        }
    ]
}

I then used a Java Client created by the AWS SDK: https://aws.amazon.com/sdk-for-java/ to invoke the API, and got hit with this error:

com.amazonaws.SdkClientException: Unable to execute HTTP request: {rest-api-id}.execute-api.us-west-2.amazonaws.com

...

Caused by: java.net.UnknownHostException: {rest-api-id}.execute-api.us-west-2.amazonaws.com

Same issue happened when I used Postman.

As indicated in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html as well as API Gateway console, if I have private DNS enabled, I should be able to invoke the API using the url.

Do I misunderstand something? What is the correct way to be able to successfully invoke the API?

1
Can you show how you invoke api? - MrFisherman
Where are you running your Java client/Postman? If you are running from your local machine, do you have private connectivity enabled? You are just showing {rest-api-id} in the logs as an example, correct? The actual log has abcsomething.execute-api.us-west-2..., correct? - Balu Vyamajala
If this is a private API, it must be called from within the VPC, e.g. on an EC2 instance. Can you confirm and show how you are trying to invoke the API? - Marcin
@Marcin you're right, I believe it may be the problem, as I'm not connected to any EC2 instance right now. With the current setup following the tutorials, how do I determine which EC2 instance to connect to? More details: I go to the EC2 page on the same AWS account with the VPC and VPCE, and the current number of instances running is 0. There's only a security group: EndpointSG sg-{number}. Is that the correct one to connect to? - Katie
Start with basic t2.micro and just test with curl if you can indeed invoke your api correctly. Then you can take it from there how to use postman (e.g. ssh tunnel). - Marcin

1 Answer

0 votes

The resource policy should have the condition based on the VPC endpoint and not on the VPC as shown. Try replacing "aws:sourceVpc": "vpce-{endpoint}" with "aws:sourceVpce": "vpce-{endpoint}" and then deploy again.
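The following is an added example (not code from the question, the answer, or AWS) that models how the Deny/Allow resource policy in the question is evaluated, and reproduces the condition-key mistake the answer describes. It implements only the IAM rules that matter here: an explicit Deny beats an Allow, and a StringNotEquals condition whose key is absent from the request context evaluates to true (which is why a request that never passed through the VPC endpoint is denied). The account id, API id, VPC id and endpoint id are constructed placeholders.

```python
"""Simplified simulation of API Gateway resource-policy evaluation.

Added example, not AWS code.  Models only what this policy needs:
  * explicit Deny wins over Allow; no matching Allow means Deny;
  * StringNotEquals on a key missing from the request context is true.
Ids below are constructed placeholders, not real resources.
"""
from typing import Dict, List, Optional

API_ARN = "arn:aws:execute-api:us-west-2:111122223333:abcde12345/*/*/*"  # constructed
ENDPOINT_ID = "vpce-0123456789abcdef0"  # constructed
VPC_ID = "vpc-0fedcba9876543210"  # constructed


def make_policy(condition_key: str) -> dict:
    """Build the question's policy; the condition key is a parameter so the
    aws:sourceVpc / aws:sourceVpce mix-up from the answer can be reproduced."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": API_ARN,
             "Condition": {"StringNotEquals": {condition_key: ENDPOINT_ID}}},
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": API_ARN},
        ],
    }


def condition_matches(condition: dict, context: Dict[str, str]) -> bool:
    """Evaluate the subset of IAM string operators used in this policy."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)  # None when the key is not in the request
            if operator == "StringEquals":
                if actual not in values:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal", so a
                # request with no aws:sourceVpce satisfies the Deny condition.
                if actual in values:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: dict, context: Dict[str, str]) -> str:
    """Return 'Allow' or 'Deny' for an execute-api:Invoke request."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny ends evaluation
        allowed = True
    return "Allow" if allowed else "Deny"


def context_for_request(source_vpce: Optional[str]) -> Dict[str, str]:
    """Request context as API Gateway would see it: a call through an interface
    endpoint carries aws:sourceVpce and aws:sourceVpc; a call that never
    traversed an endpoint (e.g. from a laptop) carries neither key."""
    if source_vpce is None:
        return {}
    return {"aws:sourceVpce": source_vpce, "aws:sourceVpc": VPC_ID}


def lint_policy(policy: dict) -> List[str]:
    """Flag a vpce- value under aws:sourceVpc (which only ever holds vpc- ids),
    or a non-vpce value under aws:sourceVpce: both make the Deny match always."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        for pairs in stmt.get("Condition", {}).values():
            for key, expected in pairs.items():
                values = expected if isinstance(expected, list) else [expected]
                for v in values:
                    if key == "aws:sourceVpc" and v.startswith("vpce-"):
                        problems.append(f"statement {i}: {key} compared to endpoint id {v}; use aws:sourceVpce")
                    if key == "aws:sourceVpce" and not v.startswith("vpce-"):
                        problems.append(f"statement {i}: {key} compared to non-endpoint value {v}")
    return problems


if __name__ == "__main__":
    for key in ("aws:sourceVpce", "aws:sourceVpc"):
        policy = make_policy(key)
        print(f"policy condition key {key}: lint={lint_policy(policy)}")
        for label, vpce in (("via own endpoint", ENDPOINT_ID),
                            ("via other endpoint", "vpce-ffffffffffffffff"),
                            ("no endpoint (internet)", None)):
            print(f"  {label:24s} -> {evaluate(policy, context_for_request(vpce))}")
```

Run as-is it prints one table per condition key: with `aws:sourceVpce` only the request through the named endpoint is allowed; with `aws:sourceVpc` every request is denied, because the context value for that key is a `vpc-` id that can never equal a `vpce-` string. Note that the DNS failure in the question happens before any of this: a private API's hostname only resolves inside the VPC through the endpoint's private DNS, so the policy is never consulted for a call from outside.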