API Gateway Private Endpoints

Learn how API Gateway private endpoints work and how to test one from inside a VPC.

Setup Steps

Configure an API Gateway private endpoint that uses HTTP proxy integration. Test it from a Lambda function with a VPC configuration that issues an HTTP GET request to the VPC endpoint.

Notes

  • supported on REST API endpoints (not on HTTP APIs as of 2021-04-05)
  • be sure to re-deploy API for policy changes
  • check security groups
  • check VPC endpoint policy
  • check lambda VPC config and security groups

API Gateway resource policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:529276214230:scheqe4ymi/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-02b487f2d021986fb"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:529276214230:scheqe4ymi/*"
        }
    ]
}

Note the Deny + Allow combination: the explicit Deny rejects any invocation whose `aws:sourceVpce` is not the listed VPC endpoint, and the Allow grants invoke access to the requests that pass that check.


Lambda test code

const https = require('https');

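/**
 * Lambda test handler: issues an HTTPS GET to the API through the VPC
 * endpoint and reports the upstream body and status code via the callback.
 *
 * The connection is opened to the VPC endpoint's DNS name, while the Host
 * header carries the API's own hostname so API Gateway can route the
 * request to the correct API.
 *
 * @param {object} event - Lambda event (unused).
 * @param {object} context - Lambda context (unused).
 * @param {Function} callback - Lambda callback; receives (err) on a
 *   connection or stream error, otherwise (null, { statusCode, body }).
 */
exports.handler = (event, context, callback) => {
  // Public URL of the same API, for reference:
  // https://scheqe4ymi.execute-api.us-east-1.amazonaws.com/prod
  const options = {
    host: 'vpce-02b487f2d021986fb-yl0hav78.execute-api.us-east-1.vpce.amazonaws.com',
    path: '/prod/index.html',
    method: 'GET',
    port: 443,
    headers: {
      'Host': 'scheqe4ymi.execute-api.us-east-1.amazonaws.com',
    },
  };

  /**
   * Collects the upstream response body and hands it to the Lambda callback.
   * The upstream status code is passed through instead of a hard-coded 200 so
   * that a rejection by the resource policy or VPC endpoint policy (a 403)
   * is visible in the test result rather than masked as success.
   * @param {object} response - Node.js IncomingMessage for the upstream reply.
   */
  const onResponse = (response) => {
    let body = '';
    // Decode chunks explicitly instead of relying on Buffer-to-string coercion.
    response.setEncoding('utf8');
    response.on('data', (chunk) => {
      body += chunk;
    });
    response.on('end', () => {
      console.log(body);
      callback(null, {
        statusCode: response.statusCode,
        body: JSON.stringify(body),
      });
    });
    // A stream error while reading the body must not leave the invocation hanging.
    response.on('error', (err) => callback(err));
  };

  const req = https.request(options, onResponse);
  // Without an 'error' listener a failed connection (for example when a
  // security group or endpoint policy blocks the call) surfaces as an
  // uncaught exception and the callback is never invoked, so the Lambda
  // runs until its timeout instead of reporting the failure.
  req.on('error', (err) => callback(err));
  req.end();
};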

Note the Host header: the request is sent to the VPC endpoint's DNS name, and the Host header carries the API's own hostname, which is what allows API Gateway to route the request to the correct API.

Screenshots

vpc endpoint

vpc endpoint policy

allowed vpc endpoint ids to api gateway

Resources