Tuesday, September 4, 2018

Create Private API in API Gateway

I have had quite a bit of trouble creating a private API in API Gateway. I couldn't see what was going on. Also, I have a bit of frustration with the documentation around this and the staging ability of the API.

Here is where I found my answer (go to the 6:40 mark). I already had a VPC-only Lambda. I had already created an API to talk to it, but it wasn't private. So I changed it to a private gateway. By necessity, you need to create an endpoint in your VPC with an appropriate security policy for the subnet. You also need to create a resource policy. Nothing will happen until you do so. Here is mine.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123412341234:123123123/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-0d1269e48cb412a21"
                }
            }
        }
    ]
}

It is kind of confusing how it is done in the sample they provide, but you can create a list of IPs or whatnot in the condition statement. My policy allows anything coming in from that endpoint to access the API.

The next element, and this is crucial, is to redeploy the API. Evidently, the policy doesn't take effect without a new deployment. It can be to the same stage, so the URL doesn't need to change, but you NEED TO REDEPLOY.
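A resource policy like the one above is only as tight as its Condition block, so it is worth checking before each redeploy. The following is an added example, not code from the original post: a small Python check that reports any Allow statement open to every principal without being pinned to a VPC endpoint or VPC. The function names are hypothetical, and the Deny handling assumes the Deny covers the same resources as the Allow.

```python
import json

# Condition keys that pin an invocation to a VPC endpoint or a VPC.
# IAM condition key names are case-insensitive, so compare in lower case.
VPC_KEYS = {"aws:sourcevpce", "aws:sourcevpc"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def any_principal(statement):
    p = statement.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS", [])))

def pinned_ids(statement, operator):
    """IDs listed under `operator` for a VPC condition key in this statement."""
    ids = []
    for op, keys in statement.get("Condition", {}).items():
        if op.lower() == operator:
            for key, value in keys.items():
                if key.lower() in VPC_KEYS:
                    ids.extend(as_list(value))
    return ids

def audit_policy(policy_json):
    """Return indexes of Allow statements open to any principal with no VPC pin."""
    statements = as_list(json.loads(policy_json).get("Statement", []))
    # Assumption: a Deny with StringNotEquals on a VPC key covers the same
    # resources as the Allow statements, so it restricts the whole policy.
    if any(s.get("Effect") == "Deny" and any_principal(s)
           and pinned_ids(s, "stringnotequals") for s in statements):
        return []
    return [i for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and any_principal(s)
            and not pinned_ids(s, "stringequals")]

# The policy from this post, with the IDs exactly as shown above.
POST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:us-east-1:123412341234:123123123/*",
    "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0d1269e48cb412a21"}},
}]})

# Constructed counter-example: the same statement with its Condition removed.
_open = json.loads(POST_POLICY)
del _open["Statement"][0]["Condition"]
OPEN_POLICY = json.dumps(_open)

if __name__ == "__main__":
    for name, doc in (("post", POST_POLICY), ("open", OPEN_POLICY)):
        print(name, "unrestricted statements:", audit_policy(doc))
```

An empty list means every wildcard Allow is tied to a specific endpoint or VPC; any index returned points at a statement to fix before deploying.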
