AWS: Can I give a Lambda function inside a VPC access to a public Websockets API Gateway?

I have a public API in API Gateway using Websockets protocol. I'm storing its connection IDs in a datastore inside my VPC, and trying to write a Lambda to read those connection IDs and then send data to each of them - using await apigwManagementApi.postToConnection({ ConnectionId: connectionId, Data: postData }).promise();. This times out - the Lambda is unable to send messages to the API gateway. So I tried adding a Gateway to execute-api: aws ec2 create-vpc-endpoint --vpc-id vpc-xyz --vpc-endpoint-type Interface --service-name com.amazonaws.eu-west-1.execute-api --subnet-ids subnet-xyz --security-group-id sg-xyz. Now I get ForbiddenException: Forbidden thrown by my calls to apigwManagementApi.

I've tried looking at the docs for the execute-api Gateway, but the doc for Interfaces https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html points to https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html and leads to creating private APIs - I don't want this, I need my API to be public.

I think I might be able to use a resource policy (usually https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html), but this is a websocket API so these instructions don't work, as websocket APIs don't have a resource policies option.

Callum M asked Oct 23 '25 14:10
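The fan-out the question describes (read stored connection IDs, call postToConnection for each), written out as an added example rather than code from the question. It assumes the AWS SDK for JavaScript v2 ('aws-sdk') in the Lambda runtime, a management endpoint of the form https://{api-id}.execute-api.{region}.amazonaws.com/{stage}, and hypothetical loadConnectionIds/deleteConnectionId adapters for the datastore in the question. The point it adds beyond the question is per-connection error handling: a 410 (GoneException) means the client has already disconnected and its ID should be purged, whereas anything else, such as the 403 ForbiddenException seen in the question, is a real failure that should fail the invocation loudly instead of being swallowed by a single timeout.

```javascript
// Added example, not code from the original question.
// Assumptions: AWS SDK for JavaScript v2 ('aws-sdk') is available; the
// management endpoint is the API's invoke URL; the connection-ID list is
// loaded by the caller from its own datastore (hypothetical adapters below).

function buildEndpoint(apiId, region, stage) {
  return `https://${apiId}.execute-api.${region}.amazonaws.com/${stage}`;
}

// Creates the real management-API client. Required lazily so the rest of
// the module can be exercised without the SDK installed.
function createClient(endpoint) {
  const AWS = require('aws-sdk');
  return new AWS.ApiGatewayManagementApi({ apiVersion: '2018-11-29', endpoint });
}

// client: any object exposing postToConnection(params).promise(), i.e. the
// real ApiGatewayManagementApi or a fake used in a test.
async function broadcast(client, connectionIds, payload) {
  const data = typeof payload === 'string' ? payload : JSON.stringify(payload);
  const outcomes = await Promise.all(
    connectionIds.map((id) =>
      client
        .postToConnection({ ConnectionId: id, Data: data })
        .promise()
        .then(() => ({ id, status: 'sent' }))
        .catch((err) => ({
          id,
          // 410 Gone: the client already disconnected, so the stored ID is stale.
          // Anything else (403 Forbidden, throttling, timeouts) is a real failure.
          status: err && err.statusCode === 410 ? 'stale' : 'failed',
          error: err,
        }))
    )
  );
  return {
    sent: outcomes.filter((o) => o.status === 'sent').map((o) => o.id),
    stale: outcomes.filter((o) => o.status === 'stale').map((o) => o.id),
    failed: outcomes
      .filter((o) => o.status === 'failed')
      .map((o) => ({ id: o.id, message: String(o.error && o.error.message) })),
  };
}

// Lambda entry point. loadConnectionIds and deleteConnectionId are
// hypothetical adapters for the datastore in the question; they must be
// supplied by the deployment and are not implemented here. The client can
// also be injected so the handler is testable without network access.
async function handler(event, { loadConnectionIds, deleteConnectionId, client } = {}) {
  const api = client || createClient(
    buildEndpoint(process.env.API_ID, process.env.AWS_REGION, process.env.STAGE)
  );
  const ids = await loadConnectionIds();
  const result = await broadcast(api, ids, { message: event.message });

  // Purge connections that are gone so the next broadcast does not retry them.
  await Promise.all(result.stale.map((id) => deleteConnectionId(id)));

  // Surface real failures (e.g. the 403 from the question) instead of hiding them.
  if (result.failed.length > 0) {
    throw new Error(
      `postToConnection failed for ${result.failed.length} connection(s): ` +
        JSON.stringify(result.failed)
    );
  }
  return result;
}

module.exports = { buildEndpoint, createClient, broadcast, handler };
```

The separation between stale and failed matters operationally: treating every error as "connection gone" would delete valid IDs when the real cause is the network path (the VPC routing or the execute-api interface endpoint discussed in the answers), and the symptom would be silently lost clients rather than a visible 403 in the Lambda logs.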


2 Answers

I asked about this on the AWS Slack and it's not possible to use resource policies and would add a lot of networking complexity: https://awsdevelopers.slack.com/archives/C6LDW0BC3/p1570618074008500

From an AWS dev in that thread:

hey there - when Lambda is VPC enabled, it's subject to all routing rules of your VPC and Subnet.

To hit any public resource, you will need a NAT GW, routing rules, and SG setting to allow communication.

Resource policies will not work.

Callum M answered Oct 25 '25 06:10


I had the same problem - this document explains the reason for it (https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/).

To fix it you need to add an edge-optimized custom domain name, which entails the following:

  • Add a certificate (you'll need the cert, private key and provider root cert) into the us-east-1 ACM manager (you have to add it in us-east-1 to see it in the edge-optimized cert list).

  • In the API Gateway console go to Custom Domain Names and Create a new one.

  • Set your domain name, leave the type as edge-optimized and apply the cert that you just created.

  • Once the domain is set up (it takes around 40 minutes) you can add base path mappings to send traffic to your APIs / stages.

Liam answered Oct 25 '25 07:10