Using an Application Load Balancer (ALB) and Route53 is a common workaround to avoid sending a custom Host header when calling a private API Gateway with a VPC endpoint. However, another workaround you can consider is setting up an AWS Lambda function as a proxy between the client and the API Gateway.
- Create a Lambda function that receives the request from the client and forwards it to the private API Gateway.
- Configure the Lambda function to add the required Host header with the API ID before sending the request to the API Gateway.
- Expose the Lambda function using an API Gateway of its own, making it publicly accessible (if required). The public API Gateway can be a Regional or Edge-Optimized API.
- Clients can now call the public-facing API Gateway, which triggers the Lambda function, which in turn adds the required Host header and forwards the request to the private API Gateway.
This way, the clients do not need to provide the Host header, and the Lambda function handles it for them. Keep in mind that this approach adds an extra layer of complexity and may introduce some latency, as the Lambda function acts as a middleman in the process.
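As an added example (not code from the answer above), a minimal Python Lambda handler implementing the proxy described there: it rebuilds the request for the private API's VPC endpoint and sets the Host header itself. The VPC endpoint DNS name, private API ID, region and stage are placeholders assumed to arrive as environment variables, and the header allow-list is a choice of this example, not an AWS requirement.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders; a real deployment sets these as environment variables.
VPCE_DNS = os.environ.get("VPCE_DNS", "vpce-PLACEHOLDER.execute-api.us-east-1.vpce.amazonaws.com")
PRIVATE_API_ID = os.environ.get("PRIVATE_API_ID", "PLACEHOLDER_API_ID")
REGION = os.environ.get("AWS_REGION", "us-east-1")
STAGE = os.environ.get("PRIVATE_STAGE", "prod")

# Only allow-listed client headers are forwarded. The client's own Host header is
# dropped and replaced, so a caller cannot steer the proxy at a different private API.
FORWARDED_HEADERS = {"content-type", "accept", "authorization", "x-correlation-id"}


def build_forward_request(event, vpce_dns=VPCE_DNS, api_id=PRIVATE_API_ID,
                          region=REGION, stage=STAGE):
    """Map a REST API proxy-integration event to (method, url, headers, body)."""
    method = event["httpMethod"]
    path = event.get("path", "/")
    params = event.get("queryStringParameters") or {}
    query = urllib.parse.urlencode(sorted(params.items()))
    url = f"https://{vpce_dns}/{stage}{path}" + (f"?{query}" if query else "")
    headers = {k: v for k, v in (event.get("headers") or {}).items()
               if k.lower() in FORWARDED_HEADERS}
    # Routing key for the shared VPC endpoint: the private API's execute-api hostname.
    headers["Host"] = f"{api_id}.execute-api.{region}.amazonaws.com"
    body = event.get("body")
    return method, url, headers, body.encode() if isinstance(body, str) else body


def lambda_handler(event, context):
    """Forward the request through the VPC endpoint and relay the response."""
    method, url, headers, body = build_forward_request(event)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {"statusCode": resp.status,
                    "headers": {"Content-Type": resp.headers.get("Content-Type", "")},
                    "body": resp.read().decode()}
    except urllib.error.HTTPError as err:
        # Pass the private API's error status through rather than masking it as a 502.
        return {"statusCode": err.code, "body": err.read().decode()}
```

The Lambda must run in a VPC with a route to the execute-api VPC endpoint, and the private API's resource policy must allow that endpoint.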
Not really an answer but more background information for those reading this later...
No, there isn't an easy workaround here. VPC endpoints for AWS services are "gateways" to the entire service. With API Gateway there needs to be a way to select which API endpoint the caller wants to connect to (out of all the endpoints that are defined within the same region). The Host header is the way to do that - without it, the service doesn't know which "instance" of API Gateway the caller wants to use.
DNS isn't appropriate here as it is something that happens on the caller side before the TCP session is established. Client certificates can't be used (even in cases where they are supported) because they happen later in the protocol negotiation phase - they are bound to the API Gateway instance and in any case it's not practical to compare the certificate across all API Gateways for all customers. There is also the possibility of a certificate being used by a single client to call multiple APIs, so that's a blocker too.
That said: An interesting feature might be to create an API Gateway endpoint that only connects to a single API Gateway (rather than to the whole service). If that sounds interesting, you might discuss that with your local AWS Solutions Architect.
Thanks Brettski, yeah a workaround is to have a proxy before the api (another apigw as you suggest, or an ALB), and though not happy, it is good to know that there is no alternative and to get to know the reason behind it. Thanks!
Thanks ;), though applicable, I don’t like this option.