By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Private APIGateway failing health checks from Target Group

0

I have a Private, Regional, Restful API, sitting on the AWS APIGateway for the account. Additionally, I have an ALB in it's own VPC, with IP target groups that I am trying to connect to these VPC Endpoints. Following the below: https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/

I have created a VPC Endpoint for the execute-api service, but the target groups are always unhealthy.

I have put an EC2 instance in the same VPC as the ALB, and perform: curl -vk GET https://<API ID>.execute-api.ap-southeast-2.amazonaws.com/prod/health, it returns 200, if i do curl -vk https://<Private IP address>/prod/health it return 403. Both as expected.

I have set the target group health check status to be 200,403.

Any advice?

asked 8 months ago482 views
1 Answer
0

Hello.

I think the explanation below is probably relevant.
https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/

Note: ALB will be validating the health of API gateway by sending HTTPS requests to IP addresses of VPC endpoints. API Gateway will respond with the 403 code (access forbidden), as ALB will not be providing the correct domain name and stage URL during the health check probes.

Did you set "Matcher" to 403 in the target group health check settings?
I think the health check will be successful if you set "Matcher" (Success Code) to 403 as per the above document.
Also, do you ever get a status code returned from API Gateway that is different from the status code expected in the health check?
For example, if I specify the status code as "200-499", will it succeed?
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html

profile picture
EXPERT
answered 8 months ago
  • Thank you for taking the time to reply, but as stated, above: I have set the target group health check status to be 200,403., so yes I have tried to set 403 as one of the acceptable result codes, I have also tried ti with ONLY 403.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions