1 Answer
Hello.
Yes, you can access a Private REST API Gateway in Account B via a centralized VPC endpoint (interface VPC endpoint) deployed in Account A.
Steps to Set Up Cross-Account Access to Private API Gateway.
1. Create a Private API Gateway in Account B:
- Go to API Gateway in the AWS Management Console of Account B.
- Create a new Private API and deploy it.
2. Set Up VPC Endpoint in Account A:
- In Account A, ensure you have a VPC Endpoint (with the type set to Interface) created for the API Gateway service (com.amazonaws.region.execute-api).
- Configure the VPC Endpoint to allow traffic from the security group or VPC in Account B that will be accessing it.
3. Add Resource Policy to Private API Gateway:
- Go to your Private API in Account B and add a Resource Policy to allow access from the centralized VPC endpoint in Account A.
- The policy should look something like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": "arn:aws:execute-api:<region>:<account-id>:<api-id>/*",
          "Condition": {
            "StringEquals": {
              "aws:SourceVpce": "<vpc-endpoint-id>"
            }
          }
        }
      ]
    }
4. Set Up Route 53 Private Hosted Zone:
- In Account A, ensure your Route 53 private hosted zone has a record that points to your Private API Gateway's URL.
- This allows services within the centralized VPC to resolve the Private API Gateway endpoint correctly.
5. Access the API from Account A:
- From resources in Account A (like EC2 instances), you can access the Private API Gateway using the URL provided by the API Gateway.
- Ensure the security group attached to the VPC endpoint allows inbound traffic from the EC2 instances or resources trying to access the API.
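The resource policy in step 3 is the control that makes `"Principal": "*"` safe: the `aws:SourceVpce` condition is what pins invocation to the centralized endpoint in Account A. The following added example (not part of the answer above) builds that policy for constructed placeholder IDs and checks an arbitrary policy document for Invoke statements that are missing the condition or that name an endpoint outside the expected set, so the check can be run against the policy before it is attached.

```python
import json

# Constructed placeholder values, not real AWS identifiers.
REGION = "us-east-1"
ACCOUNT_B = "111122223333"
API_ID = "a1b2c3d4e5"
CENTRAL_VPCE = "vpce-0123456789abcdef0"


def build_private_api_policy(region, account_id, api_id, vpce_ids):
    """Build the resource policy described in step 3: allow execute-api:Invoke
    only for requests that arrive through one of the listed interface endpoints."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": sorted(vpce_ids)}},
        }],
    }


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_policy(policy, allowed_vpce_ids):
    """Return findings for every Allow of Invoke that is not pinned to an
    expected endpoint via aws:SourceVpce. An empty list means the policy
    only admits traffic from the allowed endpoints."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("execute-api:Invoke", "execute-api:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        vpce = []
        for op in ("StringEquals", "ForAnyValue:StringEquals"):
            vpce += _as_list(cond.get(op, {}).get("aws:SourceVpce", []))
        if not vpce:
            findings.append(f"statement {i}: Invoke allowed without aws:SourceVpce condition")
            continue
        extra = sorted(set(vpce) - set(allowed_vpce_ids))
        if extra:
            findings.append(f"statement {i}: unexpected endpoint(s) {extra}")
    return findings


if __name__ == "__main__":
    policy = build_private_api_policy(REGION, ACCOUNT_B, API_ID, [CENTRAL_VPCE])
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy(policy, [CENTRAL_VPCE]))
```

The policy can then be attached with `aws apigateway update-rest-api` on the `/policy` path, the same place the console edits when you use the Resource Policy page.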