Resolving private API Gateway endpoint from another VPC via a peering link

  • In VPC A, I've set up an API Gateway private API endpoint (xxxxxxxxxx.execute-api.eu-central-1.amazonaws.com)
  • I have set up a VPC peering link between VPC A and VPC B. DNS resolution has been enabled
  • Both VPCs have DNS names and DNS resolution enabled.
  • Instances in VPC A can reach the API endpoint successfully.

Instances in VPC B can resolve DNS names of instances in VPC A and vice versa.

HERE IS THE PROBLEM

  • Instances in VPC B cannot resolve execute-api.eu-central-1.amazonaws.com

TRIED USING ROUTE53 RESOLVER ENDPOINTS

  • I set up a Route 53 inbound endpoint in VPC A:

# Inbound endpoint in VPC A (api_vpc): accepts DNS queries arriving from outside
# the VPC and passes them to VPC A's Route 53 Resolver.
resource "aws_route53_resolver_endpoint" "inbound_resolver_ep" {
  name               = "private-api-inbound-resolver-endpoint"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.inbound_resolver_ep_sg.id]

  # One ENI per AZ with a fixed address so the peer VPC can target it.
  ip_address {
    subnet_id = aws_subnet.private_sn_az1.id
    ip        = "10.0.1.10"
  }
  ip_address {
    subnet_id = aws_subnet.private_sn_az2.id
    ip        = "10.0.2.10"
  }

  tags = {
    Name = "private-api-inbound-resolver-endpoint"
  }
}

In VPC B I set up an outbound Route 53 endpoint with one resolver rule:

# Outbound endpoint in VPC B (client_vpc): the source of forwarded queries.
resource "aws_route53_resolver_endpoint" "outbound_resolver_ep" {
  name               = "private-api-outbound-resolver-endpoint"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.outbound_resolver_ep_sg.id]

  # One ENI per AZ; forwarded queries leave from these addresses.
  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az1.id
    ip        = "172.128.1.10"
  }
  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az2.id
    ip        = "172.128.2.10"
  }

  tags = {
    Name = "private-api-resolver-endpoint"
  }
}


# Forwarding rule: send queries for the private API domain through the outbound
# endpoint to the inbound endpoint addresses in VPC A.
resource "aws_route53_resolver_rule" "private_api_resolver_rule" {
  name                 = "private-api-resolver-rule"
  domain_name          = var.private_api_domain_name
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound_resolver_ep.id

  target_ip {
    ip = "10.0.1.10"
  }
  target_ip {
    ip = "10.0.2.10"
  }

  tags = {
    Name = "private-api-resolver-rule"
  }
}

RESULTS

  • Same as before. I can resolve instance DNS names in both VPCs. Instances in VPC B can resolve the Interface Endpoint of the private API Gateway. But instances in VPC B cannot resolve the DNS name of the private API Gateway endpoint.

sh-5.2$ nslookup scnejgvlzb.execute-api.eu-central-1.amazonaws.com
Server:         172.128.0.2
Address:        172.128.0.2#53

** server can't find scnejgvlzb.execute-api.eu-central-1.amazonaws.com: NXDOMAIN

sh-5.2$ curl -X POST https://scnejgvlzb.execute-api.eu-central-1.amazonaws.com/dev/claim
curl: (6) Could not resolve host: scnejgvlzb.execute-api.eu-central-1.amazonaws.com

sh-5.2$ nslookup vpce-0e7d18d5586aefb59-o8c71fb8-eu-central-1a.execute-api.eu-central-1.vpce.amazonaws.com
Server:         172.128.0.2
Address:        172.128.0.2#53

Non-authoritative answer:
Name:   vpce-0e7d18d5586aefb59-o8c71fb8-eu-central-1a.execute-api.eu-central-1.vpce.amazonaws.com
Address: 10.0.1.199

sh-5.2$ nslookup ip-10-0-1-97.eu-central-1.compute.internal
Server:         172.128.0.2
Address:        172.128.0.2#53

Non-authoritative answer:
Name:   ip-10-0-1-97.eu-central-1.compute.internal
Address: 10.0.1.97

sh-5.2$

sh-5.2$ ping ip-10-0-1-187.eu-central-1.compute.internal
PING ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187) 56(84) bytes of data.
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=1 ttl=127 time=0.299 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=2 ttl=127 time=0.432 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=3 ttl=127 time=0.470 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=4 ttl=127 time=0.406 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=5 ttl=127 time=0.412 ms
^C
--- ip-10-0-1-187.eu-central-1.compute.internal ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.299/0.403/0.470/0.056 ms
sh-5.2$

sh-5.2$ curl http://ip-10-0-1-187.eu-central-1.compute.internal
<html><body><h1>It works!</h1></body></html>
sh-5.2$


NB

  • This is my first time working with R53 resolver endpoints so I might be missing something.
  • The project is deployed with Terraform. In the project, VPC A is called api_vpc and VPC B is called client_vpc.
  • curl to HTTP port 80 and pings to DNS names from client_vpc instances to api_vpc work.
  • But client_vpc cannot resolve execute-api.eu-central-1.amazonaws.com
1 Answer
Accepted Answer

To resolve the issue of instances in VPC B not being able to resolve the execute-api.eu-central-1.amazonaws.com domain, you can use Route 53 Resolver endpoints in a specific way:

  • Create an Outbound Resolver Endpoint in VPC B: This allows DNS queries originating from instances within VPC B to be resolved externally. You will need to specify the VPC and the subnets within VPC B where the endpoint will be located, and also define the security group rules to control the traffic.
  • Create Resolver Rules for Forwarding DNS Queries: Create a Resolver rule that specifies the domain name for the API Gateway endpoint (execute-api.eu-central-1.amazonaws.com) and configures it to forward queries to the Amazon-provided DNS servers (usually reachable at the base of the VPC IP range plus two; for example, if your VPC's IP range is 10.0.0.0/16, the Amazon DNS is at 10.0.0.2). This rule should be associated with the outbound Resolver endpoint in VPC B.
  • Associate the Resolver Rule with VPC B: Ensure that the created Resolver rule is associated with VPC B so that DNS queries from this VPC for the specified domain are forwarded according to the rule.
  • Update Route 53 Resolver DNS Settings in VPC B if Necessary: Ensure that the DNS settings for VPC B are configured to use the Route 53 Resolver (this is usually the default setting for new VPCs but should be verified).

This setup allows instances in VPC B to resolve the API Gateway endpoint by forwarding their DNS queries through the Route 53 Resolver outbound endpoint to the external DNS servers that can resolve the API Gateway domain name. Here's a complete demo, including Terraform code demonstrating how to solve this problem: VPC Endpoint Cross Region Access using Terraform.

answered 2 months ago
reviewed a month ago
  • Hi Andrei,

    Thanks for the detailed breakdown.

    My errors were on points 2 and 3. So to resolve the DNS for the private API Gateway endpoint in VPC B, I did the following:

    1. Added the VPC+2 IP address to the outbound resolver rule in VPC B
    2. Added the aws_route53_resolver_rule_association resource to associate the resolver rule with VPC B

    Thanks again.
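The complete cross-VPC forwarding setup that the thread arrives at, written out as an added example (this is not the question's, the answer's, or the linked demo's code). It assumes the resource names from the question (aws_vpc.api_vpc with 10.0.0.0/16 hosting the execute-api interface endpoint with private DNS enabled, aws_vpc.client_vpc with 172.128.0.0/16, and the four subnets named in the question) in eu-central-1. The rule forwards to the inbound endpoint addresses in VPC A, as the question's original rule did, rather than to a .2 address: the Amazon-provided resolver at VPC+2 answers only queries that originate inside its own VPC and is not reachable across a peering connection, which is exactly what the inbound endpoint exists to bridge. The piece that makes the forwarding take effect is the aws_route53_resolver_rule_association, which the question's configuration lacked. The security groups are scoped to TCP/UDP 53 between the two endpoints' fixed addresses instead of to whole CIDRs.

```hcl
# Added example; see lead-in for the assumed resource names and CIDRs.
locals {
  private_api_zone = "execute-api.eu-central-1.amazonaws.com"
  inbound_ips      = ["10.0.1.10", "10.0.2.10"]       # ENIs in VPC A (api_vpc)
  outbound_ips     = ["172.128.1.10", "172.128.2.10"] # ENIs in VPC B (client_vpc)
}

# --- VPC A: inbound endpoint, reachable only from the outbound endpoint ENIs ---
resource "aws_security_group" "inbound_resolver_ep_sg" {
  name   = "private-api-inbound-resolver-ep"
  vpc_id = aws_vpc.api_vpc.id

  dynamic "ingress" {
    for_each = ["tcp", "udp"] # DNS uses both; large answers fall back to TCP
    content {
      protocol    = ingress.value
      from_port   = 53
      to_port     = 53
      cidr_blocks = [for ip in local.outbound_ips : "${ip}/32"]
    }
  }
}

resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "private-api-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.inbound_resolver_ep_sg.id]

  ip_address {
    subnet_id = aws_subnet.private_sn_az1.id
    ip        = local.inbound_ips[0]
  }
  ip_address {
    subnet_id = aws_subnet.private_sn_az2.id
    ip        = local.inbound_ips[1]
  }
}

# --- VPC B: outbound endpoint that may only send DNS to the inbound endpoint ---
resource "aws_security_group" "outbound_resolver_ep_sg" {
  name   = "private-api-outbound-resolver-ep"
  vpc_id = aws_vpc.client_vpc.id

  dynamic "egress" {
    for_each = ["tcp", "udp"]
    content {
      protocol    = egress.value
      from_port   = 53
      to_port     = 53
      cidr_blocks = [for ip in local.inbound_ips : "${ip}/32"]
    }
  }
}

resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "private-api-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.outbound_resolver_ep_sg.id]

  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az1.id
    ip        = local.outbound_ips[0]
  }
  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az2.id
    ip        = local.outbound_ips[1]
  }
}

# Forward only the execute-api zone; every other name keeps using client_vpc's
# own Amazon-provided resolver. The resolver behind the inbound endpoint runs
# inside VPC A, so it sees the private DNS that the interface endpoint created there.
resource "aws_route53_resolver_rule" "private_api" {
  name                 = "private-api-forward"
  domain_name          = local.private_api_zone
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = local.inbound_ips
    content {
      ip = target_ip.value
    }
  }
}

# A rule steers nothing until it is associated with the VPC whose queries it
# should affect; this is the association the question's configuration was missing.
resource "aws_route53_resolver_rule_association" "private_api_client_vpc" {
  resolver_rule_id = aws_route53_resolver_rule.private_api.id
  vpc_id           = aws_vpc.client_vpc.id
}
```

After `terraform apply`, the `nslookup scnejgvlzb.execute-api.eu-central-1.amazonaws.com` from the question should return the interface endpoint's private addresses in VPC A (10.0.x.x) instead of NXDOMAIN; the peering route and the endpoint's own security group still have to admit HTTPS from 172.128.0.0/16 for the subsequent `curl` to succeed.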
