Whitelist private API GW api to be accessible from a VPC from another account

Question

I have a Private API in Amazon API Gateway that I want to be consumed from another account, by a lambda with VPC support. I modified the API ResourcePolicy to allow private API traffic based on source VPC as specified here, in the last example. This is how my ResourcePolicy looks:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "my-vpce"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "my-vpc-from-another-account"
                }
            }
        }
    ]
}

Now, when I try to consume the API using the https://my-api-id.execute-api.us-west-2.amazonaws.com/my-stage/ endpoint, I get a getaddrinfo ENOTFOUND error. Is this the appropriate way to expose a private API to be accessible from a VPC from another account?

Recommended answer

aws:SourceVpc and aws:VpcSourceIp correspond to the VPC in which the VPC Endpoint resides, not, as "source" would suggest, the VPC from which the request originates.

At least, I can confirm that's true when the traffic is routed over Transit Gateway; I haven't tested this with VPC Peering.

When your VPC Endpoint resides in a different VPC than the VPC the request is coming from, you cannot use aws:SourceVpc or aws:VpcSourceIp to restrict access based on the request origin.

If you have a requirement to restrict access to only allow requests that originate from a particular VPC, there's really only one solid option, and that's to create a VPC Endpoint in the request origin VPC, and use aws:SourceVpc in the resource policy.

I have confirmed this with AWS Support, and have passed on feedback that the documentation is in need of some improvement on this point.
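Added example, not code from the asker or the answerer: a small Python model of what the answer describes. It builds the endpoint-based resource policy the answer recommends (Allow through listed execute-api endpoints, plus an explicit Deny for everything else) and evaluates it against the condition context API Gateway actually supplies, so the gotcha is visible: a request from a peered VPC carries the endpoint's VPC ID, not its own. The account, VPC and endpoint IDs are constructed, and the evaluator is a simplified stand-in for IAM that only handles StringEquals and StringNotEquals.

```python
# Constructed identifiers; the evaluator is a simplified model of IAM, not the real engine.
API_ARN = "arn:aws:execute-api:us-west-2:111111111111:a1b2c3d4e5/*"

# What API Gateway sees when VPC B reaches the API through an endpoint that lives in
# VPC A (peering or Transit Gateway): the endpoint's own VPC, never VPC B.
CTX_VIA_VPC_A_ENDPOINT = {"aws:SourceVpce": "vpce-in-vpc-a", "aws:SourceVpc": "vpc-a"}
# What it sees once an execute-api interface endpoint exists in VPC B itself.
CTX_VIA_VPC_B_ENDPOINT = {"aws:SourceVpce": "vpce-in-vpc-b", "aws:SourceVpc": "vpc-b"}


def private_api_policy(api_arn, vpce_ids):
    """Allow Invoke only through the listed endpoints and explicitly deny any other
    path, so a request that carries no aws:SourceVpce at all is still rejected."""
    cond = {"aws:SourceVpce": list(vpce_ids)}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": api_arn, "Condition": {"StringEquals": cond}},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": api_arn, "Condition": {"StringNotEquals": cond}},
    ]}


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals only; values may be a string or a list."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if operator == "StringEquals":
                if context.get(key) not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # As in IAM, a negated operator is true when the key is absent.
                if key in context and context[key] in wanted:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy, context):
    """Explicit Deny wins over Allow; no matching statement is an implicit deny.
    Assumes every statement targets the same API ARN and execute-api:Invoke."""
    decision = "implicit-deny"
    for statement in policy["Statement"]:
        if _condition_holds(statement.get("Condition", {}), context):
            if statement["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision
```

The asker's getaddrinfo ENOTFOUND is the DNS side of the same setup: a private API's execute-api hostname only resolves from a VPC whose execute-api interface endpoint has private DNS enabled; otherwise the endpoint-specific hostname (api-id-vpce-id.execute-api.region.amazonaws.com) has to be used.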
