New private API Gateway endpoints causing edge endpoints to not be accessible from VPC

I was excited to hear about Serverless Framework supporting AWS API Gateway private endpoints and decided to play around with them. After reading the blog post and the AWS docs, I got everything running successfully.

However, adding the VPC endpoint with DNS resolution results in all of my “Edge Optimized” API domain names (ex. *.execute-api.us-east-1.amazonaws.com) resolving to VPC IP addresses. Edge Optimized APIs still work fine from outside the VPC, but inside the VPC they return a 403 error with {“message”:“Forbidden”}.

Is there a way to authorize requests from the VPC for Edge Optimized APIs?


Any luck with this? I’m currently stuck at the same point and the only workaround I found is to add the external resolved IP to the etc/hosts file, which is kinda ugly.

Hello Guys,

I’m actually facing the same issue. Is someone able to find a solution?

Hello,
I just found the solution; I forgot to add the resource policy to allow the private endpoint to access the API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-1:xxxxxxxx:xxxxxxxx/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-xxxxxxxxxxxxx"
        }
      }
    }
  ]
}

Where do i add this policy? Thanks.
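As an added illustration that is not from any poster in this thread, this is the same resource policy expressed in a Serverless Framework serverless.yml, under provider.apiGateway.resourcePolicy (older releases placed it at provider.resourcePolicy). The VPC endpoint id and region are placeholders, and the policy is attached to the API that is being called from inside the VPC, whatever its endpoint type is.

```yaml
# serverless.yml (added example; placeholders, not values from the thread)
service: private-vpce-demo

provider:
  name: aws
  region: eu-west-1
  # Keep EDGE for the edge-optimized API discussed above, or PRIVATE for an
  # API that should only be reachable through the VPC endpoint.
  endpointType: EDGE
  apiGateway:
    # Resource policy attached to this API. Principal "*" on its own would
    # make the API public; the aws:SourceVpce condition scopes the Allow to
    # calls arriving through the one VPC endpoint listed below.
    resourcePolicy:
      - Effect: Allow
        Principal: "*"
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*
        Condition:
          StringEquals:
            aws:SourceVpce:
              - vpce-PLACEHOLDER

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
```

After deploying a resource policy change, redeploy the API stage as well, since a resource policy only takes effect once the API has been deployed again.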