Amazon Web Services – Resolving 403 Forbidden Error When Connecting to API from VPC through API Gateway
Amazon API Gateway is used to create scalable APIs. It also handles publishing, monitoring and maintaining the API. It can be used to build RESTful APIs as well as WebSocket APIs, the latter for real-time two-way communication between client and server. Put simply, Amazon API Gateway is a single place for accepting, processing and managing API traffic at scale.
In this article, we will resolve the 403 Forbidden error that occurs when a public API Gateway API is called from inside a Virtual Private Cloud (VPC). To resolve the 403 Forbidden error, follow the steps below:
Step 1: First check whether a VPC endpoint for the Execute API service is associated with the VPC. To check this, go to the AWS Management Console.
Step 2: After logging into the AWS management console navigate to the VPC console.
Step 3: Then choose Endpoints in the left navigation panel.
Here you can see the list of interface VPC endpoints in the current region for your account.
Step 4: Now filter the VPC endpoints using the VPC ID.
Step 5: Again filter the VPC endpoints using the Service name.
Now you can see the VPC endpoint for the Execute API service that is associated with the VPC.
Note that when Private DNS is enabled on this VPC endpoint, every API Gateway request from inside the VPC is routed to the VPC endpoint, because that endpoint is the only way to reach private API Gateway APIs. The endpoint cannot reach public API Gateway APIs, so AWS answers those requests with “403 Forbidden”.
There are two ways we can resolve this error:
- Use a custom domain name.
- Disable the private DNS on the VPC endpoint that’s in use and then access the private APIs using the public DNS name of the VPC endpoint.
Note: Any clients that are using the private DNS name will no longer be able to connect to the private API and would have to use the public DNS name of the VPC endpoint instead.
Let’s look into how to disable the private DNS name settings for a VPC endpoint.
Step 1: Using the VPC endpoint console select the VPC endpoint whose settings you want to change.
Step 2: Choose Actions followed by Modify Private DNS names option.
Step 3: To disable the private DNS name, clear the checkmark next to “Enable for this endpoint”. Then choose “Modify Private DNS names” to save your changes.
After the private DNS name setting is disabled, you can access the private API Gateway APIs from the command line with a curl command like the one below.
curl -X GET -v https://apiId.execute-api.region.amazonaws.com/stageName/resourceName
This will resolve the 403 Forbidden Error in the API Gateway connection.
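The console steps above can also be checked and applied from a script. The example below is added here and is not code from the original article: it applies the VPC ID and service-name filters from Steps 4 and 5 to the JSON that `aws ec2 describe-vpc-endpoints` returns, reports which execute-api endpoints have Private DNS enabled (the condition behind the 403), builds the `aws ec2 modify-vpc-endpoint --no-private-dns-enabled` command that matches the console action, and builds the curl call for reaching a private API through the endpoint's public DNS name once Private DNS is off (the API's own hostname goes in the Host header so API Gateway can still select the API). The VPC, endpoint and API IDs are constructed samples, the script name `vpce_403.py` is hypothetical, and the embedded sample is shaped like the real CLI output but was written by hand.

```python
"""Added example (not from the original article): find the execute-api VPC
endpoint that causes a 403 for public APIs, and build the commands to fix it.
All VPC, endpoint and API IDs below are constructed samples."""
import json
import subprocess
import sys


def execute_api_service_name(region):
    """Service name of the API Gateway 'Execute API' interface endpoint."""
    return f"com.amazonaws.{region}.execute-api"


def find_execute_api_endpoints(describe_output, vpc_id, region):
    """Steps 4-5 of the article applied to parsed `describe-vpc-endpoints`
    JSON: keep the interface endpoints for execute-api in the given VPC."""
    service = execute_api_service_name(region)
    return [
        ep for ep in describe_output.get("VpcEndpoints", [])
        if ep.get("VpcId") == vpc_id
        and ep.get("ServiceName") == service
        and ep.get("VpcEndpointType") == "Interface"
    ]


def private_dns_endpoints(endpoints):
    """IDs of endpoints with Private DNS enabled. While one exists, the VPC
    resolves *.execute-api.<region>.amazonaws.com to the endpoint, which can
    only reach private APIs, so calls to public APIs get 403 Forbidden."""
    return [ep["VpcEndpointId"] for ep in endpoints if ep.get("PrivateDnsEnabled")]


def disable_private_dns_command(vpce_id):
    """CLI equivalent of the console 'Modify Private DNS names' action."""
    return ["aws", "ec2", "modify-vpc-endpoint",
            "--vpc-endpoint-id", vpce_id, "--no-private-dns-enabled"]


def endpoint_public_dns_name(endpoint):
    """The endpoint-specific public DNS name (the entry that starts with the
    endpoint's own ID), not the AZ-specific or private-DNS entries."""
    for entry in endpoint.get("DnsEntries", []):
        if entry["DnsName"].startswith(endpoint["VpcEndpointId"]):
            return entry["DnsName"]
    raise ValueError("no endpoint-specific DNS name found")


def private_api_invoke_command(endpoint, api_id, region, stage, resource):
    """With Private DNS off, a private API is reached via the endpoint's public
    DNS name; the Host header carries the API's own hostname."""
    host = f"{api_id}.execute-api.{region}.amazonaws.com"
    url = f"https://{endpoint_public_dns_name(endpoint)}/{stage}/{resource}"
    return ["curl", "-v", url, "-H", f"Host: {host}"]


def diagnose(describe_output, vpc_id, region):
    """Endpoint IDs that explain a 403 on public APIs from this VPC, or []."""
    return private_dns_endpoints(find_execute_api_endpoints(describe_output, vpc_id, region))


# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0abc123def4567890",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0123456789abcdef0",
            "ServiceName": "com.amazonaws.us-east-1.execute-api",
            "PrivateDnsEnabled": True,
            "DnsEntries": [
                {"DnsName": "vpce-0abc123def4567890-abcd1234.execute-api.us-east-1.vpce.amazonaws.com"},
                {"DnsName": "us-east-1a.vpce-0abc123def4567890-abcd1234.execute-api.us-east-1.vpce.amazonaws.com"},
                {"DnsName": "execute-api.us-east-1.amazonaws.com"},
                {"DnsName": "*.execute-api.us-east-1.amazonaws.com"},
            ],
        },
        {   # an unrelated gateway endpoint that the filters must drop
            "VpcEndpointId": "vpce-0fedcba9876543210",
            "VpcEndpointType": "Gateway",
            "VpcId": "vpc-0123456789abcdef0",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "PrivateDnsEnabled": False,
            "DnsEntries": [],
        },
    ]
}


if __name__ == "__main__":
    # python vpce_403.py <vpc-id> <region> runs the real CLI; no args uses the sample.
    if len(sys.argv) == 3:
        vpc_id, region = sys.argv[1], sys.argv[2]
        raw = subprocess.run(
            ["aws", "ec2", "describe-vpc-endpoints", "--region", region, "--output", "json",
             "--filters", f"Name=vpc-id,Values={vpc_id}",
             f"Name=service-name,Values={execute_api_service_name(region)}"],
            check=True, capture_output=True, text=True).stdout
        output = json.loads(raw)
    else:
        vpc_id, region, output = "vpc-0123456789abcdef0", "us-east-1", SAMPLE_DESCRIBE_OUTPUT
    for vpce_id in diagnose(output, vpc_id, region):
        print(f"{vpce_id} has Private DNS enabled; public APIs from this VPC get 403. To disable:")
        print(" ".join(disable_private_dns_command(vpce_id)))
```

Run without arguments to see the decision made on the constructed sample; run with a VPC ID and region to query the account with the same filters the console steps use. The `modify-vpc-endpoint` call is only printed, not executed, because disabling Private DNS also breaks any client that still calls the private API through the private DNS name, as the note above says.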