AWS: Can I give a Lambda function inside a VPC access to a public Websockets API Gateway?
I have a public API in API Gateway using Websockets protocol. I'm storing its connection IDs in a datastore inside my VPC, and trying to write a Lambda to read those connection IDs and then send data to each of them - using

await apigwManagementApi.postToConnection({ ConnectionId: connectionId, Data: postData }).promise();

This times out - the Lambda is unable to send messages to the API gateway. So I tried adding a Gateway to execute-api:

aws ec2 create-vpc-endpoint --vpc-id vpc-xyz --vpc-endpoint-type Interface --service-name com.amazonaws.eu-west-1.execute-api --subnet-ids subnet-xyz --security-group-id sg-xyz

Now I get ForbiddenException: Forbidden thrown by my calls to apigwManagementApi.
I've tried looking at the docs for the execute-api Gateway, but the doc for Interfaces https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html points to https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html and leads to creating private APIs - I don't want this, I need my API to be public.

I think I might be able to use a resource policy, as usually described at https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html, but this is a websocket API, so those instructions don't work as websocket APIs don't have a resource policies option.

I asked about this on the AWS Slack and it's not possible to use resource policies, and it would add a lot of networking complexity: https://awsdevelopers.slack.com/archives/C6LDW0BC3/p1570618074008500
From an AWS dev in that thread:

hey there - when Lambda is VPC enabled, it's subject to all routing rules of your VPC and Subnet.
To hit any public resource, you will need a NAT GW, routing rules, and SG setting to allow communication.
Resource policies will not work.
I had the same problem - this document explains the reason for it ( https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/ ).

To fix it you need to add an edge-optimized custom domain name, which entails the following:

1. Add a certificate into AWS ACM (you'll need the cert, private key and provider root cert) in the us-east-1 ACM manager (you have to add it to us-east-1 to see it in the edge-optimized cert list).
2. In the API Gateway console go to Custom Domain Names and create a new one.
3. Set your domain name, leave the type as edge-optimized and apply the cert that you just created.
4. Once the domain is set up (it takes around 40 minutes) you can add base path mappings to send traffic to your apis / stages.
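As an added example (not code from the question or the answer), this is the shape of a fan-out Lambda that follows the answer's advice: the management API client is pointed at the edge-optimized custom domain rather than the default execute-api hostname, and stale connections (410 / GoneException) are separated out so they can be purged from the datastore instead of failing the whole broadcast. The endpoint value, the environment variable and the datastore helpers are assumptions.

```javascript
// Added example: broadcast to WebSocket connection IDs via the API Gateway
// Management API from a VPC-attached Lambda. ASSUMED: the endpoint is the
// edge-optimized custom domain from the answer, supplied via WS_MANAGEMENT_ENDPOINT.
const MANAGEMENT_ENDPOINT = process.env.WS_MANAGEMENT_ENDPOINT || 'https://ws.example.com';

// Post `data` to every connection ID. `post(connectionId, data)` is injected
// (in production: ApiGatewayManagementApi.postToConnection). aws-sdk v2 surfaces
// a vanished connection as statusCode 410 / code 'GoneException'; those IDs are
// returned as `stale` so the caller can delete them. Any other error (for example
// ForbiddenException when the endpoint is wrong) is recorded per connection
// rather than aborting the fan-out.
async function broadcast(post, connectionIds, data) {
  const result = { sent: [], stale: [], failed: [] };
  await Promise.all(connectionIds.map(async (connectionId) => {
    try {
      await post(connectionId, data);
      result.sent.push(connectionId);
    } catch (err) {
      if (err.statusCode === 410 || err.code === 'GoneException') {
        result.stale.push(connectionId);
      } else {
        result.failed.push({ connectionId, code: err.code || String(err) });
      }
    }
  }));
  return result;
}

// Lambda entry point. aws-sdk is loaded lazily so broadcast() stays testable offline.
// `loadConnectionIds` / `deleteConnectionIds` are ASSUMED placeholders for the
// datastore inside the VPC that holds the connection IDs.
async function handler(event, { loadConnectionIds, deleteConnectionIds }) {
  const AWS = require('aws-sdk');
  const api = new AWS.ApiGatewayManagementApi({ endpoint: MANAGEMENT_ENDPOINT });
  const post = (ConnectionId, Data) => api.postToConnection({ ConnectionId, Data }).promise();
  const result = await broadcast(post, await loadConnectionIds(), JSON.stringify(event));
  if (result.stale.length) await deleteConnectionIds(result.stale);
  return result;
}

module.exports = { broadcast, handler, MANAGEMENT_ENDPOINT };
```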