API Gateway private APIs: what changes when private DNS is enabled on the VPC endpoint

Author: admin    Published: 2024-06-10


Private DNS not enabled

  • Calling a Regional API (a non-private API) from inside the VPC is unaffected: the API's execute-api hostname still resolves to public IP addresses, so the request leaves the VPC and is served by the public API Gateway endpoint as usual

    $ curl https://region-app-id.execute-api.cn-north-1.amazonaws.com.cn/dev
    [
      {
        "id": 1,
        "type": "fish",
        "price": 249.99
      },
      {
        "id": 2,
        "type": "fish",
        "price": 124.99
      },
      {
        "id": 3,
        "type": "fish",
        "price": 0.99
      }
    ]
    
  • Calling a private API from inside the VPC
    The API's own private DNS name cannot be used: with private DNS disabled on the endpoint, nothing in the VPC answers for that name, so resolution fails before any connection is made

    $ curl https://private-app-id.execute-api.cn-north-1.amazonaws.com.cn/dev
    curl: (6) Could not resolve host: hc31cifr6a.execute-api.cn-north-1.amazonaws.com.cn
    

    Calling the private API through the endpoint-specific public DNS hostname (the vpce-... name, with the target API selected by the x-apigw-api-id header) succeeds

    $ curl https://vpce-xxxxx-8xxxxxgm.execute-api.cn-north-1.vpce.amazonaws.com.cn/dev -H'x-apigw-api-id:app-id'
    [
      {
        "id": 1,
        "type": "dog",
        "price": 249.99
      },
      {
        "id": 2,
        "type": "cat",
        "price": 124.99
      },
      {
        "id": 3,
        "type": "fish",
        "price": 0.99
      }
    ]
    

Private DNS enabled

  • Calling a Regional API from inside the VPC IS affected: the execute-api hostname now resolves to the VPC endpoint's private IPs (the 10.0.x.x addresses below). The TLS handshake still succeeds, because the endpoint presents the same *.execute-api wildcard certificate, but the request is answered by the VPC endpoint, which only routes to private APIs, so the public Regional API returns 403 Forbidden instead of its payload

    $ curl -v https://app-id.execute-api.cn-north-1.amazonaws.com.cn/dev
    * Host app-d.execute-api.cn-north-1.amazonaws.com.cn:443 was resolved.
    * IPv6: (none)
    * IPv4: 10.0.10.240, 10.0.150.229
    *   Trying 10.0.10.240:443...
    * Connected to cpvnfwf97a.execute-api.cn-north-1.amazonaws.com.cn (10.0.10.240) port 443
    * ALPN: curl offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: none
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 / rsaEncryption
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: CN=*.execute-api.cn-north-1.amazonaws.com.cn
    *  start date: Dec 17 00:00:00 2023 GMT
    *  expire date: Nov 29 23:59:59 2024 GMT
    *  subjectAltName: host "app-id.execute-api.cn-north-1.amazonaws.com.cn" matched cert's "*.execute-api.cn-north-1.amazonaws.com.cn"
    *  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
    *  SSL certificate verify ok.
    *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
    *   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
    *   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
    * using HTTP/1.x
    > GET /dev HTTP/1.1
    > Host: app-id.execute-api.cn-north-1.amazonaws.com.cn
    > User-Agent: curl/8.5.0
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < Server: Server
    < Date: Mon, 10 Jun 2024 02:26:05 GMT
    < Content-Type: application/json
    < Content-Length: 23
    < Connection: keep-alive
    < x-amzn-RequestId: 202d0b5f-744a-4b06-b129-9936e066e3be
    < x-amzn-ErrorType: ForbiddenException
    < x-amz-apigw-id: apigw-id
    <
    * Connection #0 to host cpvnfwf97a.execute-api.cn-north-1.amazonaws.com.cn left intact
    {"message":"Forbidden"}
    
  • Calling a private API from inside the VPC
    Calling the private API by its own private DNS name succeeds, because the endpoint's private hosted zone now resolves that name to the endpoint's private IPs

    $ curl https://app-id.execute-api.cn-north-1.amazonaws.com.cn/dev
    [
      {
        "id": 1,
        "type": "dog",
        "price": 249.99
      },
      {
        "id": 2,
        "type": "cat",
        "price": 124.99
      },
      {
        "id": 3,
        "type": "fish",
        "price": 0.99
      }
    ]
    

    Calling the private API through the endpoint-specific public DNS hostname (with the x-apigw-api-id header) still succeeds, exactly as it did with private DNS disabled

    $ curl https://vpce-xxxxx-84szh5gm.execute-api.cn-north-1.vpce.amazonaws.com.cn/dev -H'x-apigw-api-id:app-id'
    [
      {
        "id": 1,
        "type": "dog",
        "price": 249.99
      },
      {
        "id": 2,
        "type": "cat",
        "price": 124.99
      },
      {
        "id": 3,
        "type": "fish",
        "price": 0.99
      }
    ]
    
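The four outcomes observed above form a small decision matrix (API type × private-DNS flag × which hostname is used). As an added example, not code from the original post, the following Python encodes that matrix and turns it into an audit that can be pointed at boto3 output: the record shapes used are those of ec2.describe_vpc_endpoints()['VpcEndpoints'] and apigateway.get_rest_apis()['items'], while the endpoint, VPC and API IDs in the sample data are constructed and the China-region service-name form "cn.com.amazonaws.<region>.execute-api" is an assumption. It also generalises one step beyond what the post shows: calling a Regional API through the vpce-... hostname is reported as 403 too, since the VPC endpoint only routes to private APIs.

```python
"""
Model of what a caller inside a VPC gets from API Gateway REST APIs, depending
on whether the execute-api interface endpoint has private DNS enabled.
Added example, not code from the original post.  The input record shapes match
boto3's ec2.describe_vpc_endpoints()['VpcEndpoints'] and
apigateway.get_rest_apis()['items']; the sample records below are constructed.
"""
import ipaddress
from typing import Iterable

OK = "200 OK"
DNS_FAIL = "curl: (6) Could not resolve host"
FORBIDDEN = "403 Forbidden (request hit the VPC endpoint, which only routes to private APIs)"


def resolved_via_endpoint(addresses: Iterable[str]) -> bool:
    """True when the API hostname resolved only to private addresses, i.e. the
    VPC endpoint's private hosted zone answered instead of public DNS.  Feed it
    the addresses curl -v prints ('* IPv4: 10.0.10.240, 10.0.150.229')."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    return bool(addrs) and all(a.is_private for a in addrs)


def expected_outcome(api_type: str, private_dns_enabled: bool,
                     use_vpce_hostname: bool) -> str:
    """Outcome of an HTTPS call from inside the VPC.

    api_type            'PRIVATE', 'REGIONAL' or 'EDGE'
                        (endpointConfiguration.types[0] of the REST API)
    private_dns_enabled PrivateDnsEnabled flag of the execute-api VPC endpoint
    use_vpce_hostname   True  -> https://vpce-....execute-api.<region>.vpce.amazonaws.com.cn
                                 with the x-apigw-api-id: <api-id> header
                        False -> https://<api-id>.execute-api.<region>.amazonaws.com.cn
    """
    if api_type == "PRIVATE":
        if use_vpce_hostname:
            return OK                      # works in both DNS modes
        # The API's own name only has a record in the endpoint's private zone.
        return OK if private_dns_enabled else DNS_FAIL
    # REGIONAL / EDGE: the public API is not reachable through the endpoint.
    if use_vpce_hostname:
        return FORBIDDEN
    # With private DNS on, the public name now resolves to the endpoint ENIs.
    return FORBIDDEN if private_dns_enabled else OK


def audit(vpc_endpoints: list, apis: list) -> list:
    """Cross every execute-api VPC endpoint with every REST API and report the
    result a caller in that VPC gets on each of the two hostnames."""
    rows = []
    for vpce in vpc_endpoints:
        # Skip S3, ECR, ... endpoints; execute-api service names end in ".execute-api".
        if not vpce["ServiceName"].endswith(".execute-api"):
            continue
        dns = bool(vpce.get("PrivateDnsEnabled", False))
        for api in apis:
            api_type = api["endpointConfiguration"]["types"][0]
            rows.append({
                "vpce": vpce["VpcEndpointId"],
                "vpc": vpce["VpcId"],
                "private_dns": dns,
                "api": api["id"],
                "type": api_type,
                "own_hostname": expected_outcome(api_type, dns, False),
                "vpce_hostname": expected_outcome(api_type, dns, True),
            })
    return rows


# Constructed sample data (IDs are made up; the China-region service-name form
# "cn.com.amazonaws.<region>.execute-api" is an assumption).
SAMPLE_VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaaaaaaaaaaaaaa1", "VpcId": "vpc-0bbbbbbbbbbbbbbb1",
     "ServiceName": "cn.com.amazonaws.cn-north-1.execute-api",
     "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0aaaaaaaaaaaaaaa2", "VpcId": "vpc-0bbbbbbbbbbbbbbb2",
     "ServiceName": "cn.com.amazonaws.cn-north-1.execute-api",
     "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0aaaaaaaaaaaaaaa3", "VpcId": "vpc-0bbbbbbbbbbbbbbb2",
     "ServiceName": "cn.com.amazonaws.cn-north-1.s3",
     "PrivateDnsEnabled": False},
]
SAMPLE_APIS = [
    {"id": "private-app-id", "name": "pets-private",
     "endpointConfiguration": {"types": ["PRIVATE"],
                               "vpcEndpointIds": ["vpce-0aaaaaaaaaaaaaaa1",
                                                  "vpce-0aaaaaaaaaaaaaaa2"]}},
    {"id": "region-app-id", "name": "pets-regional",
     "endpointConfiguration": {"types": ["REGIONAL"]}},
]

if __name__ == "__main__":
    # In a real account replace the sample lists with the boto3 results:
    #   boto3.client("ec2").describe_vpc_endpoints()["VpcEndpoints"]
    #   boto3.client("apigateway").get_rest_apis()["items"]
    for r in audit(SAMPLE_VPC_ENDPOINTS, SAMPLE_APIS):
        print(f'{r["vpce"]} private_dns={r["private_dns"]!s:5} '
              f'{r["type"]:8} {r["api"]:15} own-name: {r["own_hostname"]}; '
              f'vpce-name: {r["vpce_hostname"]}')
    print("resolved via endpoint:", resolved_via_endpoint(["10.0.10.240", "10.0.150.229"]))
```

Run from an instance in the VPC, resolved_via_endpoint() can be fed the addresses returned by socket.getaddrinfo() for the API hostname to confirm which DNS path is in effect, which is the same signal as the "* IPv4: 10.0.10.240, 10.0.150.229" line in the curl -v output above. The audit models DNS and routing only: a private API additionally needs a resource policy that allows the calling VPC endpoint (aws:SourceVpce), otherwise the call returns 403 even when the name resolves correctly.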