I have a public API in API Gateway using Websockets protocol. I'm storing its connection IDs in a datastore inside my VPC, and trying to write a Lambda to read those connection IDs and then send data to each of them - using await apigwManagementApi.postToConnection({ ConnectionId: connectionId, Data: postData }).promise();. This times out - the Lambda is unable to send messages to the API gateway. So I tried adding a Gateway to execute-api: aws ec2 create-vpc-endpoint --vpc-id vpc-xyz --vpc-endpoint-type Interface --service-name com.amazonaws.eu-west-1.execute-api --subnet-ids subnet-xyz --security-group-id sg-xyz. Now I get ForbiddenException: Forbidden thrown by my calls to apigwManagementApi.
I've tried looking at the docs for the execute-api Gateway, but the doc for Interfaces https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html points to https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html and leads to creating private APIs - I don't want this, I need my API to be public.
I think I might be able to use a resource policy usually https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html But this is a websocket API so these instructions don't work as they don't have a resource policies option.
I asked about this on the AWS Slack and it's not possible to use resource policies and would add a lot of networking complexity: https://awsdevelopers.slack.com/archives/C6LDW0BC3/p1570618074008500
From an AWS dev in that thread:
hey there - when Lambda is VPC enabled, it's subject to all routing rules of your VPC and Subnet.
To hit any public resource, you will need a NAT GW, routing rules, and SG setting to allow communication.
Resource policies will not work.
I had the same problem - this document explains the reason for it (https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/).
To fix it you need to add an edge-optimized custom domain name, which entails the following:
Add a certificate (you'll need the cert, private key and provider root cert) into the us-east-1 ACM manager (you have to add it to us-east-1 to see it in the edge-optimized cert list).
In the API Gateway console go to Custom Domain Names and Create a new one.
Set your domain name, leave the type as edge-optimized and apply the cert that you just created.
Once the domain is set up (it takes around 40 minutes) you can add base path mappings to send traffic to your apis / stages.
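Added example (not code from the asker, the answerer or AWS) showing the broadcast Lambda from the question in Python, pointed at the edge-optimized custom domain the answer sets up. It assumes the management endpoint is passed in as the MANAGEMENT_ENDPOINT environment variable (hypothetical domain ws.example.com with base path prod), that the Lambda's role is allowed execute-api:ManageConnections, and that connection IDs arrive in the event (in the real function they would be read from the datastore in the VPC). A constructed FakeManagementClient stands in for boto3's apigatewaymanagementapi client so the block runs offline; it also exercises the 410 GoneException case, which a broadcaster must handle so that clients that vanished without firing $disconnect get pruned rather than retried forever.

```python
"""Broadcast to API Gateway WebSocket connections from a VPC-attached Lambda.

Added example, not the page's own code. Assumptions:
  - the Lambda role allows execute-api:ManageConnections
  - MANAGEMENT_ENDPOINT is the edge-optimized custom domain + base path
    (hypothetical: https://ws.example.com/prod) or the regional default
    https://{api-id}.execute-api.{region}.amazonaws.com/{stage}
"""
import os
from types import SimpleNamespace


def build_endpoint_url(custom_domain=None, base_path="", api_id=None, region=None, stage=None):
    """Return the @connections management endpoint URL.

    With the custom domain and base path mapping from the answer, calls leave
    through the edge-optimized domain instead of the execute-api interface
    endpoint (which only serves private APIs and answers ForbiddenException).
    """
    if custom_domain:
        return f"https://{custom_domain}/{base_path}".rstrip("/")
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}"


def broadcast(client, connection_ids, payload):
    """Post payload to every connection id; return (delivered, stale).

    GoneException (HTTP 410) means the peer is no longer connected. Those ids
    are reported so the caller can delete them from the datastore; retrying
    them on every broadcast only burns time against the Lambda timeout.
    """
    delivered, stale = [], []
    for cid in connection_ids:
        try:
            client.post_to_connection(ConnectionId=cid, Data=payload)
            delivered.append(cid)
        except client.exceptions.GoneException:
            stale.append(cid)
    return delivered, stale


class FakeManagementClient:
    """Constructed stand-in for boto3.client('apigatewaymanagementapi') so the
    example runs offline. Ids listed in gone_ids raise like a real 410."""

    class _GoneException(Exception):
        pass

    def __init__(self, gone_ids=()):
        self.exceptions = SimpleNamespace(GoneException=self._GoneException)
        self.gone_ids = set(gone_ids)
        self.sent = []  # (ConnectionId, Data) pairs that "reached" the client

    def post_to_connection(self, ConnectionId, Data):
        if ConnectionId in self.gone_ids:
            raise self.exceptions.GoneException(f"410 Gone: {ConnectionId}")
        self.sent.append((ConnectionId, Data))


def lambda_handler(event, context, client=None):
    """Lambda entry point. Inside Lambda pass no client: it is built from
    boto3 against MANAGEMENT_ENDPOINT. Tests inject the fake client."""
    if client is None:
        import boto3  # available in the Lambda runtime; not needed offline
        client = boto3.client("apigatewaymanagementapi",
                              endpoint_url=os.environ["MANAGEMENT_ENDPOINT"])
    delivered, stale = broadcast(client, event["connection_ids"], event["data"].encode())
    # In the real function, delete `stale` ids from the datastore here.
    return {"delivered": delivered, "stale": stale}


if __name__ == "__main__":
    fake = FakeManagementClient(gone_ids={"c2"})
    print(build_endpoint_url(custom_domain="ws.example.com", base_path="prod"))
    print(lambda_handler({"connection_ids": ["c1", "c2", "c3"], "data": "hello"},
                         None, client=fake))
```

The endpoint is injected rather than hard-coded so the same handler works before and after the custom domain is in place; only the environment variable changes. If calls still time out after the domain is mapped, the Lambda's subnet has no route to the public edge at all, which is the NAT gateway situation the AWS dev describes in the question.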