Chalice: Chalice did not configure vpc endpoint correctly for private API

Created on 2 Jul 2020 · 7 Comments · Source: aws/chalice

I'm trying to create a private api while specifying the VPC endpoint. It created the private API but I do not see the vpce configuration when I try to verify it via AWS CLI and console

cli output:

{
    "id": "xxxxx",
    "name": "app",
    "createdDate": 1591091485,
    "version": "1.0",
    "apiKeySource": "HEADER",
    "endpointConfiguration": {
        "types": [
            "PRIVATE"
        ]
    },
    "tags": {}
}

config.json
{
  "stages": {
    "dev": {
      "api_gateway_stage": "api",
      "api_gateway_endpoint_type": "PRIVATE",
      "api_gateway_endpoint_vpce": ["vpce-xxxxxx"],
      "autogen_policy": false
    }
  },
  "version": "2.0",
  "app_name": "app"
}

enhancement


All 7 comments

I wanted to second this; my config contains:

  "stages": {
    "dev": {
      "api_gateway_stage": "api",
      "api_gateway_endpoint_type": "PRIVATE",
      "api_gateway_endpoint_vpce": ["vpce-####"]
    }
  }

However, upon deploying, it's deployed as PRIVATE but does not have the VPCE selected. I'm having to use the console to manually add the VPCE to the API gateway config after every deployment. (I'm sure I could script it, but...)

@jamesls could you look into this?

Sorry for the delay, taking a look now.

Looking into this more, how are you invoking your private API? (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html).

If you want to use the Route 53 DNS alias record, then we'd need to associate the VPC endpoint with the REST API (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#associate-private-api-with-vpc-endpoint), which looking over the current code, doesn't look like we do that. Can you confirm that's what you're saying is missing?

As an aside, when I tried to set this up, both the URL from the output of chalice deploy as well as the {rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage} endpoint worked for me (testing from a lambda function within the VPC). I'm curious what specific problems you're running into with the way Chalice currently configures the REST API endpoint so I can understand the severity of this better. This will help determine if this should be a change to the default behavior or an optional config option you have to specify.

Chalice config:

$ cat .chalice/config.json
{
  "version": "2.0",
  "app_name": "testapi",
  "stages": {
    "dev": {
      "api_gateway_stage": "api",
      "api_gateway_endpoint_type": "PRIVATE",
      "api_gateway_endpoint_vpce": ["vpce-abcd"],
      "subnet_ids": ["subnet-abcd1", "subnet-abcd2"],
      "security_group_ids": ["sg-abcd"]
    }
  }
}

App code:

from chalice import Chalice
import requests

app = Chalice(app_name='testapi')
app.debug = True


@app.route('/')
def index():
    return {"hello": "world"}


# Runs inside the VPC (see subnet_ids/security_group_ids in the config) and
# calls the private API through both hostname forms.
@app.lambda_function()
def make_request(event, context):
    # Default execute-api hostname for the REST API.
    url1 = 'https://{rest-api-id}.execute-api.us-east-1.amazonaws.com/api/'
    # VPC-endpoint-specific hostname ({rest-api-id}-{vpce-id}).
    url2 = 'https://{rest-api-id}-vpce-abcd.execute-api.us-east-1.amazonaws.com/api/'
    response1 = requests.get(url1)
    response2 = requests.get(url2)
    return [
        {'url': url1, 'status': response1.status_code,
         'body': response1.text},
        {'url': url2, 'status': response2.status_code,
         'body': response2.text},
    ]

Deploying:

$ chalice deploy
Creating deployment package.
Updating policy for IAM role: testapi-dev
Creating lambda function: testapi-dev-make_request
Updating lambda function: testapi-dev
Updating rest API
Resources deployed:
  - Lambda ARN: arn:aws:lambda:us-east-1:12345:function:testapi-dev-make_request
  - Lambda ARN: arn:aws:lambda:us-east-1:12345:function:testapi-dev
  - Rest API URL: https://{rest-api-id}.execute-api.us-east-1.amazonaws.com/api/

Results:

$ chalice invoke -n make_request
[
  {
    "url": "https://abcd.execute-api.us-east-1.amazonaws.com/api/",
    "status": 200,
    "body": "{\"hello\":\"world\"}"
  },
  {
    "url": "https://abcd-vpce-efgh.execute-api.us-east-1.amazonaws.com/api/",
    "status": 200,
    "body": "{\"hello\":\"world\"}"
  }
]

Hi @jamesls, indeed I was referring to chalice associating the VPCE to the API GW. I was under the impression from the documentation that by providing the VPC endpoint, it would be associated with the API GW itself.

Hi!
Is the functionality to automatically set the VPC Endpoint, like @choonming expected, available somewhere in Chalice? It seems that the requirements that are put on me require this setting.

The same is happening to me: I added the VPC endpoint configuration in my config.json, but when the app is deployed the vpce is not set in the API Gateway settings. I have to add it manually or with the following command:

aws apigateway update-rest-api \
    --rest-api-id u67n3ov968 \
    --patch-operations "op='add',path='/endpointConfiguration/vpcEndpointIds',value='vpce-01d622316a7df47f9'" \
    --region us-west-2

(https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#associate-private-api-with-vpc-endpoint)
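A post-deploy check that reconciles the VPCE IDs declared in .chalice/config.json against what get-rest-api reports, and applies the same add patch as the CLI workaround above for any that are missing. This is an added example, not Chalice's own code; it assumes boto3 is installed for the live path, and the config and REST API description below are constructed from the snippets in this thread.

```python
import json
from typing import Dict, List

PATCH_PATH = "/endpointConfiguration/vpcEndpointIds"


def expected_vpce_ids(config: Dict, stage: str) -> List[str]:
    """Read api_gateway_endpoint_vpce for a stage from a parsed .chalice/config.json.
    Only PRIVATE stages can carry VPCE IDs; a bare string is tolerated as well as a list."""
    stage_cfg = config.get("stages", {}).get(stage, {})
    if stage_cfg.get("api_gateway_endpoint_type") != "PRIVATE":
        return []
    ids = stage_cfg.get("api_gateway_endpoint_vpce", [])
    return [ids] if isinstance(ids, str) else list(ids)


def missing_vpce_ids(rest_api: Dict, wanted: List[str]) -> List[str]:
    """Compare a get-rest-api response against the configured IDs; order preserved."""
    current = set(rest_api.get("endpointConfiguration", {}).get("vpcEndpointIds", []))
    return [v for v in wanted if v not in current]


def patch_operations(missing: List[str]) -> List[Dict[str, str]]:
    """One 'add' patch per endpoint ID, the same shape the CLI workaround uses."""
    return [{"op": "add", "path": PATCH_PATH, "value": v} for v in missing]


def associate_vpce(rest_api_id: str, config: Dict, stage: str, region: str) -> List[str]:
    """Live check-and-fix (assumes boto3 and AWS credentials); returns the IDs it added."""
    import boto3  # imported here so the pure helpers above stay usable offline
    client = boto3.client("apigateway", region_name=region)
    wanted = expected_vpce_ids(config, stage)
    missing = missing_vpce_ids(client.get_rest_api(restApiId=rest_api_id), wanted)
    if missing:
        client.update_rest_api(restApiId=rest_api_id, patchOperations=patch_operations(missing))
    return missing


# Constructed sample mirroring the thread: config declares a VPCE, deployed API lacks it.
SAMPLE_CONFIG = json.loads("""{"version": "2.0", "app_name": "app", "stages": {"dev": {
  "api_gateway_stage": "api", "api_gateway_endpoint_type": "PRIVATE",
  "api_gateway_endpoint_vpce": ["vpce-xxxxxx"], "autogen_policy": false}}}""")
SAMPLE_REST_API = {"id": "xxxxx", "name": "app",
                   "endpointConfiguration": {"types": ["PRIVATE"]}}

if __name__ == "__main__":
    todo = missing_vpce_ids(SAMPLE_REST_API, expected_vpce_ids(SAMPLE_CONFIG, "dev"))
    print(json.dumps(patch_operations(todo), indent=2))
```

Running it after each `chalice deploy` (with the real REST API id from the deploy output) makes the association repeatable instead of a manual console step.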
