We have private APIs with API-G endpoints backed by a Lambda within a VPC and subnet.
We also have a step function that relies on these API endpoints within the same account.
What policies should we add to allow the step function to invoke the private APIs? This is the error I see during step function executions:
{
    "resourceType": "apigateway",
    "resource": "invoke",
    "error": "ApiGateway.UnknownHostException",
    "cause": "[API-G].execute-api.us-west-2.amazonaws.com: Name or service not known"
}
The VPC already has a 443 inbound rule added to its security group. Do we need to create a VPC PrivateLink between the step function and the VPC?
The integration works fine for regional public APIs, but as soon as we convert them to private, the integration fails with the above error.
Note that I am still able to invoke the APIs from the API-G console, and the step function execution role has permissions to invoke the APIs.
As mentioned in the official documentation, the Step Functions integration with API Gateway does not support calling a private API.
Unsupported by the Step Functions API Gateway integration:
- Authorizers: Amazon Cognito, Native Open ID Connect / OAuth 2.0, Authorization header for token-based Lambda authorizers
- API types: Private
- API VPC management: Custom domain names
Despite these limitations, if calling a private API is a crucial requirement for you, there is a more complex architectural solution.
You can make the API Gateway call through a Lambda function situated within the VPC. You should also configure a VPC endpoint within the VPC to enable the private API Gateway call (but you have probably already configured it, since a private API Gateway requires one by default).
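The workaround above (Step Functions invokes a Lambda in the VPC, and the Lambda calls the private API through the execute-api interface endpoint) as an added illustration; this is not code from the original post or from AWS. It assumes the private REST API uses the IAM (AWS_IAM) authorizer, so the Lambda signs the request with SigV4 using its own execution-role credentials, and that the API's resource policy allows the endpoint (aws:SourceVpce). It also shows the two hostname forms that matter for the "Name or service not known" failure: with private DNS enabled on the endpoint, the normal `{api-id}.execute-api.{region}.amazonaws.com` name resolves only from inside the VPC, which is exactly why Step Functions itself cannot reach it; with private DNS disabled, the endpoint-specific `{vpce-id}.execute-api.{region}.vpce.amazonaws.com` name is used and the API id travels in the `x-apigw-api-id` header. All ids, keys and the `demo()` transport are constructed placeholders.

```python
"""Lambda-in-VPC relay for a private API Gateway (added example, not the post's code)."""
import datetime
import hashlib
import hmac
import json
import os
import urllib.request
from urllib.parse import quote


def private_api_target(api_id, region, stage, path, vpce_id=None, private_dns=True):
    """Return (host, path, extra_headers) for calling a private API from the VPC."""
    path = "/" + stage + "/" + path.lstrip("/")
    if private_dns:
        # Resolves to the execute-api VPC endpoint only from inside the VPC.
        return f"{api_id}.execute-api.{region}.amazonaws.com", path, {}
    if vpce_id is None:
        raise ValueError("vpce_id is required when private DNS is disabled")
    # Endpoint-specific public DNS name; the API id must be sent as a header.
    host = f"{vpce_id}.execute-api.{region}.vpce.amazonaws.com"
    return host, path, {"x-apigw-api-id": api_id}


def sigv4_headers(method, host, path, body, region, access_key, secret_key,
                  session_token=None, extra_headers=None, now=None):
    """Build SigV4 headers for an execute-api request (IAM authorizer), no query string."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    service = "execute-api"
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    if session_token:  # Lambda role credentials are temporary, so this is normally set
        headers["x-amz-security-token"] = session_token
    headers.update({k.lower(): v for k, v in (extra_headers or {}).items()})

    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), "",
                                   canonical_headers, signed, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    def _hmac(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()

    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def handler(event, context=None, send=None):
    """Lambda entry point; `event` is the Step Functions task input. Needs execute-api:Invoke."""
    region = os.environ["AWS_REGION"]
    host, path, extra = private_api_target(
        os.environ["API_ID"], region, os.environ["STAGE"], event.get("path", "/"),
        os.environ.get("VPCE_ID"), os.environ.get("PRIVATE_DNS", "true") == "true")
    body = json.dumps(event.get("body", {})).encode()
    headers = sigv4_headers("POST", host, path, body, region,
                            os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
                            os.environ.get("AWS_SESSION_TOKEN"), extra)
    req = urllib.request.Request(f"https://{host}{path}", data=body, headers=headers, method="POST")
    send = send or (lambda r: urllib.request.urlopen(r, timeout=10))  # real HTTPS inside the VPC
    with send(req) as resp:
        return {"statusCode": resp.status, "body": resp.read().decode()}


def demo():
    """Offline run with constructed placeholder ids/keys and a fake HTTPS transport."""
    os.environ.update({"API_ID": "abc123", "AWS_REGION": "us-west-2", "STAGE": "prod",
                       "VPCE_ID": "vpce-0123456789abcdef0", "PRIVATE_DNS": "false",
                       "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "secret"})

    class FakeResponse:
        status = 200
        def read(self): return b'{"ok": true}'
        def __enter__(self): return self
        def __exit__(self, *exc): return False

    def fake_send(req):  # stands in for urlopen; checks what would go on the wire
        assert req.get_header("X-apigw-api-id") == "abc123"
        assert req.get_header("Authorization").startswith("AWS4-HMAC-SHA256")
        return FakeResponse()

    return handler({"path": "orders", "body": {"id": 1}}, send=fake_send)


if __name__ == "__main__":
    print(demo())
```

On the Step Functions side the task then becomes a plain `arn:aws:states:::lambda:invoke` task targeting this function, so the state machine never has to resolve the private hostname itself. The Lambda's execution role needs `execute-api:Invoke` on the API, the Lambda's security group needs an outbound 443 rule to the endpoint's security group (the inbound 443 rule mentioned in the question covers only the other direction), and the API's resource policy must allow calls from the endpoint's `aws:SourceVpce`.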