Hey everyone! I'm not the most knowledgeable when it comes to AWS and VPC setups, so I might be a bit lost here—but I could really use your help! We're trying to call a third-party service through their API Gateway, which they've set up with a custom domain. In our AWS account, we've got a VPC with resources that can resolve and access this custom DNS name.
However, I've run into a problem when I try to set up both a VpcLink and a Vpc Interface Endpoint for API Gateway. I get the error:
> Hostname/IP does not match certificate's altnames: Host: .example.com is not in the cert's altnames: DNS:*.execute-api.eu-west-1.amazonaws.com, DNS:*.execute-api.eu-west-1.vpce.amazonaws.com.
If I only use one of them, it works fine, but having both seems to cause the issue.
I wonder if the traffic was originally going outside AWS and now it's being routed internally due to these configurations. Also, I can't see the third party's setup, but they created a CNAME for their domain. Shouldn't it have been an Alias record instead? When I check with mxtoolbox.com, it shows a CNAME pointing to d-********.execute-api.eu-west-1.amazonaws.com.
Any thoughts on how we can resolve this issue? I'd love to fix this on our end since contacting the third party for changes has been tough! Thanks a bunch!
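The error quoted in the question is an ordinary TLS hostname check: the VPC endpoint presents a certificate whose SANs are the two wildcard names in the error, and the custom domain is not one of them, so any client that resolves the custom domain to the endpoint's private IPs will refuse the handshake. As an added example (not from the post or from AWS), here is a small Python checker that applies the one-label wildcard rule to exactly those SANs; `api.example.com` and `d-abc123...` are constructed placeholder names, and `fetch_sans` is an optional live helper that needs network access.

```python
import socket
import ssl

# The DNS SANs quoted in the error message in the question.
VPCE_CERT_SANS = [
    "*.execute-api.eu-west-1.amazonaws.com",
    "*.execute-api.eu-west-1.vpce.amazonaws.com",
]


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style matching: a leading '*' covers exactly one DNS label."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]  # e.g. ".execute-api.eu-west-1.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # The wildcard must stand in for one non-empty label, never "a.b" or "".
    return bool(leftmost) and "." not in leftmost


def hostname_covered(hostname: str, sans=VPCE_CERT_SANS) -> bool:
    """True if the name the client connects to is in the certificate's SANs."""
    return any(san_matches(hostname, san) for san in sans)


def fetch_sans(hostname: str, port: int = 443) -> list:
    """Live check (needs network): the DNS SANs a server presents for this SNI.

    The chain is still verified, only the hostname check is skipped, so
    getpeercert() returns the parsed certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed names: the custom domain and the CNAME target from the question.
    for name in ("api.example.com", "d-abc123.execute-api.eu-west-1.amazonaws.com"):
        print(name, "->", "covered" if hostname_covered(name) else "NOT covered")
```

Running the script shows that only the `d-....execute-api.eu-west-1.amazonaws.com` target is covered, which is why the request succeeds when the custom domain resolves over the public internet to API Gateway's own edge (where a certificate for the custom domain is served) and fails once private DNS steers it to the endpoint.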
1 Answer
It sounds like you're dealing with some common VPC configuration quirks. Just a heads up, you actually can't use a VPC endpoint for a public API Gateway; they're meant for private APIs only. If you're trying to access a public endpoint, sticking with a direct internet connection is usually the way to go. What are you using the VpcLink for, if not for this third-party service? That might clarify some options for you.

Thanks for the clarification! The VpcLink is there so our public APIs can connect with resources inside the VPC itself. The endpoint is meant for our private APIs. But it looks like, for this third-party API, we're stuck using a public connection, right?