13

I am struggling to understand how AWS API Gateway Custom Domain works.

I have set up a Regional Custom Domain Name for my api, like api.example.com. The result is a Target Domain Name in the form of:

aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com

If I try to invoke the API using this link, such as in:

https://aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com/mymap/mystage/example

I get a 403 Forbidden.

BUT, if I go to Stages and select mystage there's a big blue Invoke URL in the form of:

https://bbbbbbbbbb.execute-api.us-east-1.amazonaws.com/mymap/mystage/example

Which works!

So here come my first 2 questions:

1 - Why does API Gateway generate 2 different URLs for the same API (the Target Domain Name and the Invoke URL)?

2 - Why does the Invoke URL work and the Target Domain Name doesn't?


Here's the second part of my question, I am trying to configure Route 53 for the Regional Custom Domain Name configuration, but I can't find any examples about the right way to do it (just for Edge Optimized Custom Domain Name).

I tried to create an A record for api.example.com as an Alias to aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com, but it says:

The record set could not be saved because: - Alias Target contains an invalid value.

So I created a CNAME record for api.example.com, setting Alias to No (setting as a Yes brings the same error message as in the A record case) and the value as aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com but then I get a 404 when I try to invoke my API as https://api.example.com/mymap/mystage/example.

What am I doing wrong?


EDIT:

This thread was moved to the AWS Forums here


EDIT 2:

Apparently, as the AWS support guys said, there is an inconsistency on how API Gateway treats Custom Domain Names and regular API Gateway URLs, all is documented at this AWS Forum thread here

Michel Feinstein

2 Answers

5

If anyone wants to understand what was going on with API Gateway, take a look at this thread.

It basically says that API Gateway processes regular URLs (like aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com) differently than how it processes Custom Domain Name URLs (like api.myservice.com). So when API Gateway forwards your API request to your Lambda Function, your Lambda Function will receive different path values, depending on which type of your URL you used to invoke your API.

In my case I am using the serverless java container, so I can run a Jersey webservice on AWS Lambda. Since the URL is not being passed the same for both URLs, Jersey will return a 404 when it receives a URL that is malformed for its configuration.

The AWS API Gateway team said they are thinking about making this URL invocation uniform, but no compromises on it so far (January 2018).

The Route 53 part of my question is answered by Jack and I have nothing to add.

Michel Feinstein
  • 1
    I read through that entire thread... geez, that was like a 3-month ordeal. I was having the same exact issue and this helped save me from going down a rabbit hole for a day or two. – Yu Chen Dec 27 '18 at 02:52
  • 1
    Yes, it was exhausting and I felt kinda helpless, I was pulling my hair out, that's why I wanted to post it, so someone else wouldn't be as lost as I was, since AWS wasn't making much of an effort to help me. I am glad you could work it out. If you are using the serverless Java container, be sure to check the docs, where it shows how to deal with extracting base path strings https://github.com/awslabs/aws-serverless-java-container/wiki – Michel Feinstein Dec 27 '18 at 04:48
  • Seems the thread is dead :( – nickswiss May 16 '23 at 18:16
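
The path mismatch described in this answer can be absorbed in the function itself by normalizing the path before routing. This is an added example, not code from the answer or from the serverless Java container; it assumes a Lambda proxy event whose `path` carries the base path mapping key (`mymap`) as a prefix when the request came through the custom domain, and the event dictionaries are constructed samples.

```python
def strip_base_path(path: str, base_path: str) -> str:
    """Remove a leading base-path mapping from path, matching whole segments only."""
    base = "/" + base_path.strip("/")
    if base == "/":
        # Empty base path mapping: nothing to strip.
        return path or "/"
    if path == base:
        return "/"
    if path.startswith(base + "/"):
        return path[len(base):]
    # Request came through the default execute-api URL (no prefix), or the
    # prefix only looks similar (e.g. /mymapping): leave the path untouched.
    return path


def route_key(event: dict, base_path: str) -> str:
    """Build the key the application routes on, identical for both URL types."""
    return event["httpMethod"] + " " + strip_base_path(event["path"], base_path)


# Constructed sample events: the same resource reached through the default
# Invoke URL and through the custom domain with base path mapping "mymap".
VIA_INVOKE_URL = {"httpMethod": "GET", "path": "/example"}
VIA_CUSTOM_DOMAIN = {"httpMethod": "GET", "path": "/mymap/example"}


if __name__ == "__main__":
    for event in (VIA_INVOKE_URL, VIA_CUSTOM_DOMAIN):
        print(event["path"], "->", route_key(event, "mymap"))
```

Routing and any path-based authorization checks should run on the normalized value, so that both URL types are evaluated against the same path.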
4

The Route53 console doesn't support API Gateway as an ALIAS target yet. You'll have to make the ALIAS record using a CLI/SDK (or hit the R53 API directly) and provide the target hosted zone listed on this page: http://docs.aws.amazon.com/general/latest/gr/rande.html#apigateway_region

Why does API Gateway generate 2 different URLs for the same API (the Target Domain Name and the Invoke URL)?

The Invoke URL is the default endpoint that is always available with a valid SSL certificate. This endpoint is managed by API Gateway. The target domain name is optional (you have to set up the custom domain name), and the DNS and SSL certificate are managed by you/customer.

Thanks, Jack

jackko
  • 1
    OMG! Thank you so much for being here! No one answered me on the forums. This was driving me crazy... I will try the CLI then. – Michel Feinstein Dec 18 '17 at 19:51
  • There's one thing I don't understand then... The documentation says I should create a CNAME on my DNS provider, mapping my API custom name to the Target Domain Name. I did on R53 and it doesn't work... But for what you said and for what the docs say, it would work for an external DNS service.... Why? What's the difference? Isn't R53 a DNS service after all? – Michel Feinstein Dec 18 '17 at 19:53
  • Two more things I would like to add: 1 - Please update the docs to make this limitation more explicit. 2 - Edge Optimized custom domain name creates a cloudfront formation, which R53 accepts as an Alias, I still get a 404, but shouldn't it work with R53? – Michel Feinstein Dec 18 '17 at 20:07
  • I was able to create the A record with the Alias using the CLI, but I am still receiving a 404. – Michel Feinstein Dec 19 '17 at 00:33
  • Jack, could you please answer my forum question? It's still not working – Michel Feinstein Dec 20 '17 at 22:18
  • The base path mapping replaces the stage, so `https://api.example.com/mymap/mystage/example` won't work. Try `https://api.example.com/mymap/example` – jackko Dec 21 '17 at 19:59
  • I selected the option to have the stage mapped in the path. I tested it anyways and I got a 403 forbidden, which means it doesn't exist. – Michel Feinstein Dec 21 '17 at 21:16
  • Can I give you any kind of private information and you can check what's wrong from your inside access? – Michel Feinstein Dec 21 '17 at 21:17
  • For the sake of completeness, I tried all the possible combinations of with and without base path mapping, stage and path. All I get is 403 forbidden or 404 (only of the full path). – Michel Feinstein Dec 22 '17 at 03:24
  • Jack, I still have this problem, what information would you need to help me out with this? I believe it should be simple for you, but I am lost, no one answers on my AWS Forums thread at https://forums.aws.amazon.com/thread.jspa?messageID=822648 – Michel Feinstein Jan 05 '18 at 04:18
  • Jack, could you please take a look at it? – Michel Feinstein Jan 09 '18 at 05:50
  • @mFeinstein Were you able to get this going? I struggled a bit as well but I think I got it. Let me know. – Guven Jan 26 '18 at 15:16
  • @mFeinstein same as @Guven, I managed to make it work by adding the `stage` in the *Destination* section of the *Base Path Mappings* of the custom Domains. Please let me know if we can help as thanks to your question I managed to solve it. – josemrivera Jan 26 '18 at 16:43
  • I still have this problem, let me double check what you said @JRivera – Michel Feinstein Jan 26 '18 at 16:52
  • Wait, if you had to place the stage on the destination, so you can't have the stage on the URL, like "api.myservice/v1", which is one of my goals, as much as /test /dev etc. This is horrible :/ – Michel Feinstein Jan 26 '18 at 17:04
  • @Guven I would really appreciate the help! – Michel Feinstein Jan 26 '18 at 19:15
  • @JRivera I just looked at my configuration, I have the `Base Path Mappings` as : `Path`: `mywebservice` ; `Destination`: `MyLambdaFunction` ; `Stage`: [Blank - Define in Path]. As I understand the `Stage` will be defined by the user of the webservice, so he can select `https://api.mywebservice.com/v1/hello` and get to the `v1` stage, same goes for `v2` stage....is this wrong? – Michel Feinstein Jan 26 '18 at 19:17
  • I got a response from one of the support agents from AWS, but his answer didn't make much sense to me, any of you guys could see what I replied to him here: https://forums.aws.amazon.com/thread.jspa?messageID=820099 and what am I doing wrong? Thanks! – Michel Feinstein Jan 26 '18 at 21:09
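
The ALIAS record this answer says must be created through the CLI or SDK can be expressed as a Route 53 change batch. This is an added example, not code from the answer: it builds the batch from the fields returned by `aws apigateway get-domain-name`, using a constructed sample whose hosted zone ID is a placeholder.

```python
import json
import re

# Shape of a regional target such as aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com
TARGET_RE = re.compile(r"^[a-z0-9-]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com$")

# Constructed sample of `aws apigateway get-domain-name --domain-name api.example.com`
# output; the hosted zone ID below is a placeholder, not a real value.
SAMPLE_DOMAIN_INFO = {
    "domainName": "api.example.com",
    "regionalDomainName": "aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com",
    "regionalHostedZoneId": "ZPLACEHOLDER0000",
}


def alias_change_batch(domain_info: dict) -> dict:
    """Build a Route 53 change batch aliasing the custom domain to its regional target."""
    target = domain_info["regionalDomainName"].rstrip(".").lower()
    if not TARGET_RE.match(target):
        raise ValueError(f"not a regional execute-api target: {target!r}")
    return {
        "Comment": "Alias custom domain to API Gateway regional endpoint",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": domain_info["domainName"],
                "Type": "A",
                # Alias records carry no TTL or ResourceRecords.
                "AliasTarget": {
                    # API Gateway's hosted zone for the region, not your own zone.
                    "HostedZoneId": domain_info["regionalHostedZoneId"],
                    "DNSName": target,
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }


if __name__ == "__main__":
    print(json.dumps(alias_change_batch(SAMPLE_DOMAIN_INFO), indent=2))
```

Save the output as `batch.json` and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <your-zone-id> --change-batch file://batch.json`; `--hosted-zone-id` is the zone that holds `example.com`, while `AliasTarget.HostedZoneId` is the API Gateway zone for the region.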