Owen Kirkeby

Reputation: 135

Using CNAME DNS Entry to call AWS Lambda Function

I currently have a lambda function deployed on AWS. The URL for the Lambda is https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/stage_name_here.

I created a CNAME entry in my DNS which points my.custom.name.com to the base of the Lambda: https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/. I DO NOT OWN THE DOMAIN name.com. This is purely a CNAME reference which my DNS will resolve to the lambda base. If I run nslookup on my.custom.name.com, it does resolve properly and points to https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/

I can properly use the lambda through Postman when calling https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/stage_name_here, however if I try to use any variation of my.custom.name.com/stage_name_here, it returns with

{
  'message': 'forbidden'
}

My understanding is that when I attempt to use that CNAME to make a request, it first goes to my DNS. My DNS resolves that CNAME to the lambda base address. My understanding is that AWS would have no knowledge of my.custom.name.com as my DNS only uses that to know where to send a request.

An analogy for my understanding would be that I'm trying to send a letter to an address: address1. Instead of writing address1 on the letter, I write address2. When the mailman gets my letter, he asks his boss where address2 is, and his boss tells him address2 = address1. Then he delivers the letter to address1.

In that analogy, address2 does not need to actually exist for this transaction to occur. Unless I misunderstand, AWS API Gateway REQUIRES that address2 exists because the letter first goes to address2 and THEN goes to address1.

What seems to be happening is that AWS somehow knows that address2 was part of the equation because it denies the request when address2 is used instead of address1.

What is the difference in this scenario, and how can I set up the DNS CNAME and AWS to get scenario 1 to happen?

Upvotes: 3

Views: 4175

Answers (1)

Arun Kamalanathan

Reputation: 8593

The AWS API Gateway console has a built-in mechanism called custom domains. It is exactly what you need. You need to set that up, as @LostJon pointed out.

Basic steps are:

  1. Create an SSL certificate using Amazon ACM.
  2. Create a custom domain from the API Gateway console, such as api.example.com. During this step, select the SSL certificate for your domain obtained in step 1.
  3. Create a base path that points to your API. For example, base path /payment pointing to your API makes it accessible via https://api.example.com/payment. This process will also give you a CloudFront distribution address, e.g. [email protected]
  4. Go to Route53 (or your domain registrar) and create an A record to point the subdomain api.example.com to the CloudFront distribution address, e.g. [email protected]

reference: https://hackernoon.com/how-to-setup-subdomain-for-aws-api-gateway-d526a9fd6722

Upvotes: 2
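The four steps above as a single CloudFormation template, added here as an illustration rather than code from the answer. It assumes the existing API id, stage name, domain and a Route 53 hosted zone you control are passed in as parameters, and uses an edge-optimized domain because the answer points the A record at a CloudFront distribution.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  RestApiId:      # the "xxxxxxxxxx" part of the execute-api URL
    Type: String
  StageName:      # e.g. stage_name_here
    Type: String
  DomainName:     # e.g. api.example.com
    Type: String
  HostedZoneId:   # the Route 53 zone that actually owns example.com
    Type: AWS::Route53::HostedZone::Id
Resources:
  # Step 1: ACM certificate, DNS-validated in the hosted zone. Edge-optimized
  # API Gateway domains require the certificate to be issued in us-east-1.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
  # Step 2: the custom domain. API Gateway only serves requests whose TLS SNI
  # and Host header match a registered name, which is why a bare CNAME got 403.
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Ref DomainName
      CertificateArn: !Ref Certificate
      EndpointConfiguration:
        Types: [EDGE]
      SecurityPolicy: TLS_1_2
  # Step 3: base path mapping: https://api.example.com/payment -> the stage.
  PaymentMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref ApiDomain
      BasePath: payment
      RestApiId: !Ref RestApiId
      Stage: !Ref StageName
  # Step 4: alias A record to the CloudFront distribution API Gateway created.
  ApiDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDomain.DistributionDomainName
        HostedZoneId: !GetAtt ApiDomain.DistributionHostedZoneId
```

Deploy the stack in us-east-1; the alias record is what makes the name resolve, but it is the DomainName resource that tells API Gateway to accept that Host header instead of returning forbidden.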
