Cannot proxify an AWS API Gateway endpoint

I try to create an Apigee proxy to an AWS API Gateway endpoint and I always receive a 503 response:

error The Service is temporarily unavailable
type ErrorPoint
state TARGET_REQ_FLOW
error.class com.apigee.errors.http.server.ServiceUnavailableException
error.cause Received fatal alert: handshake_failure
Identifier fault
<HTTPTargetConnection>
    <URL>https://XXXXXXXX.execute-api.eu-west-1.amazonaws.com</URL>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <TrustStore>myTruststore</TrustStore>
        <!--
        <Protocols>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
        -->
    </SSLInfo>
</HTTPTargetConnection>

Of course I can successfully curl the AWS API Gateway endpoint in a terminal. Why can't Apigee?

Any help?

Thanks.

1 ACCEPTED SOLUTION

I suspect the problem is SNI.

Not all Apigee Edge organizations are set up to perform SNI outbound correctly.

Your AWS endpoint uses SNI, but Apigee Edge isn't doing the right thing.

What kind of organization is it? Paid or Trial?

If Trial, can you please set up a new trial organization (with a new email) and try it THERE?

If Paid, you will need to contact Apigee Support.


10 REPLIES

Thanks for your response. It's a paid one. I will contact Apigee support.

But why are you using Apigee Edge to act as a proxy in front of another API Gateway?

API Gateway is a temporary solution we use until we migrate our services on a new platform.

Yann - Have you resolved this issue? I could see that APIGEE doesn't support the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher. In a successful curl to the Amazon API Gateway, the SSL connection is using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256. I have tried to connect using both trial and paid versions but am getting the same error.

@Rahul

No, I have not. Apigee does not support SNI. But it seems that support can activate this feature...

Did you decide to not ask Apigee Support to activate this for you? If so, why?

Seems like I'm having the same issue. Everything was working when on the "trial" plan, but now I get "Received fatal alert: handshake_failure".

Can you please ask your question in a new question rather than asking in a comment to a question that is 4 months old? Also, have you checked the accepted answer here? It suggests that you contact Apigee Support. Have you done that?

I already contacted support. Mine was not a question. I just wanted to tell all people having this same issue that this problem is still present for "Paid organization".