We are deploying a new BYOC environment for a financial services client and hitting a wall during the edge registration phase. The edge service is running on AWS ECS behind a PrivateLink endpoint, and we are seeing persistent 403 Forbidden responses when the edge attempts to handshake with the Genesys Cloud control plane.
Environment details:
- Edge Version: 8.1.2.104
- Host: AWS ECS Fargate (Private Subnet)
- Network: VPC with PrivateLink to Genesys Cloud
- Certificates: Valid, trusted by Genesys, correct CN/SANs
The logs show that the initial TCP connection succeeds and the TLS handshake completes, but the HTTP POST to /api/v2/edges/registration then returns a 403. The error payload is generic: {"code": "forbidden", "message": "Access denied"}.
We have verified that the edgeId and orgId match the credentials provided in the AppFoundry console. We also confirmed that the IAM role attached to the ECS task has permissions for ec2:CreateVpcEndpoint and ec2:DescribeVpcEndpoints.
Has anyone encountered this specific 403 during the registration phase on PrivateLink? We suspect it might be related to the source IP validation or a missing header in the registration request, but the documentation is sparse on the exact requirements for the registration payload beyond the cert and edge ID.
Any insights into what triggers a 403 at this stage would be appreciated. We are blocked on go-live.