By using AWS re:Post, you agree to the Terms of Use
/How to invoke a private REST API (created with AWS Gateway) endpoint from an EventBusRule?/

How to invoke a private REST API (created with AWS Gateway) endpoint from an EventBusRule?


I have setup the following workflow:

  • private REST API with sources /POST/event and /POST/process
  • a VPCLink to an NLB (which points to an ALB pointing to a microservice running on EKS)
  • a VPC endpoint with DNS name vpce-<id>-<id> with Private DNS enabled
  • an EventBridge EventBus with a rule that has two targets: 1 API Destination for debugging/testing and 1 AWS Service which points to my private REST Api on the source /POST/process
  • all required Resource Policies and Roles
  • all resources are defined within the same AWS Account

The designed worflow is as follows:

  • invoke POST/event on the VPC endpoint (any other invocation is prohibited by the Resource Policy) with an event payload
  • the API puts the event payload to the EventBus
  • the EventBusRule is triggered and sends the event payload to the POST/process endpoint on the private REST API
  • the POST/process endpoint proxies the payload to a microservice running on EKS (via VPCLink > NLB > ALB> k8s Service)

What does work so far:

  • invoking POST/event on the VPC endpoint
  • putting the event payload to the EventBus
  • forwarding the event payload to the API Destination set up for testing/debugging (it's a temporary endpoint on
  • testing the POST/event and POST/process integration in the AWS Console (the latter is verified by checking that the event payload reaches the microservice on EKS successfully)

That is all single steps in the workflow seem to work, and all permissions seem to be set properly.

Whad does not work is invoking the POST/process endpoint from the EventBusRule, i.e. invoking POST/event does not invoke POST/process via the EventBus, although the EventBusRule was triggered.

So my question is: How to invoke a private REST API endpoint from an EventBusRule?

What I have already tried:

  • change the order of the EventBusRule targets
  • create a Route 53 record pointing to the VPC endpoint and treat it as an (external) API Destination
  • allow access from anywhere by anyone to the REST API (temporarily only, of course)

Remark on the design: I create two endpoints (one for receiving an event, one for processing it) with an EventBus in between because

  • I have to expect a delay of several minutes between the Event Creation/Notification and the successful Event Processing
  • I expect several hundred event sources, which are different AWS and Azure accounts
  • I want to keep track of all events that reach our API and of their successful processing in one central EventBus and not inside each AWS account where the event stems from
  • I want to keep track each failed event processing in the same central EventBus with only one central DeadLetterQueue
1 Answers
Accepted Answer

Private API Gateway endpoints can only be called from within the VPC they are configured in. EventBridge Targets can't point to private resources in a VPC. This means that you can't directly invoke your private API from EventBridge.

You can work around it by invoking a Lambda function instead. The function is attached to the VPC and it can make calls to the API.

answered 2 months ago
  • Hi @Uri, thank you for your response.

    If your explanation is right (and I do not doubt it), then I wonder why the h**l AWS allows me to select a private REST API from the Drop-Down menu as a target when I select AWS Service as the target type???

    I used to rely on the preselection of available resources in the Drop-Downs, in the sense that it's impossible to create an incompatible configuration in the Amazon Console.

  • Good point. Seems like a bug. Will report it internally.

  • Thank you @Uri


You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions