I have setup the following workflow:
- private REST API with sources
/POST/event
and /POST/process
- a
VPCLink
to an NLB
(which points to an ALB
pointing to a microservice running on EKS
)
- a
VPC endpoint
with DNS name vpce-<id>-<id>.execute-api.eu-central-1.vpce.amazonaws.com
with Private DNS enabled
- an EventBridge
EventBus
with a rule that has two targets: 1 API Destination
for debugging/testing and 1 AWS Service
which points to my private REST Api on the source /POST/process
- all required
Resource Policies
and Roles
- all resources are defined within the same AWS Account
The designed worflow is as follows:
- invoke
POST/event
on the VPC endpoint (any other invocation is prohibited by the Resource Policy
) with an event
payload
- the API puts the
event
payload to the EventBus
- the
EventBusRule
is triggered and sends the event
payload to the POST/process
endpoint on the private REST API
- the
POST/process
endpoint proxies the payload to a microservice running on EKS (via VPCLink
> NLB
> ALB
> k8s Service
)
What does work so far:
- invoking
POST/event
on the VPC endpoint
- putting the
event
payload to the EventBus
- forwarding the
event
payload to the API Destination
set up for testing/debugging (it's a temporary endpoint on https://webhook.site)
- testing the
POST/event
and POST/process
integration in the AWS Console (the latter is verified by checking that the event
payload reaches the microservice on EKS successfully)
That is all single steps in the workflow seem to work, and all permissions seem to be set properly.
**Whad does not work **is invoking the POST/process
endpoint from the EventBusRule
, i.e. invoking POST/event
does not invoke POST/process
via the EventBus
, although the EventBusRule
was triggered.
So my question is: How to invoke a private REST API endpoint from an EventBusRule?
What I have already tried:
- change the order of the
EventBusRule targets
- create a Route 53 record pointing to the
VPC endpoint
and treat it as an (external) API Destination
- allow access from anywhere by anyone to the REST API (temporarily only, of course)
Remark on the design:
I create two endpoints (one for receiving an event
, one for processing it) with an EventBus in between because
- I have to expect a delay of several minutes between the
Event Creation/Notification
and the successful Event Processing
- I expect several hundred
event sources
, which are different AWS and Azure accounts
- I want to keep track of all events that reach our API and of their successful processing in one central EventBus and not inside each AWS account where the event stems from
- I want to keep track each failed event processing in the same central EventBus with only one central DeadLetterQueue
Hi @Uri, thank you for your response.
If your explanation is right (and I do not doubt it), then I wonder why the h**l AWS allows me to select a private REST API from the Drop-Down menu as a target when I select
AWS Service
as the target type???I used to rely on the preselection of available resources in the Drop-Downs, in the sense that it's impossible to create an incompatible configuration in the Amazon Console.
Good point. Seems like a bug. Will report it internally.
Thank you @Uri
:+1: