How to invoke a private REST API (created with AWS Gateway) endpoint from an EventBusRule?

Question

I have setup the following workflow:
- private REST API with sources `/POST/event` and `/POST/process`
- a `VPCLink` to an `NLB` (which points to an `ALB` pointing to a microservice running on `EKS`)
- a `VPC endpoint` with DNS name `vpce--.execute-api.eu-central-1.vpce.amazonaws.com` with `Private DNS enabled`
- an EventBridge `EventBus` with a rule that has two targets: 1 `API Destination` for debugging/testing and 1 `AWS Service` which points to my private REST Api on the source `/POST/process`
- all required `Resource Policies` and `Roles`
- all resources are defined within the same AWS Account

The **designed** worflow is as follows:
- invoke `POST/event` on the VPC endpoint (any other invocation is prohibited by the `Resource Policy`) with an `event` payload
- the API puts the `event` payload to the `EventBus`
- the `EventBusRule` is triggered and sends the `event` payload to the `POST/process` endpoint on the private REST API
- the `POST/process` endpoint proxies the payload to a microservice running on EKS (via `VPCLink` > `NLB` > `ALB`> `k8s Service`)

**What does work** so far:
- invoking `POST/event` on the VPC endpoint
- putting the `event` payload to the `EventBus`
- forwarding the `event` payload to the `API Destination` set up for testing/debugging (it's a temporary endpoint on https://webhook.site)
- testing the `POST/event` and `POST/process` integration in the AWS Console (the latter is verified by checking that the `event` payload reaches the microservice on EKS successfully)

That is all single steps in the workflow seem to work, and all permissions seem to be set properly.

**Whad does not work **is invoking the `POST/process` endpoint from the `EventBusRule`, i.e. invoking `POST/event` does not invoke `POST/process` via the `EventBus`, _although_ the `EventBusRule` was triggered.

So my **question** is: **How to invoke a private REST API endpoint from an EventBusRule?**

**What I have already tried:**
- change the order of the `EventBusRule targets`
- create a Route 53 record pointing to the `VPC endpoint` and treat it as an (external) `API Destination`
- allow access from _anywhere_ by _anyone_ to the REST API (temporarily only, of course)

**Remark on the design:**
I create _two_ endpoints (one for receiving an `event`, one for processing it) with an EventBus in between because
- I have to expect a delay of several minutes between the `Event Creation/Notification` and the successful `Event Processing`
- I expect several hundred `event sources`, which are different AWS and Azure accounts
- I want to keep track of all events that _reach_ our API and of their successful _processing_ in one central EventBus and _not_ inside each AWS account where the event stems from
- I want to keep track each _failed_ event processing in the same central EventBus with only one central DeadLetterQueue

Accepted Answer

Private API Gateway endpoints can only be called from within the VPC they are configured in. EventBridge Targets can't point to private resources in a VPC. This means that you can't directly invoke your private API from EventBridge.

You can work around it by invoking a Lambda function instead. The function is attached to the VPC and it can make calls to the API.

How to invoke a private REST API (created with AWS Gateway) endpoint from an EventBusRule?

Relevant questions

Lambda (private subnet) <- ingress request< - gateway

Calling Private API from Lambda in VPC

Private Route 53 to API Gateway

VPC Interface Endpoints and API Gateway called from Lambdas

ApiGateway to control an EC2 instance with load balancer running a FastAPI

Accessing API Gateway both Public and Private endpoint

where does this vpc endpoint coming from

Build a REST API with API Gateway private integration: Tutorial

Amazon API Gateway Proxy - VPC Endpoint - NLB - Private DNS - Self-signed SSL

How to invoke a private REST API (created with AWS Gateway) endpoint from an EventBusRule?