DEV Community

Cover image for Private API Gateway as EventBridge API Destination
Benoît Bouré for AWS Community Builders

Posted on • Originally published at


Private API Gateway as EventBridge API Destination

In a previous post, I explained how to connect AWS Step Functions to a private API Gateway endpoint thanks to the new integration with AWS PrivateLink and Amazon VPC Lattice. In this issue, I’ll show you how to use the same integration to use a private API Gateway API as an EventBridge target using the CDK, removing the need for an intermediary Lambda function.


EventBridge Private API Gateway Integration


The setup is similar to the one for Step Functions. A Resource Gateway is used as the entry point into the VPC. It is associated with a Resource Configuration, which defines the Private API Gateway resource, and the EventBridge Connection is configured to use the Resource Config as the final destination.

For more details about this setup, see my previous post about the Step Functions Integration.

CDK Stack Definition

We need to define the Resource Gateway and the Resource Definition.

    // Security Group for the Resource Gateway
    const rgSecurityGroup = new SecurityGroup(this, 'ResourceGatewaySG', {
      vpc: vpc,
      allowAllOutbound: false,

      'Allow HTTPS traffic from Resource Gateway',

    // Resource Gateway
    const resourceGateway = new CfnResourceGateway(this, 'ResourceGateway', {
      name: 'private-api-access',
      ipAddressType: 'IPV4',
      vpcIdentifier: vpc.vpcId,
      subnetIds: => subnet.subnetId),
      securityGroupIds: [rgSecurityGroup.securityGroupId],

    // Resource Configuration
    const resourceConfig = new CfnResourceConfiguration(
        name: 'sf-private-api',
        portRanges: ['443'],
        resourceGatewayId: resourceGateway.ref,
        resourceConfigurationType: 'SINGLE',

    // Use the global DNS name of the API gateway's VPC endpoint
    // in the Resource Configuration
          Fn.split(':',, api.vpcEndpoint.vpcEndpointDnsEntries)),
        IpAddressType: 'IPV4',

    // Event Bus
    const eventBus = new EventBus(this, 'EventBus', {});

    // Connection to the API
    const connection = new Connection(this, 'ApiConnection', {
      authorization: Authorization.apiKey(

    // Setup the Connection with the Resouce Config
    (connection.node.children[0] as CfnConnection).addPropertyOverride(
        ResourceParameters: {
          ResourceConfigurationArn: resourceConfig.attrArn,
Enter fullscreen mode Exit fullscreen mode

EventBridge is now able to connect to the private API Gateway. We can now create a rule and set the API as the target.

    const rule = new Rule(this, 'RequestAccountRule', {
      eventPattern: {
        source: ['my-source'],

    const apiDestination = new ApiDestination(this, 'ApiDestination', {
      endpoint: `${api.api.url}/hello`,
      httpMethod: HttpMethod.POST,
      connection: connection,

      new targets.ApiDestination(apiDestination, {
        event: RuleTargetInput.fromEventPath('$.detail'),
Enter fullscreen mode Exit fullscreen mode

Find the full code on GitHub.

Testing the Integration

Putting the following event on the bus.

  "DetailType": "somethingHappened",
  "Source": "my-source",
  "Detail": {
    "foo": "bar"
Enter fullscreen mode Exit fullscreen mode

I can see that the Lambda function used as the handler of the endpoint is invoked with the following event.

    "resource": "/hello",
    "path": "/hello",
    "httpMethod": "POST",
    "headers": {
        "Accept-Encoding": "gzip, x-gzip, deflate, br",
        "Content-Type": "application/json; charset=utf-8",
        "Host": "",
        "Range": "bytes=0-1048575",
        "User-Agent": "Amazon/EventBridge/ApiDestinations",
        "x-amzn-cipher-suite": "ECDHE-RSA-AES128-GCM-SHA256",
        "x-amzn-tls-version": "TLSv1.2",
        "x-amzn-vpc-id": "vpc-0a1db1c1701e137ca",
        "x-amzn-vpce-config": "1",
        "x-amzn-vpce-id": "vpce-09fc3c0c5173d919b",
        "x-api-key": "demo",
        "X-Forwarded-For": ""
    "multiValueHeaders": {
        "Accept-Encoding": [
            "gzip, x-gzip, deflate, br"
        "Content-Type": [
            "application/json; charset=utf-8"
        "Host": [
        "Range": [
        "User-Agent": [
        "x-amzn-cipher-suite": [
        "x-amzn-tls-version": [
        "x-amzn-vpc-id": [
        "x-amzn-vpce-config": [
        "x-amzn-vpce-id": [
        "x-api-key": [
        "X-Forwarded-For": [
    "queryStringParameters": null,
    "multiValueQueryStringParameters": null,
    "pathParameters": null,
    "stageVariables": null,
    "requestContext": {
        "resourceId": "yjzggg",
        "resourcePath": "/hello",
        "httpMethod": "POST",
        "extendedRequestId": "Efl1aFY5oAMFoYA=",
        "requestTime": "16/Jan/2025:18:29:54 +0000",
        "path": "/prod/hello",
        "accountId": "438465158289",
        "protocol": "HTTP/1.1",
        "stage": "prod",
        "domainPrefix": "899aggxh3a",
        "requestTimeEpoch": 1737052194204,
        "requestId": "3a6754ae-5488-429c-9ec6-1837a4c21727",
        "identity": {
            "cognitoIdentityPoolId": null,
            "cognitoIdentityId": null,
            "vpceId": "vpce-09fc3c0c5173d919b",
            "apiKey": "demo",
            "principalOrgId": null,
            "cognitoAuthenticationType": null,
            "userArn": null,
            "userAgent": "Amazon/EventBridge/ApiDestinations",
            "accountId": null,
            "caller": null,
            "sourceIp": "",
            "accessKey": null,
            "vpcId": "vpc-0a1db1c1701e137ca",
            "cognitoAuthenticationProvider": null,
            "user": null
        "domainName": "",
        "deploymentId": "74v610",
        "apiId": "899aggxh3a"
    "body": "{\"foo\":\"bar\"}",
    "isBase64Encoded": false
Enter fullscreen mode Exit fullscreen mode


The new VPC Lattice and AWS Private Link integration allows developers to invoke Private APIs directly without needing a Lambda function. This reduces code, maintenance, and latency.

Top comments (1)

drjoanneskiles profile image
Joanne Skiles

This is a great guide on using a private API Gateway as an EventBridge API destination! I really appreciate how you broke down the steps and touched on the security side of things. Super helpful for anyone building event-driven setups!

QQ: Have you tested this with a high volume of events? I’m wondering if you ran into any throttling issues or had to tweak anything for performance.

Best Practices for Running  Container WordPress on AWS (ECS, EFS, RDS, ELB) using CDK cover image

Best Practices for Running Container WordPress on AWS (ECS, EFS, RDS, ELB) using CDK

This post discusses the process of migrating a growing WordPress eShop business to AWS using AWS CDK for an easily scalable, high availability architecture. The detailed structure encompasses several pillars: Compute, Storage, Database, Cache, CDN, DNS, Security, and Backup.

Read full post