
New pattern submission - Invoke Private API Custom Domain from Eventbridge Schedule #2557


Open
sahilk225579 opened this issue Dec 21, 2024 · 4 comments

Comments

@sahilk225579
Contributor

To submit a template to the Serverless Patterns Collection, submit an issue with the following information.

IMPORTANT
Patterns are intended to be primarily IaC-focused implementations of 2-4 AWS services, with minimum custom code. They should be commonly used combinations that help developers get started quickly. If you have a utility, demo, or application, submit these to the Serverless Repos Collection instead.

ONLY SUBMIT ONE PATTERN CHANGE PER PR. Multiple patterns or files spanning multiple pattern directories will be automatically rejected.

Patterns may take up to 4-6 weeks to review, test, and merge but there is no SLA and can take significantly longer due to other work the team has.

To learn more about submitting a pattern, read the publishing guidelines page.

  1. Use the model template located at https://github.com/aws-samples/serverless-patterns/tree/main/_pattern-model to set up a README, template and any associated code.

  2. THIS PROCESS HAS BEEN SIMPLIFIED. All the information below must be provided in the "example-pattern.json" file cloned from the model.

Note the following information for the model:

Architecture
eventbridge-apigw

  • Description (intro.text) should be a 300-500 word explanation of how the pattern works.

This serverless pattern demonstrates how to securely invoke a private API with a custom domain from an Amazon EventBridge schedule. In this architecture, an EventBridge schedule triggers an EventBridge API destination, where we configure the invocation URL and the connection ARN of the EventBridge connection.

Using an EventBridge connection, we can now create connections to private APIs to access resources in VPCs. This setup ensures that the API remains inaccessible from the public internet while still allowing scheduled, automated interactions.

The solution leverages the AWS Serverless Application Model (SAM) to streamline deployment and configuration of these resources, making it easy to implement this secure, scalable solution.

  • Resources should link to AWS documentation and AWS blogs related to the post (1-5 maximum).

AWS What's New post - https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-eventbridge-step-functions-integration-private-apis/
Securely share AWS resources across VPC and account boundaries with PrivateLink, VPC Lattice, EventBridge, and Step Functions - https://aws.amazon.com/blogs/aws/securely-share-aws-resources-across-vpc-and-account-boundaries-with-privatelink-vpc-lattice-eventbridge-and-step-functions/
Custom domain names for private APIs in API Gateway - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-custom-domains.html
Amazon VPC Lattice - https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html

  • Author bio may include a LinkedIn and/or Twitter reference and a 1-sentence bio.

Name: Sahil Kapoor
Photo URL: https://media.licdn.com/dms/image/v2/D5603AQHTVptga3RxcA/profile-displayphoto-shrink_800_800/B56ZO3ZfseHoAc-/0/1733948735068?e=1739404800&v=beta&t=FX6MFZ2JFH17KQc89u4gY6tQXGoMJLiLkB2qT3MtV2g
Twitter handle: n/a
LinkedIn: https://www.linkedin.com/in/sahil-kapoor-503391a7/
Description (up to 255 chars): I am a Cloud Support Engineer at AWS

You must ensure that the sections of the model README.md are completed in full.

GitHub PR for template:

#2556
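The EventBridge side of the architecture described in the submission above, written out as an added CloudFormation example. It is not the pattern's own template from the linked PR and was not posted by anyone in this thread. It assumes that the "EventBridge Schedule" is an EventBridge rule with a schedule expression, and that the private custom domain is reached through a VPC Lattice resource gateway and resource configuration bound to the connection's InvocationConnectivityParameters (the mechanism behind the December 2024 launch linked above). Every parameter value and name (domain, stage, path, API key header, VPC, subnets, CIDR) is an assumption, and the VpcLattice and Events property names should be checked against the current CloudFormation reference before deploying.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - scheduled EventBridge rule invoking a private API custom domain via an API destination

Parameters:
  PrivateDomainName:
    Type: String                 # assumed, e.g. api.example.com; must be covered by the API's certificate
  ApiKeyValue:
    Type: String
    NoEcho: true                 # assumed API key; EventBridge keeps it in Secrets Manager, not in the template
  VpcId:
    Type: AWS::EC2::VPC::Id      # VPC that holds the execute-api endpoint of the private API
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  VpcCidr:
    Type: String                 # assumed, e.g. 10.0.0.0/16; restricts where the gateway may connect

Resources:
  # Egress-only group: the resource gateway may reach port 443 inside the VPC and nothing else.
  ResourceGatewaySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: VPC Lattice resource gateway egress to the private API endpoint
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr}

  # The gateway is EventBridge's foothold in the VPC. The custom domain is resolved from
  # this VPC, so the DNS record for it must be visible here (the thread's Route 53 step).
  ResourceGateway:
    Type: AWS::VpcLattice::ResourceGateway
    Properties:
      Name: private-api-gateway
      VpcIdentifier: !Ref VpcId
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds: [!Ref ResourceGatewaySecurityGroup]

  PrivateApiResourceConfiguration:
    Type: AWS::VpcLattice::ResourceConfiguration
    Properties:
      Name: private-api-domain
      ResourceConfigurationType: SINGLE
      ResourceGatewayId: !GetAtt ResourceGateway.Id
      ProtocolType: TCP
      PortRanges: ['443']
      ResourceConfigurationDefinition:
        DnsResource:
          DomainName: !Ref PrivateDomainName
          IpAddressType: IPV4

  # Binding the connection to the resource configuration is what makes the destination
  # invoke through the VPC instead of over the public internet.
  PrivateApiConnection:
    Type: AWS::Events::Connection
    Properties:
      Name: private-api-connection
      AuthorizationType: API_KEY
      AuthParameters:
        ApiKeyAuthParameters:
          ApiKeyName: x-api-key
          ApiKeyValue: !Ref ApiKeyValue
      InvocationConnectivityParameters:
        ResourceParameters:
          ResourceConfigurationArn: !GetAtt PrivateApiResourceConfiguration.Arn

  PrivateApiDestination:
    Type: AWS::Events::ApiDestination
    Properties:
      Name: private-api-destination
      ConnectionArn: !GetAtt PrivateApiConnection.Arn
      HttpMethod: POST
      InvocationEndpoint: !Sub https://${PrivateDomainName}/prod/jobs   # stage and path are assumed
      InvocationRateLimitPerSecond: 10

  # Least privilege: the rule's role may invoke this one destination and nothing else.
  InvokeDestinationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - {Effect: Allow, Principal: {Service: events.amazonaws.com}, Action: sts:AssumeRole}
      Policies:
        - PolicyName: invoke-private-api-destination
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: events:InvokeApiDestination
                Resource: !GetAtt PrivateApiDestination.Arn

  # "EventBridge Schedule" realized as a rule with a schedule expression (assumption).
  ScheduledRule:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: rate(5 minutes)
      State: ENABLED
      Targets:
        - Id: private-api-destination
          Arn: !GetAtt PrivateApiDestination.Arn
          RoleArn: !GetAtt InvokeDestinationRole.Arn
          Input: '{"source": "eventbridge-schedule"}'
```

The rule's role is scoped to events:InvokeApiDestination on this single destination, and the API key never appears in stack output: EventBridge stores connection credentials in Secrets Manager. The private REST API, its custom domain and the DNS record that makes the domain resolvable from the gateway's VPC are not part of this fragment.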

@shazhumao

This pattern is not working, and we confirmed this with the AWS support team.
EventBridge API destinations currently only support public domain names with publicly trusted certificates for HTTPS endpoints when using private APIs. API destinations do not support mutual TLS (mTLS).
@sahilk225579

@sahilk225579
Contributor Author

Hi @shazhumao, AWS has recently introduced support for private integration using EventBridge API destinations. Please refer to this launch post - https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-eventbridge-step-functions-integration-private-apis/

This repo and issue are for invoking private APIs from EventBridge without mTLS.

@shazhumao

shazhumao commented Mar 11, 2025

@sahilk225579 Yes, we have already used private API integration using EventBridge API destinations. We confirmed with the AWS support team that this solution is not working for a custom domain name, only with the AWS endpoint URL of the private API. Check the notes at https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-api-destinations.html: they only support public domain names with publicly trusted certificates, but the AWS private API does not support public domain names, as stated here https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-custom-domains.html
"You can't map a public API to a private custom domain name, and you can't map a private API to a public custom domain name."

@sahilk225579
Contributor Author

@shazhumao, agreed. For this solution I have already mentioned this step in the README (point 6), which is a small workaround required for this setup.

Important Note: Once the stack is deployed, create an 'A' record in your public Route 53 hosted zone for the 'DomainName' with the below target:

a) Target type - Alias
b) Choose endpoint - Alias to VPC Endpoint
c) Choose region - select your AWS region
d) Choose endpoint - select the VPC endpoint which is attached to your private REST API, e.g. vpce-1123444556666-avx567.execute-api..vpce.amazonaws.com

Detailed blog - in this detailed blog's setup, while creating a Route 53 record, it is also mentioned: "I am using a public hosted zone in this example. We are already working on support for private hosted zones."
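The API Gateway and DNS side of the workaround discussed in the comments above (the README's step 6), as an added CloudFormation example that is not part of the pattern, the linked PR, or any comment in this thread. It assumes the private REST API sits behind an execute-api interface endpoint, that the private custom domain is bound to that endpoint through a domain name access association, and that the A record goes into a public hosted zone exactly as the thread says. The domain, certificate, zone, VPC, subnets and CIDR are placeholders, and the DomainNameV2 and DomainNameAccessAssociation property names should be verified against the current CloudFormation reference. The API's resources, methods, deployment, stage and base path mapping are left out.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - private REST API, private custom domain on an execute-api VPC endpoint, public-zone alias record

Parameters:
  PrivateDomainName:
    Type: String                       # assumed, e.g. api.example.com; a name inside the public hosted zone below
  CertificateArn:
    Type: String                       # ACM certificate from a publicly trusted CA; API destinations reject private CAs
  PublicHostedZoneId:
    Type: AWS::Route53::HostedZone::Id # the PUBLIC zone, as the thread's step 6 requires
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  VpcCidr:
    Type: String                       # assumed, e.g. 10.0.0.0/16

Resources:
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the execute-api endpoint from inside the VPC only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr}

  # Interface endpoint with private IPs in the VPC. It is the alias target of the public
  # DNS record, so that record resolves to addresses reachable only from inside the VPC.
  ExecuteApiVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      VpcEndpointType: Interface
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: false         # the custom domain, not execute-api.*, is the name in use (assumption)

  # Private APIs require a resource policy. Restricting it to this endpoint is what keeps
  # the API off the internet; the public DNS record alone grants nobody access.
  PrivateApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: private-api
      EndpointConfiguration:
        Types: [PRIVATE]
        VpcEndpointIds: [!Ref ExecuteApiVpcEndpoint]
      Policy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringEquals:
                aws:SourceVpce: !Ref ExecuteApiVpcEndpoint

  # Private custom domain name, bound to the same endpoint through an access association.
  PrivateApiDomain:
    Type: AWS::ApiGateway::DomainNameV2
    Properties:
      DomainName: !Ref PrivateDomainName
      CertificateArn: !Ref CertificateArn
      EndpointConfiguration:
        Types: [PRIVATE]
      SecurityPolicy: TLS_1_2

  DomainAccessAssociation:
    Type: AWS::ApiGateway::DomainNameAccessAssociation
    Properties:
      DomainNameArn: !GetAtt PrivateApiDomain.DomainNameArn
      AccessAssociationSource: !Ref ExecuteApiVpcEndpoint
      AccessAssociationSourceType: VPCE

  # The thread's step 6: an A alias record in the PUBLIC zone pointing at the endpoint.
  # DnsEntries are "<hostedZoneId>:<dnsName>" strings; the first entry is the regional name.
  PrivateApiAliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref PublicHostedZoneId
      Name: !Ref PrivateDomainName
      Type: A
      AliasTarget:
        HostedZoneId: !Select [0, !Split [':', !Select [0, !GetAtt ExecuteApiVpcEndpoint.DnsEntries]]]
        DNSName: !Select [1, !Split [':', !Select [0, !GetAtt ExecuteApiVpcEndpoint.DnsEntries]]]
        EvaluateTargetHealth: false
```

Two things are worth checking after deploying. First, the alias record in the public zone resolves to the endpoint's private IP addresses, so it exposes a hostname and private addresses but nothing reachable from the internet; the resource policy's aws:SourceVpce condition is what actually keeps the API private. Second, the certificate must come from a publicly trusted CA and cover the domain name, since the thread notes that API destinations accept neither private CAs nor mTLS.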
