

# Connecting to private APIs in EventBridge
<a name="connection-private"></a>

You can create connections to private HTTPS endpoints, to provide secure point-to-point network access to resources in VPCs or on-premises without having to traverse the public internet. For example, you can create a connection to access an HTTPS-based application behind an Amazon Elastic Load Balancer. 

EventBridge creates connections to private HTTPS endpoints by utilizing *resource configurations* created in VPC Lattice. A resource configuration is a logical object that identifies the resource and specifies how and who can access it. To create a connection to a private API in EventBridge, you specify the resource configuration for the private API. For more information, see [Resource configuration in VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

EventBridge then creates a *resource association* that enables EventBridge to access the private API. For more information, see [Manage resource associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-config-associations) in the *Amazon VPC Lattice User Guide*.

While EventBridge manages the resource association, it creates the association using your credentials, so you retain visibility into the resource association operation.

![EventBridge and Step Functions use connections as authorization configurations for HTTPS endpoints.](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/connections-private-destination_eventbridge_conceptual.svg)

You can create connections that access private APIs in other AWS accounts. For more information, see [Cross-account private APIs](connection-private-cross-region.md).

# Connecting to private APIs in other AWS accounts
<a name="connection-private-cross-region"></a>

EventBridge supports connections to private APIs across accounts in the same Region. 

To create a connection to a private API in another AWS account, the owner of that account must first share a VPC Lattice resource configuration for that private API with you. They do this by sharing the resource with you in AWS Resource Access Manager (AWS RAM). AWS RAM enables secure sharing of resources across AWS accounts and within organizational units (OUs), and integrates with AWS Identity and Access Management roles and users. Once you've accepted the resource share in AWS RAM, you can specify the shared VPC Lattice resource configuration when creating a connection.

For more information on AWS RAM, see the following topics in the *AWS Resource Access Manager User Guide*:
+ [Benefits of AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html#what-is-features)
+ [How resource sharing works](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html#what-is-how)
+ [Access AWS resources shared with you](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared-invitations.html)

EventBridge does not support connections to private APIs across Regions. However, to target a private API in a different Region from your event bus, you can:

1. Define an event bus rule that targets a second event bus that does reside in the same Region as the desired private API.

1. Create a connection for the second event bus to target the private API.

For more information, see [Sending and receiving events between AWS Regions in Amazon EventBridge](eb-cross-region.md).

## Permissions for connecting to private APIs
<a name="connection-private-permissions"></a>

The following policy example includes the minimal necessary permissions for creating a connection to a private API.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetResourceConfiguration",
                "vpc-lattice:AssociateViaAWSService-EventsAndStates",
                "events:CreateConnection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

The following policy example includes the minimal necessary permissions for updating a connection to a private API.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetResourceConfiguration",
                "vpc-lattice:AssociateViaAWSService-EventsAndStates",
                "events:UpdateConnection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

## Monitoring creation of connections to private APIs
<a name="connection-private-monitoring-create"></a>

When you create a connection to a private API, the following logs are generated: 

In the account in which the connection was created, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociation` event. 

In this log, `sourceIPAddress`, `userAgent`, and `serviceNetworkIdentifier` are set to the EventBridge service principal, `events.amazonaws.com`. 

```json
{
  "eventTime": "2024-11-21T00:00:00Z",
  "eventSource": "vpc-lattice.amazonaws.com",
  "eventName": "CreateServiceNetworkResourceAssociation",
  "awsRegion": "region",
  "sourceIPAddress": "events.amazonaws.com",
  "userAgent": "events.amazonaws.com",
  "requestParameters": {
    "x-amzn-vpc-lattice-association-source-arn": "***",
    "x-amzn-vpc-lattice-service-network-identifier": "***",
    "clientToken": "token",
    "serviceNetworkIdentifier": "events.amazonaws.com",
    "resourceConfigurationIdentifier": "arn:partition:vpc-lattice:region:account-id:resourceconfiguration/resource-configuration-id",
    "tags": {
      "ManagedByServiceAWSEventBridge": "account-id:connection-name"
    }
  }
}
```

In the account that contains the private API, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociationBySharee` event.

This log includes:
+ `callerAccountId`: The AWS account in which the connection was created.
+ `accountId`: The AWS account that contains the private API.
+ `ARN`: The ARN of the VPC Lattice resource configuration for the private API (shown as `resource-configuration-arn` in the example below).

```
{
  "eventTime": "2024-11-21T06:31:42Z",
  "eventSource": "vpc-lattice.amazonaws.com",
  "eventName": "CreateServiceNetworkResourceAssociationBySharee",
  "awsRegion": "region",
  "sourceIPAddress": "vpc-lattice.amazonaws.com",
  "userAgent": "user-agent",
  "additionalEventData": {
      "callerAccountId": "consumer-account-id"
  },
  "resources": [
      {
          "accountId": "provider-account-id",
          "type": "AWS::VpcLattice::ServiceNetworkResourceAssociation",
          "ARN": "resource-configuration-arn"
      }
  ]
}
```

In the case of cross-account connections to private APIs, the account containing the connection will not receive AWS CloudTrail or VPC Lattice logs for the invocation of the private API.
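The following Python is an added example, not part of the AWS documentation: it triages constructed copies of the two CloudTrail records shown above. In the consumer account it confirms the association was created by the EventBridge service principal and carries a tag for a connection you expect to own; in the provider account it flags any `callerAccountId` that is not an account you deliberately shared the resource configuration with. Account ids, ARNs and the connection name are placeholders.

```python
# Added example; not part of the AWS documentation. Triage the two CloudTrail
# records a private-API connection generates. Records are constructed to
# mirror the samples above; account ids, ARNs and names are placeholders.
EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"

CONSUMER_RECORD = {  # seen in the account that owns the connection
    "eventName": "CreateServiceNetworkResourceAssociation",
    "sourceIPAddress": "events.amazonaws.com",
    "userAgent": "events.amazonaws.com",
    "requestParameters": {
        "serviceNetworkIdentifier": "events.amazonaws.com",
        "resourceConfigurationIdentifier":
            "arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-example",
        "tags": {"ManagedByServiceAWSEventBridge": "222222222222:orders-api-conn"},
    },
}
PROVIDER_RECORD = {  # seen in the account that owns the private API
    "eventName": "CreateServiceNetworkResourceAssociationBySharee",
    "additionalEventData": {"callerAccountId": "333333333333"},
    "resources": [{"accountId": "111111111111",
                   "type": "AWS::VpcLattice::ServiceNetworkResourceAssociation",
                   "ARN": "arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-example"}],
}

def check_consumer_event(rec, known_connections):
    """Consumer view: the association must come from the EventBridge service
    principal and be tagged with a connection this account expects to own."""
    findings = []
    for field in ("sourceIPAddress", "userAgent"):
        if rec.get(field) != EVENTBRIDGE_PRINCIPAL:
            findings.append(f"{field} is {rec.get(field)!r}, not the EventBridge principal")
    params = rec.get("requestParameters", {})
    if params.get("serviceNetworkIdentifier") != EVENTBRIDGE_PRINCIPAL:
        findings.append("service network is not the EventBridge-owned network")
    tag = params.get("tags", {}).get("ManagedByServiceAWSEventBridge", "")
    if tag not in known_connections:
        findings.append(f"association tag {tag!r} matches no known connection")
    return findings

def check_provider_event(rec, allowed_consumers):
    """Provider view: only accounts you deliberately shared the resource
    configuration with should ever appear as callerAccountId."""
    caller = rec.get("additionalEventData", {}).get("callerAccountId")
    if caller in allowed_consumers:
        return []
    arns = [r.get("ARN") for r in rec.get("resources", [])]
    return [f"unexpected consumer {caller} associated with {arns}"]
```

Feed real records from a CloudTrail query into the same two functions; an empty list means the association matches what you expect.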

## Managing service network resource associations for connections
<a name="connection-private-snra"></a>

When you specify the VPC Lattice resource configuration for the private API to which you want to connect, EventBridge enables the connection by creating a resource association between the VPC Lattice resource configuration and a VPC Lattice service network owned by the EventBridge service. While EventBridge manages the resource association, it creates the association using your credentials, so you retain visibility into the resource association. This means you can list and describe the resource associations.

Use [describe-connection](https://docs.aws.amazon.com/cli/latest/reference/events/describe-connection.html) to return a connection description that includes the Amazon Resource Names (ARNs) of the resource configuration and resource association.

You cannot delete resource associations created by EventBridge. If you delete a connection, EventBridge deletes any corresponding resource associations.

For more information, see [Manage resource associations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html#service-network-resource-config-associations) in the *Amazon VPC Lattice User Guide*.

## Connecting to on-premises private APIs
<a name="connection-private-on-prem"></a>

Using access to VPC resources through AWS PrivateLink and VPC Lattice, you can connect to on-premises private APIs. To do so, you must configure a network route between your VPC and your on-premises environment. For example, you can use [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) or [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) to establish such a route.

# Provider considerations for cross-account connections in EventBridge
<a name="connection-private-rc-provider"></a>

To create a connection to a private API in another AWS account, the owner of that account must share a VPC Lattice resource configuration for the private API with you. A resource configuration is a logical object that identifies the API and specifies how and who can access it. The *provider* account, that is, the account that shares the VPC Lattice resource configuration for the private API with another account, shares it using AWS RAM.

If your account is the provider of a VPC Lattice resource configuration, keep the following considerations in mind:

## Resource policy for resource configurations for cross-account private APIs
<a name="connection-private-rc-provider-policy"></a>

By default, creating an AWS RAM resource share includes the necessary share policy, `AWSRAMPermissionVpcLatticeResourceConfiguration`. If you create a customer managed permission policy, you must include the necessary permissions.

The following policy example provides the minimum necessary permissions for EventBridge to create the resource association necessary for a connection to a private API.
+ `vpc-lattice:GetResourceConfiguration` allows EventBridge to retrieve the Amazon VPC Lattice resource configuration you specify.
+ `vpc-lattice:CreateServiceNetworkResourceAssociation` allows EventBridge to create the resource association from the VPC Lattice resource configuration you specify.
+ `vpc-lattice:AssociateViaAWSService-EventsAndStates` allows EventBridge to create a resource association to a VPC Lattice service network owned by the service.

```json
{
    "Effect": "Allow",
    "Action": [
        "vpc-lattice:CreateServiceNetworkResourceAssociation",
        "vpc-lattice:GetResourceConfiguration",
        "vpc-lattice:AssociateViaAWSService-EventsAndStates"
    ]
}
```

For more information, see [Managing permissions in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-ram-permissions.html) in the *AWS Resource Access Manager User Guide*.

## Provider monitoring of connection creation
<a name="connection-private-provider-monitor"></a>

When another account creates an EventBridge connection using a VPC Lattice resource configuration you have shared, AWS CloudTrail logs a `CreateServiceNetworkResourceAssociationBySharee` event. For more information, see [Monitoring connection creation](connection-private.md#connection-private-monitoring-create).

## Configuring security groups for access to private APIs
<a name="connection-private-provider-security"></a>

With VPC Lattice, you can create and assign security groups to enforce additional network-level security protections for your target API and resource gateway. For EventBridge and Step Functions to access your private API successfully, the security groups on the target API and resource gateway must be configured correctly. If they are not, the services return "Connection Timed Out" errors when attempting to call your API.

For your target API, your security group must be configured to allow all inbound TCP traffic on port 443 from the security group for your resource gateway.

For your resource gateway, your security group must be configured to allow the following:
+ All inbound IPv6 TCP traffic across all ports from the ::/0 IPv6 CIDR range.
+ All inbound IPv4 TCP traffic across all ports from the 0.0.0.0/0 IPv4 CIDR range.
+ All outbound TCP traffic on port 443 to the security group used by your target resource, for the IP protocol your target API accepts (IPv4 or IPv6).

For more information, see the following topics in the *Amazon VPC Lattice User Guide*:
+ [Control traffic in VPC Lattice using security groups](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html)
+ [Resource gateway in VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateway.html)
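The following Python is an added example, not part of the AWS documentation: it audits a target API security group and a resource gateway security group against the rules listed above, with a misconfigured gateway group (missing the outbound rule) beside the corrected one. Rules are expressed in the EC2 `IpPermissions` shape; the group ids are constructed placeholders.

```python
# Added example; not part of the AWS documentation. Audit the two security
# groups against the rules listed above. Rules use the EC2 IpPermissions
# shape; group ids are constructed placeholders.
ALL_TCP = (0, 65535)  # EC2 expresses "all ports" for TCP as 0-65535

def _has_rule(rules, port_range, *, group=None, cidr=None, cidr6=None):
    """True if some TCP (or all-protocol) rule covers port_range for the peer."""
    lo, hi = port_range
    for r in rules:
        if r.get("IpProtocol") not in ("tcp", "-1"):
            continue
        rlo, rhi = (0, 65535) if r["IpProtocol"] == "-1" else (r["FromPort"], r["ToPort"])
        if not (rlo <= lo and hi <= rhi):
            continue
        if group and any(p.get("GroupId") == group for p in r.get("UserIdGroupPairs", [])):
            return True
        if cidr and any(p.get("CidrIp") == cidr for p in r.get("IpRanges", [])):
            return True
        if cidr6 and any(p.get("CidrIpv6") == cidr6 for p in r.get("Ipv6Ranges", [])):
            return True
    return False

def audit(target_sg, gateway_sg):
    """Return the requirements that are NOT met; an empty list means all good."""
    missing = []
    if not _has_rule(target_sg["IpPermissions"], (443, 443), group=gateway_sg["GroupId"]):
        missing.append("target: inbound TCP 443 from the resource gateway SG")
    gw_in = gateway_sg["IpPermissions"]
    if not _has_rule(gw_in, ALL_TCP, cidr6="::/0"):
        missing.append("gateway: inbound TCP on all ports from ::/0")
    if not _has_rule(gw_in, ALL_TCP, cidr="0.0.0.0/0"):
        missing.append("gateway: inbound TCP on all ports from 0.0.0.0/0")
    if not _has_rule(gateway_sg["IpPermissionsEgress"], (443, 443), group=target_sg["GroupId"]):
        missing.append("gateway: outbound TCP 443 to the target SG")
    return missing

# Constructed groups: GATEWAY_SG_WEAK lacks the egress rule to the target,
# which is the kind of gap that surfaces as "Connection Timed Out".
TARGET_SG = {"GroupId": "sg-target0001", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-gateway0001"}]}]}
GATEWAY_SG_WEAK = {"GroupId": "sg-gateway0001", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
GATEWAY_SG_FIXED = dict(GATEWAY_SG_WEAK, IpPermissionsEgress=[
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-target0001"}]}])
```

The same `audit` function accepts the `SecurityGroups` entries returned by the EC2 `DescribeSecurityGroups` API, so it can be run against live groups before you create the connection.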

# Creating connections to private APIs
<a name="connection-private-create"></a>

The following steps walk you through how to create a connection to a private API. For detailed instructions that include all configuration options for connections, including creating connections to public APIs, see [Creating connections](eb-target-connection-create.md).

## Define the connection
<a name="connection-private-create-define"></a>

The following steps walk you through how to create a connection to a private API endpoint. For instructions on creating connections to public APIs, see [Creating connections](eb-target-connection-create.md).

1. Open the [EventBridge console](https://console.aws.amazon.com/events).

1. In the left navigation pane, under **Integration**, choose **Connections**.

1. Choose **Create connection**.

1. On the **Create connection** page, enter a **Connection name** and **Description**.

## Configure the invocation endpoint
<a name="connection-private-create-invocation"></a>

Next, use the **Configure invocation** section to specify the HTTPS endpoint you want the connection to invoke.

1. For **API type**, choose **Private**.

1. Specify the Amazon VPC Lattice resource configuration to use to connect to the private API.

   Under **Private API**: 
   + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
   + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

     You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

## Configure the endpoint authorization
<a name="connection-private-create-auth"></a>

Lastly, specify the authorization settings to use to access the endpoint. 

EventBridge supports basic, OAuth client credentials, and API key authentication methods.

1. Under **Configure authorization**, choose **Custom configuration**.

1. For **Authorization type**, select the authorization method for the connection to use.

1. Specify the authorization configuration details for the authorization method you chose:
   + **Basic**

     Enter the **Username** and **Password** to use to authorize with the HTTPS endpoint.
   + **OAuth Client Credentials**

     1. For **OAuth authorization endpoint**, choose whether the endpoint to use for connection authorization is a public or private (VPC) endpoint.

        If you choose **Private**, specify the **Private OAuth endpoint resource configuration**:
        + To use an existing VPC Lattice resource configuration, choose a resource configuration from the drop-down menu.
        + To create a new VPC Lattice resource configuration, choose **New resource configuration**.

          You are taken to the Amazon VPC Lattice service console, where you can create a new configuration. For more information, see [Create a resource configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/create-resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

     1. Specify the following authorization information:
        + Authorization endpoint
        + HTTPS method
        + Client ID
        + Client secret

     1. Under **OAuth HTTP parameters**, add any additional parameters to include for authorization with the authorization endpoint. 

        To do so:
        + Select a **Parameter** from the drop-down list.
        + Enter a **Key** and **Value**.

        To include an additional parameter, choose **Add parameter**.
   + **API Key**

     Enter the **API key name** and associated **Value** to use for API Key authorization.

1. Under **Invocation Http Parameters**, add any additional parameters to include in the authorization request. 

   To add a parameter:

   1. Select a **Parameter** from the drop-down list.

   1. Enter a **Key** and **Value**.

   To include an additional parameter, choose **Add parameter**.

1. Choose **Create Connection**.
**Note**  
For connections to private endpoints, EventBridge creates the necessary resource association when it creates the connection. This can take up to 90 seconds.