AWS Internal Endpoint

I have a worker service running on an EC2 instance which needs to be triggered from my main application built using serverless and running in Lambdas. Initially I was going to use SQS to do this but the data could - in some cases - potentially be larger than the maximum size of an SQS message.

Therefore I’ve decided it could be better to create an endpoint for the worker service to hit when it receives an SQS trigger (any better suggestions appreciated).

The simple way to do this would be to use basic auth but I’d rather not do that.
Is there a way in the serverless framework to make my endpoint only visible to certain AWS resources?

Many Thanks,

You can create private API GWs, reference section “Configuring endpoint types”:

You’ll also need to define the VPC Endpoint you are using:

resources:
  Resources:
    # Private API GW: interface VPC endpoint for execute-api plus its security groups
    VPCEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        PrivateDnsEnabled: False
        SecurityGroupIds:
          - !GetAtt VpcEndpointSecurityGroup.GroupId
        ServiceName: 'com.amazonaws.us-east-1.execute-api'
        SubnetIds: ${file(./env/local/${opt:stage, self:provider.stage, 'arch'}/vpc.yml):subnetIds}
        VpcEndpointType: Interface
        VpcId: ${file(./env/local/${opt:stage, self:provider.stage, 'arch'}/vpc.yml):vpcId}
    # Allows HTTPS (443) to the endpoint from anywhere inside the VPC CIDR
    VpcEndpointSecurityGroup:
      Type: 'AWS::EC2::SecurityGroup'
      Properties:
        VpcId: ${file(./env/local/${opt:stage, self:provider.stage, 'arch'}/vpc.yml):vpcId}
        GroupDescription: 'Security group for VPC Endpoint'
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 443
            ToPort: 443
            CidrIp: ${self:custom.vpcCidr}
    # Security group for the VPC-attached Lambda functions (no ingress rules needed)
    VpcEndpointLambdaSecurityGroup:
      Type: 'AWS::EC2::SecurityGroup'
      Properties:
        VpcId: ${file(./env/local/${opt:stage, self:provider.stage, 'arch'}/vpc.yml):vpcId}
        GroupDescription: 'Security group for VPC Endpoint Lambda'
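The provider-side half that pairs with that VPC endpoint, as an added example rather than part of the reply above: it makes the API private and adds the resource policy a private API needs, allowing invocation only through our own endpoint. It assumes the VPCEndpoint logical ID from the resources block above, Serverless Framework v2+ key names (provider.apiGateway.resourcePolicy), and that the framework passes the !Ref intrinsic through to CloudFormation.

```yaml
# Added example: provider section for a PRIVATE API Gateway locked to one VPC endpoint.
# Assumes the VPCEndpoint resource from the reply above and Serverless Framework v2+ keys.
provider:
  name: aws
  region: us-east-1
  # PRIVATE endpoints are reachable only through an execute-api interface VPC endpoint.
  endpointType: PRIVATE
  vpcEndpointIds:
    - !Ref VPCEndpoint   # assumption: intrinsic is passed through; otherwise paste the vpce-... id
  apiGateway:
    # A private API with no resource policy rejects every request, so one is mandatory.
    # Allow invocation only via our endpoint and explicitly deny every other source.
    resourcePolicy:
      - Effect: Allow
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*
        Condition:
          StringEquals:
            aws:SourceVpce: !Ref VPCEndpoint
      - Effect: Deny
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*
        Condition:
          StringNotEquals:
            aws:SourceVpce: !Ref VPCEndpoint

functions:
  # Hypothetical function name and handler; the endpoint the EC2 worker calls
  workerTrigger:
    handler: handler.trigger
    events:
      - http:
          path: trigger
          method: post
```

Because the reply sets PrivateDnsEnabled: False, the EC2 worker must call the endpoint-specific hostname (https://{api-id}-{vpce-id}.execute-api.us-east-1.amazonaws.com/{stage}/trigger) or send the regular API hostname in a Host header. Changing the endpoint security group's ingress from CidrIp: ${self:custom.vpcCidr} to SourceSecurityGroupId of the worker instance's security group narrows reachability from the whole VPC to that one instance.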