Lambda Networking – Default vs. VPC

Default Deployment Behavior

  • By default, a Lambda function runs in an AWS-owned VPC (not in your account’s VPC).
  • It has public internet access but no access to private VPC resources, such as:
    • RDS or Aurora in private subnets
    • ElastiCache
    • Internal Load Balancers
    • Any service restricted to private subnets
  • Outbound requests to public APIs or internet-hosted services work without extra configuration.

To access private resources, you must connect Lambda to your VPC.

Lambda in a VPC

Configuration

When attaching Lambda to your VPC, you must provide:
  • VPC ID
  • Subnet IDs (at least one)
  • Security Group IDs (at least one)

How It Works

  • Lambda creates Elastic Network Interfaces (ENIs) in the specified subnets.
  • ENIs handle communication between the Lambda function and VPC resources.
  • Once attached, all of the function’s traffic leaves through those ENIs, so outbound internet access then depends on the subnets’ route tables (e.g. a NAT gateway or VPC endpoints), not on the default public access described above.

Example

  • Lambda can connect to an RDS instance in the same VPC if:
    • Lambda’s security group allows outbound traffic.
    • RDS’s security group allows inbound traffic from Lambda’s security group.
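The two conditions above can be checked mechanically. The following is an added example, not code from the original notes: it evaluates a function’s VpcConfig and the two security groups against data shaped like the boto3 `get_function_configuration()["VpcConfig"]` and `describe_security_groups()` responses, using constructed placeholder IDs and rules so it runs offline.

```python
# Added example (not from the original notes): evaluates the two security-group
# conditions above against data shaped like boto3's get_function_configuration()
# ["VpcConfig"] and describe_security_groups(). IDs and rules below are constructed
# placeholders so the check runs offline; feed it real API output to audit an account.

def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry spans the given TCP port ("-1" = all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _rule_peers(rule: dict) -> set:
    """Peers a rule names: referenced security-group IDs plus CIDR ranges."""
    return {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])} | {
        r["CidrIp"] for r in rule.get("IpRanges", [])}

def lambda_can_reach_rds(vpc_config: dict, sgs: dict, rds_sg_id: str, port: int = 3306) -> list:
    """Return a list of problems; an empty list means both conditions are satisfied."""
    if not vpc_config.get("SubnetIds") or not vpc_config.get("SecurityGroupIds"):
        return ["function is not attached to the VPC (needs subnets and security groups)"]
    problems = []
    rds_ingress = sgs[rds_sg_id]["IpPermissions"]
    for sg_id in vpc_config["SecurityGroupIds"]:
        # Condition 1: Lambda's SG allows outbound traffic to the DB port (to RDS SG or anywhere).
        if not any(_rule_covers_port(r, port) and _rule_peers(r) & {rds_sg_id, "0.0.0.0/0"}
                   for r in sgs[sg_id]["IpPermissionsEgress"]):
            problems.append(f"{sg_id}: no egress rule allowing tcp/{port} toward {rds_sg_id}")
        # Condition 2: RDS's SG allows inbound from Lambda's SG by group ID (ENI IPs are dynamic).
        if not any(_rule_covers_port(r, port) and sg_id in _rule_peers(r) for r in rds_ingress):
            problems.append(f"{rds_sg_id}: no ingress rule allowing tcp/{port} from {sg_id}")
    return problems

# Constructed sample: Lambda SG keeps the default allow-all egress; RDS SG admits
# MySQL (3306) only from the Lambda SG. Subnet/SG IDs are placeholders.
VPC_CONFIG = {"SubnetIds": ["subnet-PLACEHOLDER"], "SecurityGroupIds": ["sg-lambda"]}
SECURITY_GROUPS = {
    "sg-lambda": {"IpPermissions": [], "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    "sg-rds": {"IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]},
}
```

Referencing the Lambda security group by ID in the RDS ingress rule (rather than a CIDR) is what keeps the rule valid as Lambda’s ENI addresses change.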