I have a Lambda function within a VPC that rotates an RDS password. When I test the Lambda function with a Secrets Manager VPC endpoint, I get the following:

  • Case 1. Lambda in public subnet - VPC endpoint attached to public subnet => Rotation is OK
  • Case 2. Lambda in private subnet - VPC endpoint attached to public subnet => Rotation is OK, although CloudWatch shows one error.
  • Case 3. Lambda in public subnet - VPC endpoint attached to private subnet => Rotation fails because the Lambda function times out
  • Case 4. Lambda in private subnet - VPC endpoint attached to private subnet => Rotation is OK

I know I should not put the Lambda function into a public subnet, but I want to know how a Lambda function within a subnet works with a VPC endpoint.

Can anyone explain why Case 2 is OK although the Lambda and the VPC endpoint are in different subnets?

Hung

1 Answer

"why Case 2 is OK"

VPC interface endpoints have VPC scope, not subnet scope. This explains why cases 2, 1 and 4 work. Because of that, case 3 should also work. Thus the question is why case 3 did not work.

Possible reasons are that in your tests you made some configuration mistake (wrong security group, for example), put the Lambda in the wrong VPC, or did not enable Private DNS for the endpoint. Thus I would recommend double-checking all the configurations for Case 3 and re-running the experiment.

Marcin
You are right. In Case 3, the request from the Lambda in the public subnet goes: Lambda SG outbound -> public subnet's NACL outbound -> private subnet's NACL inbound (my problem occurs here because I didn't add HTTPS 443 from the source CIDR of my VPC) -> ENI attached to the VPC endpoint. Thank you. – Hung Apr 11 '21 at 15:43
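The hop-by-hop walk in the comment above is exactly what a stateless NACL check has to cover, and it is easy to get wrong because the reply traffic on ephemeral ports is evaluated separately from the TCP/443 request. The following is an added example, not code from the thread or from AWS: an offline model of the four NACL decisions a Lambda-to-endpoint HTTPS call must pass, using the same first-match-by-rule-number semantics AWS NACLs apply (implicit `*` rule denies). The CIDRs, ENI addresses and rule numbers are constructed; the "broken" private-subnet NACL only allows 3306 inbound, reproducing the Case 3 symptom, and the "fixed" variant adds 443 from the VPC CIDR.

```python
"""Offline NACL walk for a Lambda -> interface-endpoint TCP/443 call.

Constructed example: models the stateless NACL checks in both directions.
Rules are evaluated by ascending number, first match wins, otherwise deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Return traffic from the endpoint ENI lands on the client's ephemeral port.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int      # lower numbers are evaluated first
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(ip) in ip_network(self.cidr)


def nacl_decision(rules: List[NaclRule], protocol: str, port: int, ip: str) -> str:
    """First matching rule by ascending number wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, ip):
            return rule.action
    return "deny"


@dataclass(frozen=True)
class SubnetNacl:
    name: str
    inbound: List[NaclRule]
    outbound: List[NaclRule]


def https_path_failures(client: SubnetNacl, client_ip: str,
                        endpoint: SubnetNacl, endpoint_ip: str) -> List[str]:
    """Return the NACL hops that would drop a TCP/443 request or its reply.

    NACLs are stateless, so the reply on an ephemeral port is checked
    separately from the request; all hops must allow for the call to succeed.
    """
    failures: List[str] = []
    if nacl_decision(client.outbound, "tcp", 443, endpoint_ip) != "allow":
        failures.append(f"{client.name} outbound: tcp/443 to {endpoint_ip} denied")
    if nacl_decision(endpoint.inbound, "tcp", 443, client_ip) != "allow":
        failures.append(f"{endpoint.name} inbound: tcp/443 from {client_ip} denied")
    for port in EPHEMERAL:  # both ends of the return-port range must be open
        if nacl_decision(endpoint.outbound, "tcp", port, client_ip) != "allow":
            failures.append(f"{endpoint.name} outbound: tcp/{port} to {client_ip} denied")
        if nacl_decision(client.inbound, "tcp", port, endpoint_ip) != "allow":
            failures.append(f"{client.name} inbound: tcp/{port} from {endpoint_ip} denied")
    return failures


# Constructed topology (not the asker's real values).
ALLOW_ALL = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]
VPC_CIDR = "10.0.0.0/16"
LAMBDA_IP = "10.0.1.25"     # Lambda ENI in the public subnet
ENDPOINT_IP = "10.0.2.40"   # Secrets Manager endpoint ENI in the private subnet

PUBLIC_SUBNET = SubnetNacl("public subnet NACL", inbound=ALLOW_ALL, outbound=ALLOW_ALL)


def private_subnet_nacl(with_https: bool) -> SubnetNacl:
    """Constructed private-subnet NACL: only 3306 inbound unless the 443 rule is added."""
    inbound = [NaclRule(100, "tcp", 3306, 3306, VPC_CIDR, "allow")]
    if with_https:
        inbound.append(NaclRule(110, "tcp", 443, 443, VPC_CIDR, "allow"))
    return SubnetNacl("private subnet NACL", inbound=inbound, outbound=ALLOW_ALL)


def case3_failures(with_https: bool) -> List[str]:
    """Case 3 from the question: Lambda in the public subnet, endpoint in the private one."""
    return https_path_failures(PUBLIC_SUBNET, LAMBDA_IP,
                               private_subnet_nacl(with_https), ENDPOINT_IP)


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "broken"
        print(label, case3_failures(fixed) or "all hops allow")
```

The broken variant reports only the private subnet's inbound hop, matching the comment's diagnosis; the outbound allow-all rule already covers the ephemeral-port reply. Replace the constructed rule lists with the ones returned by `describe-network-acls` for your own subnets to run the same walk against real configuration.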