
Question: If I add a VPC to the Lambda, does it lose access to AWS services like DynamoDB?

My Lambda needs to fetch from two HTTPS services (technically one is wss). As I understand Lambdas, they can't get to anything, even AWS services, unless given access. The Lambda was already able to access DynamoDB tables, but I wanted to give it the REST services as well. I read somewhere that the Lambda can't really connect almost anywhere without associating it with a VPC. To do that, I added an inline policy as described at "AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2".

The Lambda has a custom role which has AWS Policies:

AmazonS3FullAccess, AmazonAPIGatewayInvokeFullAccess, AmazonDynamoDBFullAccess, AWSLambdaBasicExecutionRole

plus an inline policy (literally from the SO link above):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
Woodsman

1 Answer


As long as you configure the Lambda to use a subnet in your VPC that has internet access, it will be able to reach DynamoDB just fine. I suggest you specify two subnets for high availability. If you use private subnets then you'll need to create NAT gateways so that they have internet access. Access to AWS services could get a bit more complex if you're using something like VPC endpoints, but if you're not using those in your VPC then it's not something you need to worry about.

Also, you really only need to use VPCs/subnets with your Lambda if it needs access to resources that reside within the VPC (such as an RDS cluster, or some API that is not publicly available). Otherwise, if you don't specify a VPC, your Lambda will have internet access by default.

  • I added the VPC because it was stalling when trying to do a REST request that normally takes 200-800ms, so I thought it was a timeout issue. Being Node, it's hard to tell if it's a network issue, or that classic Promise that never runs. By default though, an AWS Lambda can reach the outside world and a DynamoDB (within my account) without any network configuration? – Woodsman Nov 13 '22 at 04:46
  • Correct, a Lambda will have internet access without being associated with a VPC. Here is some documentation from AWS around the networking for Lambda https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html – Nov 13 '22 at 05:10
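The answer's rule of thumb (a subnet with an egress path, two subnets for availability, and VPC endpoints as the special case) can be turned into an offline check. One detail worth encoding: Lambda network interfaces are never assigned public IP addresses, so a subnet whose default route points at an internet gateway does not give the function internet access; only a NAT gateway route or a DynamoDB gateway endpoint on the subnet's route table does. The code below is an added example, not part of the question or answer, and models route tables and endpoints as simplified dataclasses; all identifiers (`subnet-pub-a`, `rtb-private`, `nat-0bbb`, `vpce-0ccc`, and so on) are constructed sample values, and `LambdaVpcConfig` mirrors only the subnet and security-group fields of the real VpcConfig.

```python
"""Added example: will a VPC-attached Lambda in the given subnets reach DynamoDB?

Simplified model of the relevant VPC objects. Rules encoded:
  * a 0.0.0.0/0 route to an internet gateway (igw-*) does NOT give a Lambda
    ENI internet access, because Lambda ENIs have no public IP;
  * a 0.0.0.0/0 route to a NAT gateway (nat-*) does;
  * a DynamoDB gateway endpoint associated with the subnet's route table
    reaches DynamoDB with no internet path at all.
All identifiers below are constructed, not real AWS resources.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RouteTable:
    rt_id: str
    routes: Dict[str, str]      # destination CIDR -> target id ("local", igw-*, nat-*)
    subnet_ids: List[str]       # subnets explicitly associated with this table


@dataclass
class GatewayEndpoint:
    vpce_id: str
    service: str                # e.g. "com.amazonaws.us-east-1.dynamodb"
    route_table_ids: List[str]  # route tables the endpoint is attached to


@dataclass
class LambdaVpcConfig:
    subnet_ids: List[str]
    security_group_ids: List[str]


def route_table_for(subnet_id: str, tables: List[RouteTable]) -> RouteTable:
    """Return the route table explicitly associated with the subnet."""
    for rt in tables:
        if subnet_id in rt.subnet_ids:
            return rt
    raise KeyError(f"no route table association for {subnet_id}")


def egress_kind(rt: RouteTable) -> str:
    """Classify the default route as 'nat', 'igw' or 'none'."""
    target = rt.routes.get("0.0.0.0/0", "")
    if target.startswith("nat-"):
        return "nat"
    if target.startswith("igw-"):
        return "igw"
    return "none"


def has_dynamodb_endpoint(rt: RouteTable, endpoints: List[GatewayEndpoint], region: str) -> bool:
    service = f"com.amazonaws.{region}.dynamodb"
    return any(e.service == service and rt.rt_id in e.route_table_ids for e in endpoints)


def dynamodb_reachability(subnet_id: str, tables: List[RouteTable],
                          endpoints: List[GatewayEndpoint], region: str) -> Tuple[bool, str]:
    """(reachable, reason) for a Lambda ENI placed in this subnet."""
    rt = route_table_for(subnet_id, tables)
    if has_dynamodb_endpoint(rt, endpoints, region):
        return True, "gateway endpoint"
    kind = egress_kind(rt)
    if kind == "nat":
        return True, "NAT gateway"
    if kind == "igw":
        return False, "internet gateway only (Lambda ENIs have no public IP)"
    return False, "no default route"


def assess(cfg: LambdaVpcConfig, tables: List[RouteTable],
           endpoints: List[GatewayEndpoint], region: str) -> Dict[str, object]:
    """Every configured subnet must pass: Lambda may place an ENI in any of them."""
    per_subnet = {s: dynamodb_reachability(s, tables, endpoints, region) for s in cfg.subnet_ids}
    issues = [f"{s}: {why}" for s, (ok, why) in per_subnet.items() if not ok]
    if len(cfg.subnet_ids) < 2:
        issues.append("only one subnet configured; use two in different AZs for availability")
    return {"per_subnet": per_subnet, "ok": not issues, "issues": issues}


# Constructed sample VPC: one public, one private-with-NAT, one isolated subnet
# that has a DynamoDB gateway endpoint on its route table.
REGION = "us-east-1"
ROUTE_TABLES = [
    RouteTable("rtb-public", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0aaa"}, ["subnet-pub-a"]),
    RouteTable("rtb-private", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0bbb"}, ["subnet-priv-a"]),
    RouteTable("rtb-isolated", {"10.0.0.0/16": "local"}, ["subnet-iso-b"]),
]
ENDPOINTS = [GatewayEndpoint("vpce-0ccc", "com.amazonaws.us-east-1.dynamodb", ["rtb-isolated"])]

if __name__ == "__main__":
    for cfg in (LambdaVpcConfig(["subnet-pub-a"], ["sg-0ddd"]),
                LambdaVpcConfig(["subnet-priv-a", "subnet-iso-b"], ["sg-0ddd"])):
        print(cfg.subnet_ids, assess(cfg, ROUTE_TABLES, ENDPOINTS, REGION))
```

Run stand-alone, the first configuration (a single public subnet) is reported as not OK for two reasons, while the private-plus-isolated pair passes because one subnet egresses through NAT and the other reaches DynamoDB through the gateway endpoint. The same shape of check can be fed from `describe-route-tables` and `describe-vpc-endpoints` output when auditing a real account.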