Simple scenario
It is common scenario when Lambda needs to write and read data from DynamoDB table. Simple use case for that could be serverless web application:
In this example we do not need to worry about connectivity between services as traffic goes via the Internet and is allowed by default. We just need to create a policy that allows access to a specific Amazon DynamoDB table and attach it to Lambda execution role.
Lambda inside VPC
What if our scenario is little bit more complicated? Let say that our Lambda function needs access also to some resources inside our VPC, for example RDS instance. In that case best option is to deploy Lambda inside VPC.
By default, Lambda runs your functions in a secure VPC (not yours, not accessible directly) with access to AWS services and the internet. When you connect a function to a VPC in your account, it does not have access to the Internet by default. Internet access from a private subnet requires traffic to be routed via, for example, NAT gateway in your public subnet. Now you can think, do I really need to go via the Internet to access other AWS service, such as DynamoDB and pay for outbound traffic? The answer is no – you should use VPC Endpoints!
VPC Endpoints
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring access to the Internet.
There are two types of VPC endpoints:
- Interface – creates ENI (Elastic Network Interface) within your VPC. It uses private DNS record to direct your traffic to the private IP address of that interface. Interface type is used for almost all services.
- Gateway – uses route prefix in your route table to direct traffic. It is used for S3 and DynamoDB only.
How to access VPC Endpoint from AWS Lambda
This is the essence of this post – Gateway vs. Interface differs how you can access them from your Lambda function.
Interface (most of AWS Services)
Interface type endpoint is just an ENI in your VPC. As each interface, it has Security Group attached. To allow access from you Lambda to VPC endpoint you need to configure two security groups, one for Lambda and one for VPC Endpoint. You should refer to security group object in the configuration.
Gateway (only S3 and DynamoDB)
In a gateway there is no security group attached to it, you can control access only via endpoint policies.
Service, like DynamoDB, is identified by a prefix —the name and ID of a service for a Region. A prefix list ID uses the form pl-xxxxxxx and a prefix list name uses the form “com.amazonaws.region.service“.
When you create a DynamoDB endpoint, you specify the VPC route tables that are used to access the service. A route is automatically added to each of the route tables with a destination that specifies the prefix list ID of the service (pl-xxxxxxxx), and a target with the endpoint ID (vpce-xxxxxxxx); for example:
Is that all? You shouldn’t forget to allow connection from your Lambda to DynamoDB in you outbound Security Group rule. But there is no Security Group attached to DynamoDB endpoint, what I should put in Destination? Prefix list ID for DynamoDB!
