Home > database >  Lambda Needs REST to external service and DynamoDB table
Lambda Needs REST to external service and DynamoDB table

Time:11-13

Question: If I add a VPC to the Lambda, does it loose access to AWS services like DynamoDB? ***

My Lambda needs to do a fetch two HTTPS services (technically one is wss). As I understand Lambdas, they can't get to anything, even AWS services unless given. The Lambda already was able to access DynamoDB tables, but I wanted to give it the REST services as well. I read somewhere that the Lambda can't really connect almost anywhere without associating it with a VPC. To do that, I added an inline policy as described at AWS Lambda:The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

The Lambda has a custom role which has AWS Policies:

AmazonS3FullAccess AmazonAPIGatewayInvokeFullAccess AmazonDynamoDBFullAccess AWSLambdaBasicExecutionRole

plus an inline policy (literally from the SO link above)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}

CodePudding user response:

As long as you configure the lambda to use a subnet in your VPC that has internet access then it will be able to reach DynamoDB just fine. I suggest you specify two subnets for high availability. If you use private subnets then you'll need to create NAT gateways so that they have internet access. Access to AWS services could get a bit more complex if you're using something like VPC endpoints, but if you're not using those in your VPC then it's not something you need to worry about.

Also, you really only need to use VPCs/Subnets with your lambda if it needs access to resources that reside within the VPC (such as an RDS cluster, or some API that is not publicly available). Otherwise, if you don't specify a vpc, your lambda will have internet access by default.

  • Related