Accessing private resources in a VPC

Serverless Applications with AWS Lambda

Claudio Canales

Senior DevOps Engineer

What is a VPC?

  • A VPC is your private network in AWS.
  • It provides address space, routing, and firewall controls.
  • You decide how resources connect.

VPC components overview


A simple analogy: a gated community

  • Subnets are neighborhoods.
  • Security groups are the gate rules.
  • NAT is the shared exit to the public internet.

Gated community analogy


Why run Lambda in a VPC?

  • Reach private resources like internal services or databases.
  • Security groups control what Lambda can connect to.

Lambda VPC private access


What you configure

  • Select subnets.
  • Select a security group.
  • Lambda gets an IP inside your VPC to reach private endpoints.

VPC configuration inputs and effects


Subnets: where your function runs

  • Subnets decide where the function is placed on the network.
  • Private subnets have no direct internet route.
  • Choose subnets that can reach what your handler needs.

Subnet selection impact


Security groups: firewall rules

  • Security groups are firewall rules for the network interface.
  • They control inbound and outbound traffic.
  • Outbound rules often determine whether Lambda can reach a database.

Security group bouncer analogy


ENIs and cold starts

  • ENI = Elastic Network Interface.
  • Lambda may need to create and attach an ENI before invoking your handler.
  • That extra network setup can add cold-start latency.

ENI cold start sequence


ENI analogy: plugging in a network cable

  • ENI = the network connection for your function.
  • It is created in your selected subnet.
  • More setup work can mean slower cold starts.

ENI cable plug analogy


Outbound internet access

  • Private subnets usually cannot reach the public internet.
  • Without outbound routing, calls to public APIs will time out.
  • Common approach: a NAT gateway.

NAT gateway outbound flow


When do you need NAT?

  • You need NAT when the function calls public internet endpoints.
  • NAT is unnecessary when the function reaches only private VPC resources.

NAT need decision diagram


Common symptoms when networking is wrong

  • Timeouts suggest missing routes or NAT.
  • Refused connections point to security group rules.

Network symptoms checklist
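An added preflight check, not part of the course materials, that walks the checklist above offline: it takes the subnets and security group you would select for a function and reports the likely cause (no route, missing NAT, or blocked security-group egress) before you deploy. The route tables and security group are constructed sample data shaped like the EC2 DescribeRouteTables and DescribeSecurityGroups responses; the subnet, gateway and security-group IDs are placeholders.

```python
"""Lambda VPC preflight check over constructed EC2 DescribeRouteTables/DescribeSecurityGroups data."""
from ipaddress import ip_address, ip_network

# Constructed route tables keyed by subnet: private-a has NAT, isolated-b has no
# default route, public-c routes 0.0.0.0/0 to an internet gateway (useless to Lambda).
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}  # the VPC's own CIDR
ROUTES_BY_SUBNET = {
    "subnet-private-a": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123example"}],
    "subnet-isolated-b": [LOCAL],
    "subnet-public-c": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123example"}],
}
# Constructed security group: egress only to the database subnet on TCP 5432.
SECURITY_GROUPS = {"sg-lambda": {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.20.0/24"}]}]}}

def matching_route(subnet_id, ip):
    """Longest-prefix match of ip against the subnet's route table (None if no route)."""
    addr, best = ip_address(ip), None
    for r in ROUTES_BY_SUBNET.get(subnet_id, []):
        net = ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None

def egress_allows(sg_id, ip, port, proto="tcp"):
    """True if an egress rule covers the protocol, port and destination address."""
    for rule in SECURITY_GROUPS[sg_id]["IpPermissionsEgress"]:
        all_traffic = rule["IpProtocol"] == "-1"  # AWS encodes all protocols/ports as -1
        if not all_traffic and (rule["IpProtocol"] != proto
                                or not rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        if any(ip_address(ip) in ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False

def diagnose(subnet_ids, sg_id, target_ip, target_port):
    """Classify why a function in these subnets may fail to reach target_ip:target_port."""
    for s in subnet_ids:  # Lambda may place the ENI in any selected subnet: check all
        r = matching_route(s, target_ip)
        if r is None:
            return "no-route:" + s
        # Lambda ENIs get no public IP, so an internet-gateway route does not help;
        # only an in-VPC ("local") destination or a NAT gateway route will work.
        if r.get("GatewayId") != "local" and "NatGatewayId" not in r:
            return "needs-nat:" + s
    if not egress_allows(sg_id, target_ip, target_port):
        return "sg-egress-blocked"
    return "ok"
```

Run it against your real account by replacing the two dictionaries with the corresponding boto3 responses; a result other than "ok" for any selected subnet means the function will hang or fail on that target.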


Best practices

  • Use VPC only for private connectivity.
  • Keep the setup minimal.
  • Monitor cold-start latency and connection errors.

VPC best practices


Key takeaways

  • VPC gives Lambda private networking.
  • You configure subnets and security groups.
  • ENIs can add cold-start overhead.
  • Private subnets need NAT for outbound internet access.

VPC connectivity tradeoffs


Let's practice!
