Why can't I send an SES email from an EC2 or Lambda instance that's inside a private Amazon VPC?


I want to use Amazon Simple Email Service (SES) to send emails from an Amazon Elastic Compute Cloud (Amazon EC2) instance or AWS Lambda function that's inside an Amazon Virtual Private Cloud (VPC).

Short description

By default, Amazon EC2 instances and Lambda functions that you deploy inside an Amazon VPC don't have direct internet access. To send emails, the Amazon SES API requires an outbound internet connection to communicate with the Amazon SES service.

Resolution

Use the Amazon SES SMTP interface with an Amazon VPC endpoint

To use the Amazon SES Simple Mail Transfer Protocol (SMTP) interface to send emails, complete the following steps:

  1. Create a new Amazon VPC endpoint for the Amazon SES SMTP service in your Amazon VPC.
    Note: Amazon VPC endpoints don't support requests across AWS Regions. Create your endpoint in the same Region that you want to issue API calls from.
  2. Verify that your instance or Lambda function's access control lists (ACLs) allow outbound traffic to the Amazon SES SMTP endpoint. If you use a Lambda function, then verify that you associated the Amazon SES SMTP endpoint with the same subnets as your Lambda function.
  3. Update your application to use the SMTP protocol and connect to the Amazon SES SMTP endpoint.
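The three steps above from the application side, as an added example (not code from the original article): a Lambda-style sender that connects to the regional SES SMTP hostname, upgrades to TLS with certificate validation, and only then authenticates. Assumptions: private DNS is enabled on the VPC endpoint so the regional hostname resolves inside the VPC, port 587 is allowed by the endpoint's security group, and the environment variable names and default Region are hypothetical.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

# Assumed values, not from the original article: default Region and port choice.
REGION = os.environ.get("SES_REGION", "us-east-1")
SMTP_PORT = 587  # STARTTLS port; avoids the default EC2 restriction on port 25


def ses_smtp_host(region: str) -> str:
    """Regional SES SMTP hostname (assumes private DNS on the VPC endpoint)."""
    return f"email-smtp.{region}.amazonaws.com"


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender  # must be a verified SES identity
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_ses_smtp(msg, username, password, region=REGION, timeout=10):
    """Send msg over STARTTLS; return the dict of refused recipients."""
    context = ssl.create_default_context()  # verifies certificate chain and hostname
    # The timeout makes a missing endpoint or blocked route fail fast instead of hanging.
    with smtplib.SMTP(ses_smtp_host(region), SMTP_PORT, timeout=timeout) as smtp:
        smtp.starttls(context=context)  # raises if the server does not offer STARTTLS
        smtp.login(username, password)  # credentials are sent only after TLS is up
        return smtp.send_message(msg)


def lambda_handler(event, context):
    # Hypothetical variable names; SES SMTP credentials are read at run time.
    msg = build_message(
        os.environ["MAIL_FROM"], event["to"], event["subject"], event["body"]
    )
    refused = send_via_ses_smtp(
        msg, os.environ["SES_SMTP_USER"], os.environ["SES_SMTP_PASS"]
    )
    return {"refused": sorted(refused)}
```

A timeout raised from `smtplib.SMTP(...)` points to the network path (endpoint, subnet association, ACLs), while an `SMTPAuthenticationError` from `login` points to the SMTP credentials.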

Connect the Amazon SES API to the internet

Prerequisites: Check that the instance role or Lambda execution role has the ses:SendEmail and ses:SendRawEmail permissions. Also, verify your email address identity or domain identity.

To use the Amazon SES API, set up a NAT gateway in a public subnet to allow internet access from your private subnets. You can also deploy and configure a proxy server in a public subnet to forward internet traffic from your private subnets.

Then, test your connection to the Amazon SES SMTP endpoints.

Note: By default, Amazon EC2 restricts outbound traffic on SMTP port 25 on all instances.

Related information

Using the Amazon SES SMTP interface to send email

Giving Lambda functions access to resources in an Amazon VPC

How do I troubleshoot SMTP connectivity or timeout issues with Amazon SES?

AWS OFFICIAL Updated 20 days ago