Can Lambdas inside a private subnet still receive data from SQS?


I'm in the process of moving my Lambda over to a VPC to achieve security requirements for my organization. I have a use case that requires me to implement the Lambda inside a VPC in order to send egress traffic from the Lambda to one of our internal services via the DMZ in our network.

The problem is that this Lambda also receives egress traffic from SQS via another non-AWS service. I have concerns about whether my Lambda, if it is in a private network, will still be able to receive SQS data from this non-AWS service that's ingesting data into AWS. I am also using another non-AWS service that is sending data to the Lambda via.

After watching a re:Invent video I was informed that a NAT gateway can only send data as egress traffic outside the network. It didn't necessarily specify whether there's a workaround to receive ingress traffic or if it's possible to receive it from SQS, nor any possible solutions to achieve this while satisfying good security requirements.

I'm currently referencing this documentation -

1 answer

It is important to understand that even when you configure a Lambda function to be VPC-enabled, the Lambda function doesn't actually run inside the customer's VPC. Lambda functions run inside a VPC and AWS account owned by the Lambda service team. The VPC-enabled flag only allows Lambda functions to connect to resources inside a customer's VPC. You can read more about this here -

So when a Lambda function gets invoked by an SQS event source, SQS is not connecting to the Lambda service using the customer's VPC. So you should be good.

AWS, answered a year ago
AWS, reviewed a year ago
  • Just to add that all Lambda invocations happen via the Invoke API, which is a public API exposed by the Lambda service.
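A check that follows from the answer above, added here as an example and not part of the original thread or of any AWS tooling: when a function is moved into a VPC, the thing to verify is that its subnets are actually private (their route table reaches the internet only through a NAT gateway, never an internet gateway), and that the SQS event source mapping is still Enabled, since that mapping is independent of the VpcConfig. The code runs offline on constructed dictionaries shaped like the responses of boto3's `get_function_configuration`, `describe_route_tables` and `list_event_source_mappings`; all resource ids in the sample data are made up. Note that a VPC-attached Lambda placed in a public subnet gains no internet access from the internet gateway (its ENIs get no public IP), so a subnet flagged as public here is a misconfiguration rather than an egress path.

```python
"""Classify a VPC-enabled Lambda function's subnets and confirm its SQS trigger.

Added example (not from the re:Post thread). Input dictionaries mirror boto3
response shapes; sample values below are constructed, not real resources.
"""
from typing import Dict, List


def routes_reach_igw(route_table: dict) -> bool:
    """True if any active route in the table targets an internet gateway (igw-...).

    Such a subnet is public. A private subnet's default route points at a NAT
    gateway (NatGatewayId) or does not exist at all.
    """
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes carry no traffic
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def route_table_for_subnet(subnet_id: str, vpc_id: str, route_tables: List[dict]) -> dict:
    """Resolve the route table governing a subnet the way EC2 does:
    an explicit subnet association wins, otherwise the VPC's main table applies."""
    main_table = None
    for table in route_tables:
        if table.get("VpcId") != vpc_id:
            continue
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    if main_table is None:
        raise ValueError(f"no route table found for {subnet_id} in {vpc_id}")
    return main_table


def assess_function(fn_config: dict, route_tables: List[dict], mappings: List[dict]) -> Dict[str, object]:
    """Split the function's subnets into public/private and list enabled SQS sources."""
    vpc = fn_config.get("VpcConfig") or {}
    subnet_ids = vpc.get("SubnetIds", [])
    result: Dict[str, object] = {
        "vpc_enabled": bool(subnet_ids),
        "public_subnets": [],
        "private_subnets": [],
        "enabled_sqs_sources": [],
    }
    for subnet_id in subnet_ids:
        table = route_table_for_subnet(subnet_id, vpc["VpcId"], route_tables)
        bucket = "public_subnets" if routes_reach_igw(table) else "private_subnets"
        result[bucket].append(subnet_id)  # type: ignore[union-attr]
    for mapping in mappings:
        arn = mapping.get("EventSourceArn", "")
        # The SQS poller lives in the Lambda service, not in the customer VPC,
        # so only the mapping state matters here, never the subnet layout.
        if arn.startswith("arn:aws:sqs:") and mapping.get("State") == "Enabled":
            result["enabled_sqs_sources"].append(arn)  # type: ignore[union-attr]
    return result


# Constructed sample data (ids are placeholders, not real AWS resources).
SAMPLE_FUNCTION = {
    "FunctionName": "orders-ingest",
    "VpcConfig": {"VpcId": "vpc-0000", "SubnetIds": ["subnet-aaa", "subnet-bbb"],
                  "SecurityGroupIds": ["sg-1111"]},
}
SAMPLE_ROUTE_TABLES = [
    {   # main table: default route via NAT gateway -> private
        "RouteTableId": "rtb-main", "VpcId": "vpc-0000",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-2222", "State": "active"}],
    },
    {   # explicitly associated with subnet-bbb: default route via IGW -> public
        "RouteTableId": "rtb-public", "VpcId": "vpc-0000",
        "Associations": [{"SubnetId": "subnet-bbb", "RouteTableId": "rtb-public"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-3333", "State": "active"}],
    },
]
SAMPLE_MAPPINGS = [
    {"UUID": "placeholder-uuid", "State": "Enabled",
     "EventSourceArn": "arn:aws:sqs:us-east-1:123456789012:orders-queue"},
]

if __name__ == "__main__":
    report = assess_function(SAMPLE_FUNCTION, SAMPLE_ROUTE_TABLES, SAMPLE_MAPPINGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, `subnet-aaa` falls back to the main route table and is private, while `subnet-bbb` is flagged public because of its internet gateway route; the SQS mapping is reported as enabled regardless of either. Against a real account the same functions take the output of the three boto3 calls named above.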
