Can lambdas inside a private subnet still receive data from SQS ?

Question

I'm in progress of moving my lambda over to the VPC to achieve security requirements for my organization. I have a use case that requires me to implement lambda inside a vpc in order to send EGRESS traffic from lambda to one of our internal services via the DMZ in our network.

Problem is this lambda also receives egress traffic from SQS via another non-AWS service. I have concerns if my lambda is in a private network if it will still be able to receive SQS data from this non-AWS service that's ingesting dating into AWS. I am also using another non-AWS service that is sending data to the lambda via.

After looking at a re-invent video I was informed that NAT gateway can only send data on Egress traffic outside the network. It didn't necessarly specify if there's a workaround to receive engress traffic or if it's possible to receive it from SQS. Nor any possible solutions to achieve this while satisfying good security requirements.

I'm currently referencing this documentation - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/generate-a-static-outbound-ip-address-using-a-lambda-function-amazon-vpc-and-a-serverless-architecture.html

Answer

It is important to understand that even when you configure a lambda function to be VPC enabled, the lambda functions don't actually run inside the customer's VPC. Lambda functions run inside a VPC and AWS account owned by the Lambda service team. The VPC enabled flag only allows lambda functions to connect to resources inside a customer's VPC. You can read up more about this here - https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html

So when a lambda function gets invoked by an SQS event source, SQS is not connecting to the lambda service using the customer's VPC. So you should be good.

Can lambdas inside a private subnet still receive data from SQS ?

관련 콘텐츠