You're 100% correct. When you put your RDS instance and your Lambda in a VPC, you're putting it on a private network that, by default, has no connectivity to the outside world. Secrets Manager's API endpoints are available only on the public Internet, so for your Lambda to run Secrets Manager API operations, you must equip your VPC with some means of accessing the Internet. The easiest way to do that is to add a NAT gateway that allows requests from the VPC to access the Internet and responses to those requests to make their way back.
I read a lot of recommendations about using a NAT gateway to grant the VPC internet access, but what about this alternative? Going to network interfaces in EC2, finding the ENI labeled "AWS Lambda VPC ENI", and associating a new elastic IP with that interface? I just confirmed this grants internet access to my Lambda, although I have to explicitly associate it with the private subnet of that interface.
This approach isn't mentioned anywhere, and I wonder what its advantages/disadvantages are as compared with using a NAT gateway.
I'd argue that a NAT gateway benefits all of the hosts on the subnet automatically, while an EIP directly affects only the attached host. Also, there is a very significant limit of 5 EIPs per region, so we would not recommend a scheme that results in a 1:1 association between an EIP and a Lambda function. You'd run out of EIPs very quickly.
A NAT also provides some basic filtering that an EIP does not. A NAT essentially filters out all traffic except responses to previous outgoing requests (unless you specifically designate and redirect an incoming port to a specific host).
We recommend that you follow the guidance found in this topic in the Lambda Developers Guide: https://docs.aws.amazon.com/lambda/latest/dg/vpc.html, which very clearly indicates that a NAT gateway is the preferred configuration option.
I hope this helps!
It would be great to have a VPC endpoint for Secrets Manager!
Deploying a NAT Gateway (indeed 3 NAT gateways for 3 stages) only to access Secrets Manager from Lambda is a pity... in particular for cost reasons.
I'm guessing you haven't seen the latest news. :-)
In July we introduced support for configuring Secrets Manager endpoints within your VPC. For more information, see the announcement blogpost here (https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/) or the documentation for this feature (https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html#vpc-endpoint).
That will simplify all this! I hope this helps!
Tech Writer for Secrets Manager
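As an added illustration of the endpoint configuration mentioned above (not code from this thread or from AWS), the CloudFormation fragment below creates an interface endpoint for Secrets Manager in the Lambda's private subnets, so the function no longer needs a NAT gateway. The parameter names, the single-secret endpoint policy and the use of a dedicated endpoint security group are assumptions made for the example.

```yaml
# Added example: private access from a VPC Lambda to Secrets Manager via an
# interface endpoint. Parameter names and the policy scope are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # the subnets the Lambda is attached to
  LambdaSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # SG already attached to the function
  SecretArn:
    Type: String                       # ARN of the single secret the function may read
Resources:
  # Only the Lambda's security group may reach the endpoint, and only on HTTPS.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the Lambda SG to the Secrets Manager endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LambdaSecurityGroupId
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # With private DNS, the SDK's default secretsmanager.<region>.amazonaws.com
      # hostname resolves to the endpoint's private IPs; no code change in the Lambda.
      PrivateDnsEnabled: true
      # Endpoint policy: least privilege, only this account reading this one secret.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: secretsmanager:GetSecretValue
            Resource: !Ref SecretArn
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId
```

The Lambda's execution role still needs its own `secretsmanager:GetSecretValue` permission; the endpoint policy only narrows what can pass through the endpoint.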
Thanks Dave, indeed I didn't see the July announcement! ;)
Great! Can you please flag my response as the correct answer? Thank you very much!
Sorry David, it seems that I'm not able to flag your answer.