Python Lambda SES Timeout


My SES account is out of sandbox. I am trying to send emails with SES using a Python lambda that is in a VPC. I know that the lambda being in a VPC is why I am having a task timeout when trying to run any boto3 SES SDK code. Note: I intend for this lambda to be invoked only through the Lambda console, not through API Gateway or another resource.

I have followed the steps in this article:

I assigned subnets to a VPC interface endpoint for the email.smtp service. For the VPC itself, one of the subnets is in an AZ not supported by SES, but I did not assign that subnet to the interface endpoint--I only assigned the other 3 subnets which are supported by SES. The EC2 instance I created was private (only having a private IPv4 address). I included a CIDR of the IPv4 address as the source for the endpoint's security group. With the restricted traffic for port 25, I am using port 587 in the security group's inbound rule. I have not included anything in terms of NAT gateway, Direct Connect, or other resources/services. I am still seeing a task timeout with my boto3 lambda for using SES.

I am not finding any specific guidance on how the route table should be configured for SES. The route table for the VPC has no explicit subnet associations. The subnets without explicit association are all four subnets for the VPC (including the one in an AZ not supported by SES)--I do not know if that matters based on what I shared in the first paragraph.

Is there something additional I need to cover?

Do I need to use special SMTP credentials when integrating with SES this way?

Are there any specific configurations needed in the route table to tie the VPC to SES?

Is there only one EC2 instance needed?

1 Answer

I assume this is related to your other question.

When creating Interface Endpoints for services such as SES you don't need to modify the route table. When you create the endpoint you nominate the subnets where you want the endpoint to be created. Because the endpoints use a local IP address there is no need to change the route table.

When you call the SES service the credentials used will be that of the Lambda function or EC2 instance - you can assign a role to each of those with the appropriate permissions. That's assuming you are calling the SES API using boto3.

If you are using port 25/587 then you will need NAT Gateway to reach the SES endpoint. Definitely easier to use the endpoint and boto3 in my opinion.

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions