In VPC, EC2 works, lambda fails on call to iot:describe-endpoint

Question

I have an EC2 instance and a lambda. They have the same:
* region
* VPC
* subnets
* security groups
* inbound rules
* outbound rules
* iot permissions

On EC2:
```
$ aws iot describe-endpoint --endpoint-type iot:Data-ATS
```
returns my accounts endpoint address.

I want to run the equivalent on a lambda:
```
const client = new IoTClient({});
const response = await client.send(
            new DescribeEndpointCommand({ endpointType: "iot:Data-ATS" })
        );
```
client does not return (and the lambda times out).

If I move the lambda out of the VPC, client returns a response and it is correct.

I cannot see why describe-endpoint works on EC2 in a VPC, but not on lambda in the same VPC (with the same apparent subnet, security group, and permissions).

Accepted Answer

Hello.

Is there a route to the NAT Gateway in the route table for the subnet that Lambda is using?  
Even if Lambda is tied to a public subnet, the ENI is not set to a public IP address, so API execution, etc. will fail.  
So you need to set up a NAT Gateway, VPC endpoints, etc. to avoid this.  
https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-internet

Answer

Lambda functions that you attach to a VPC do not have internet access like Lambda functions which you do not attach. If your function is attached to a VPC, it must be attached to private subnets and you also need an IoT core VPC endpoint or a NAT Gateway and a route in the private subnets to the NAT Gateway.

You should only attach the function to the VPC if you actually need to access resources within the VPC.

In VPC, EC2 works, lambda fails on call to iot:describe-endpoint

Relevant content