What are the Inbound and Outbound Rules for connecting a Lambda (inside a VPC) to SQS?
I am trying to connect my Lambda function. The lambda function will send a message to SQS. The Lambda is inside a VPC.

Now, I tried with only

  • Inbound Rule
  • Outbound Rule

at a time, and the task timed out, because the VPC needs to connect to the SQS HTTPS link. So, based on my understanding, we need

  • an incoming rule for Lambda from the SQS - to get the message Id after successful
  • an outgoing rule for Lambda - to connect to the SQS

An Endpoint Interface is to make sure that any interaction to and from the Lambda does not go out of the VPC.

My question is: what are the CIDR values for the Inbound and Outbound Rules? I am allowing all IPs on HTTPS port 443. But I want to know if there would be any exact values for the CIDRs. The Interface Endpoint for SQS is not being shown in the CIDR option list.

1 Answer

The CIDR values are whatever subnet you have placed your VPC Endpoints in. So for the Lambda security group, you will 99% of the time need port 443 to the subnet/IPs of the VPC Endpoints.

If your Lambda is VPC connected, you HAVE to use one of the following:

  1. Use VPC Endpoints for ANY Services Lambda requires
  2. Lambda function needs to be in a subnet with a route to a NAT Gateway, at which point it's likely you will need 0.0.0.0/0 on port 443 for outbound.

No inbound rules will be needed on the Lambda SG for SQS.

EXPERT, answered 3 months ago
Kallu (EXPERT), reviewed 3 months ago
  • So, in that sense, why doesn't a Lambda function require any Inbound rule when connecting to S3 or DynamoDB? Why does the Security group only need an Outbound rule to the respective Endpoint (for S3 and DynamoDB)?

  • Because it's a TCP conversation and security groups are stateful. SQS or DynamoDB do not connect to Lambda directly. SQS events trigger a Lambda function by calling the Lambda API; they do not connect to the Lambda function.

  • Same for S3. S3 events can trigger a Lambda function via the API. If Lambda needs to access S3 it's an outbound connection, and the security groups are stateful.
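The answer and comments above in working form, as an added example that is not code from the original question or answer: it derives the exact outbound CIDRs for the Lambda security group from the private IPs of the SQS interface endpoint's ENIs, builds the `IpPermissions` payload for `authorize_security_group_egress`, and models security group statefulness to show why the outbound rule alone lets the SQS response back in while an inbound-only rule leaves the call stuck. The sample API responses are constructed (trimmed to the fields used, with made-up IDs and addresses), so it runs offline; against a real account you would fetch them with `describe-vpc-endpoints` and `describe-network-interfaces`.

```python
"""
Added example (not from the original question or answer): derive the egress
rule for a VPC-connected Lambda's security group from the SQS interface
endpoint's ENIs, and model why no inbound rule is needed. All IDs and IP
addresses are constructed.
"""
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` (trimmed).
# For an interface endpoint the response lists the ENIs AWS created for it and
# the security group attached to them.
SAMPLE_VPC_ENDPOINT = {
    "VpcEndpointId": "vpce-0123456789abcdef0",           # made-up ID
    "ServiceName": "com.amazonaws.eu-west-1.sqs",
    "VpcEndpointType": "Interface",
    "Groups": [{"GroupId": "sg-endpoint"}],
    "NetworkInterfaceIds": ["eni-0a1b2c3d", "eni-0e5f6a7b"],
}

# Constructed sample in the shape of `aws ec2 describe-network-interfaces
#   --network-interface-ids eni-0a1b2c3d eni-0e5f6a7b` (trimmed).
SAMPLE_ENDPOINT_ENIS = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0a1b2c3d", "SubnetId": "subnet-aaa",
         "PrivateIpAddress": "10.0.1.25"},
        {"NetworkInterfaceId": "eni-0e5f6a7b", "SubnetId": "subnet-bbb",
         "PrivateIpAddress": "10.0.2.40"},
    ]
}


def endpoint_cidrs(describe_enis):
    """One /32 per endpoint ENI: the exact CIDRs the question asks about.

    Tighter than the endpoint subnets' CIDRs, but these IPs belong to
    AWS-managed ENIs and change if the endpoint is recreated.
    """
    return sorted(f"{ni['PrivateIpAddress']}/32"
                  for ni in describe_enis["NetworkInterfaces"])


def lambda_egress_rule(cidrs):
    """IpPermissions entry for authorize_security_group_egress(): TCP/443 to the CIDRs."""
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": c, "Description": "HTTPS to SQS interface endpoint"}
                         for c in cidrs]}


def lambda_egress_rule_by_sg(endpoint_sg_id):
    """Same rule, referencing the endpoint's security group instead of CIDRs.

    SG rules may name another SG in the VPC as the destination, which survives
    endpoint ENI changes; the endpoint SG then needs inbound 443 from the Lambda SG.
    """
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "UserIdGroupPairs": [{"GroupId": endpoint_sg_id,
                                  "Description": "HTTPS to SQS interface endpoint"}]}


class StatefulSecurityGroup:
    """Minimal model of security group semantics: allow-only rules per direction,
    plus connection tracking so replies to a permitted flow need no rule."""

    def __init__(self, ingress=(), egress=()):
        self.ingress, self.egress = list(ingress), list(egress)
        self._flows = set()  # (remote_ip, remote_port, local_port) opened outbound

    @staticmethod
    def _permits(rule, remote_ip, port):
        if rule["IpProtocol"] != "tcp" or not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))

    def outbound(self, dst_ip, dst_port, src_port):
        """Lambda sends a SYN to dst_ip:dst_port from ephemeral src_port."""
        allowed = any(self._permits(r, dst_ip, dst_port) for r in self.egress)
        if allowed:
            self._flows.add((dst_ip, dst_port, src_port))
        return allowed

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives from src_ip:src_port to the Lambda's dst_port."""
        if (src_ip, src_port, dst_port) in self._flows:
            return True  # reply to a flow we opened: allowed statefully, no inbound rule
        return any(self._permits(r, src_ip, dst_port) for r in self.ingress)


def sqs_call_with_egress_only():
    """Lambda SG with only the outbound rule: request and reply pass, unsolicited traffic does not."""
    sg = StatefulSecurityGroup(egress=[lambda_egress_rule(endpoint_cidrs(SAMPLE_ENDPOINT_ENIS))])
    syn_ok = sg.outbound("10.0.1.25", 443, 50123)        # Lambda -> endpoint:443
    reply_ok = sg.inbound("10.0.1.25", 443, 50123)       # endpoint -> Lambda (response)
    unsolicited_ok = sg.inbound("10.0.1.25", 443, 8080)  # no flow opened: dropped
    return syn_ok, reply_ok, unsolicited_ok


def sqs_call_with_ingress_only():
    """What the question tried: an inbound-only rule. The SYN never leaves, so the call times out."""
    sg = StatefulSecurityGroup(ingress=[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return sg.outbound("10.0.1.25", 443, 50123)
```

`endpoint_cidrs` gives the literal values the console's CIDR picker will not offer, and `lambda_egress_rule_by_sg` shows the alternative of pointing the rule at the endpoint's security group (`SAMPLE_VPC_ENDPOINT["Groups"]`) so it does not break when the endpoint's ENIs are replaced.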
