SES via Lambda in VPC


My SES account is out of sandbox. I am trying to send emails with SES using a Python lambda that is in a VPC. I know that the lambda being in a VPC is why I am having a task timeout when trying to run any boto3 SES SDK code. I have read various articles surrounding NAT gateways, VPC endpoints, security groups, internet gateways, private and public subnets, that SMTP must be used, and so on. I have tried numerous tactics mentioned by these articles but my lambda still times out. Some of the approaches might be outdated. Is there a simple, cost-effective means of invoking a Python lambda in a VPC to send a templated email via SES?

1 Answer

All you need to do is create a VPC endpoint to SES and make sure that the routing table is configured correctly. Please note that SES does not support endpoints in all AZs.

AWS
EXPERT
Uri
answered 2 years ago
  • You'll also need to add the endpoint_url parameter when you create the SES client with boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html

  • Thank you, Uri, for your response. The article you shared is what I originally started with, but perhaps I was unaware of some detail or I added extra complexity. I tried following the steps in the article again. I assigned subnets to a VPC interface endpoint for the email.smtp service. For the VPC itself, one of the subnets is in an AZ not supported by SES, but I did not assign that subnet to the interface endpoint--I only assigned the other 3 subnets which are supported by SES. The EC2 instance I created was private (only having a private IPv4 address). I included a CIDR of the IPv4 address as the source for the endpoint's security group. With the mentioned restricted traffic for port 25, I am using port 587 in the security group's inbound rule. I have not included anything in terms of NAT gateway, Direct Connect, or other resources/services. I am still seeing a task timeout with my boto3 lambda for using SES.

    I am not finding any specific guidance on how the routing table should be configured for SES. The route table for the VPC has no explicit subnet associations. The subnets without explicit association are all four subnets for the VPC (including the one in an AZ not supported by SES)--I do not know if that matters based on what I shared in the first paragraph. Are there any specific configurations needed in the route table to tie the VPC to SES?

    Is there only one EC2 instance needed?

    Thank you!

  • Brettski-AWS mentioned adding the endpoint_url parameter for the boto3 client. I am not sure what value to give. I am invoking the lambda through the lambda console only. I don't plan to connect any resource to the lambda for invocation purposes.

  • The endpoint url can be found in the console where you created the SES endpoint.

  • Hi Brettski, I tried the Private DNS listed for the VPC Endpoint as the endpoint_url value. As a result, I got an "Invalid Endpoint" error.

    If you look at the below github issue, there is a feature request to be able to use the Private DNS as the endpoint_url, but for now, they are saying SMTP must be used in place, which means Python's smtplib as a possible approach. https://github.com/aws/aws-sdk/issues/181

    Programmatic email sending examples here: https://docs.aws.amazon.com/ses/latest/dg/send-using-smtp-programmatically.html

    I am not seeing where any other gateways are needed.

    Is this the expected behavior, or would I still need other resources such as a NAT gateway?
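The thread ends on the SMTP route: with an `email-smtp` interface endpoint in the VPC (private DNS enabled) the Lambda talks to the regional SES SMTP name on port 587 with STARTTLS, and no NAT gateway or internet gateway is involved. The following is an added example, not code from the question or from any answer above. It assumes: the SMTP credentials belong to an IAM user whose only permission is `ses:SendRawEmail` (SES SMTP cannot authenticate with a role's temporary credentials, so the Lambda role itself is not enough); the SMTP username is that user's access key ID and the password is derived from the secret access key with the AWS-documented SigV4 derivation shown in `derive_smtp_password`; and the "templated" part is rendered locally with `string.Template`, because the SMTP interface does not use SES stored templates. The environment variable names `SES_SMTP_HOST`, `SES_SMTP_USERNAME`, `SES_SMTP_PASSWORD`, `SES_SENDER` and `SES_RECIPIENT` are placeholders chosen for this example.

```python
import base64
import hashlib
import hmac
import os
import smtplib
import ssl
from email.message import EmailMessage
from string import Template

# Fixed inputs of the AWS-documented SES SMTP password derivation.
_DATE = "11111111"
_SERVICE = "ses"
_MESSAGE = "SendRawEmail"
_VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_smtp_password(secret_access_key: str, region: str) -> str:
    """Turn an IAM user's secret access key into the SES SMTP password.

    The SMTP password is *not* the IAM secret itself; it is region-specific
    and derived as below. The SMTP username is the plain access key ID.
    """
    sig = _sign(("AWS4" + secret_access_key).encode("utf-8"), _DATE)
    sig = _sign(sig, region)
    sig = _sign(sig, _SERVICE)
    sig = _sign(sig, _MESSAGE)
    return base64.b64encode(bytes([_VERSION]) + sig).decode("ascii")


def render_template(template: str, values: dict) -> str:
    """Substitute ${name} placeholders; a missing value raises KeyError
    instead of silently sending a half-rendered mail."""
    return Template(template).substitute(values)


def build_message(sender: str, recipient: str, subject_tpl: str,
                  body_tpl: str, values: dict) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = render_template(subject_tpl, values)
    msg.set_content(render_template(body_tpl, values))
    return msg


def send_via_ses_smtp(msg: EmailMessage, host: str, username: str,
                      password: str, port: int = 587, timeout: int = 10) -> None:
    """Deliver through the SES SMTP interface over STARTTLS.

    `host` must be the regional name (email-smtp.<region>.amazonaws.com),
    which private DNS on the VPC endpoint resolves to the endpoint ENI.
    Connecting to the vpce-...amazonaws.com name instead fails the
    certificate hostname check that create_default_context() enforces.
    A short timeout keeps a misrouted subnet from hanging the Lambda.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(username, password)
        smtp.send_message(msg)


def lambda_handler(event, context):
    # Credentials are expected to be injected (e.g. from Secrets Manager)
    # into these hypothetical environment variables; never hard-code them.
    values = {"name": event.get("name", "there"),
              "ticket": event.get("ticket", "n/a")}
    msg = build_message(
        os.environ["SES_SENDER"], os.environ["SES_RECIPIENT"],
        "Ticket ${ticket} update", "Hello ${name},\n\nTicket ${ticket} was updated.\n",
        values)
    send_via_ses_smtp(msg, os.environ["SES_SMTP_HOST"],
                      os.environ["SES_SMTP_USERNAME"],
                      os.environ["SES_SMTP_PASSWORD"])
    return {"status": "sent"}
```

The endpoint security group needs an inbound rule for TCP 587 from the Lambda's security group (or subnet CIDR), and the Lambda must be attached only to subnets in AZs where the `email-smtp` endpoint has an ENI; a Lambda placed in the unsupported AZ's subnet has no path to the endpoint and times out exactly as described above.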
