AWS Lambda to on-premise via direct connect and AWS PrivateLink?

Hi Mart,

I understand you are looking to connect your Lambda functions to your on-premises environment that is connected to your VPC via Direct Connect, as follows:

Lambda -> VPC -> DX -> on-premises environment

And you would like to know if using PrivateLink is required so the Lamba function uses a Lambda endpoint to connect to your VPC, then DX, then on-premises. Please, let me know if my assumption is incorrect.

Do note that Lambda endpoints are inbound endpoints meaning you use them to call your Lambda functions without using the internet hence all your traffic remains private, as in:

HTTP client -> Lambda endpoint -> Lambda service -> Lambda function

So Lambda endpoints are not outbound endpoints.

From a networking perspective, all Lambda functions (whether yours or other’s) are located, or deployed, inside Lambda service’s VPC. In order for your Lambda function to access your own VPC, what’s happening under the hood is that the Lambda service is using PrivateLink to connect its own service VPC to your own VPC, as in:

Lambda service VPC -> PrivateLink -> your own VPC -> resources hosted in your VPC

Therefore, once you have configured your Lambda to be deployed (or connected) to your VPC [1], as long as your VPC has connectivity to your data center, it will be allowed to route the traffic towards it - whether it uses Direct Connect or other connections, like VPN.

In case my answer doesn’t address your question or you have any follow-up, please let me know.

Hope it helps,

Rocky

References:

[1] Configuring a Lambda function to access resources in a VPC - https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html