ALB stops communicating with the lambda on the backend when the lambda is decoupled from the VPC.

0

I have a Lambda function on the backend of an ALB, in a Lambda target group. I need to remove the Lambda from the VPC it was associated with, as I need this Lambda to communicate with the internet with random outbound IPs. When I disassociate the Lambda from its VPC, the ALB's communication with the Lambda stops. I need to understand why this happens, since the ALB's communication with the Lambda is via transparent API calls through AWS, not via the traditional network. Does anyone know what to do?

asked 2 months ago, 49 views
3 Answers
0

The issue you're experiencing is likely due to how AWS Lambda functions interact with Application Load Balancers (ALBs) and Virtual Private Clouds (VPCs). When you remove the Lambda function from the VPC, you're changing its networking configuration, which affects how it can be accessed by the ALB.

ALBs are designed to work within VPCs, and when you set up a Lambda function as a target for an ALB, AWS creates the necessary networking components to allow communication between the ALB and the Lambda function within the VPC context. This includes setting up elastic network interfaces (ENIs) that enable the ALB to route requests to the Lambda function.

When you disassociate the Lambda function from the VPC, you're essentially removing these networking components that allow the ALB to communicate with the Lambda function. Even though Lambda can be invoked via API calls, the ALB is expecting to route traffic within the VPC context.

To resolve this issue while still allowing your Lambda function to communicate with the internet using random outbound IPs, you have a few options:

  1. Keep the Lambda function in the VPC, but configure the VPC with a NAT gateway in a public subnet. This will allow the Lambda function to access the internet while still being reachable by the ALB.

  2. If you absolutely need to remove the Lambda from the VPC, you may need to reconsider your architecture. Instead of using an ALB, you could use API Gateway as the front-end for your Lambda function. API Gateway can invoke Lambda functions that are not associated with a VPC.

  3. Another option is to use AWS Global Accelerator in conjunction with your ALB. This might allow you to keep your Lambda function outside the VPC while still routing traffic through the ALB, but this would require careful configuration and testing.

It's important to note that removing a Lambda function from a VPC does change its networking behavior significantly, and it may not be compatible with all existing architectures that depend on VPC integration.
Sources
Lambda function can access the internet from Function URL but not from API Gateway | AWS re:Post
Lambda connected to RDC and Internet doesn't work | AWS re:Post

answered 2 months ago
EXPERT
reviewed 2 months ago
0

If you deployed your Lambda function with some infrastructure-as-code tool, it's probably simplest just to deploy another copy outside the VPC and switch your ALB to use the new function as a target.

If redeploying is not convenient, you could try creating a new target group referencing the existing function after it's been detached from the VPC, and then switching the ALB to use the new target group.

EXPERT
answered 2 months ago
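The procedure described in the answer above (detach the function from the VPC, create a new Lambda target group, point the listener at it), as an added AWS CLI example that is not part of the original answers. Function name, function ARN, listener ARN and target group name are placeholders; AWS CLI v2 is assumed. The step most easily missed when doing this by hand is `lambda add-permission`: an ALB does not reach a Lambda target over the VPC network but through the Lambda Invoke API, and what authorises that is a resource-based policy statement on the function whose source ARN is the target group ARN. A new target group has a new ARN, so the old statement no longer matches and a new one must be granted. Scope it with `--source-arn` to that target group rather than to the whole `elasticloadbalancing.amazonaws.com` principal, so no other load balancer in any account can invoke the function.

```shell
#!/bin/sh
# Added example for this thread (not code from the original answers): re-point an
# ALB listener at a Lambda function after detaching the function from its VPC.
# Names and ARNs passed as arguments are assumed placeholders.
# Set AWS="echo aws" to print the commands instead of executing them (dry run).
AWS="${AWS:-aws}"

# 1. Detach the function from the VPC: an empty subnet list and an empty
#    security-group list remove the VPC configuration entirely.
detach_from_vpc() {
  fn="$1"
  $AWS lambda update-function-configuration \
    --function-name "$fn" \
    --vpc-config 'SubnetIds=[],SecurityGroupIds=[]'
}

# 2. Create a fresh target group of type lambda; prints its ARN.
create_lambda_target_group() {
  name="$1"
  $AWS elbv2 create-target-group \
    --name "$name" \
    --target-type lambda \
    --query 'TargetGroups[0].TargetGroupArn' --output text
}

# 3. Authorise Elastic Load Balancing to invoke the function, scoped to this
#    one target group ARN. The ALB calls the Lambda Invoke API, so this
#    resource-based policy statement is what makes the target usable; it is
#    tied to the target group ARN, so a new target group needs a new statement.
#    The statement id must be unique on the function (re-using one fails with
#    ResourceConflictException).
grant_alb_invoke() {
  fn="$1"; tg_arn="$2"; sid="$3"
  $AWS lambda add-permission \
    --function-name "$fn" \
    --statement-id "$sid" \
    --action lambda:InvokeFunction \
    --principal elasticloadbalancing.amazonaws.com \
    --source-arn "$tg_arn"
}

# 4. Register the function (by ARN) as the target group's single target.
register_function() {
  tg_arn="$1"; fn_arn="$2"
  $AWS elbv2 register-targets \
    --target-group-arn "$tg_arn" \
    --targets "Id=$fn_arn"
}

# 5. Switch the listener's default action to the new target group.
switch_listener() {
  listener_arn="$1"; tg_arn="$2"
  $AWS elbv2 modify-listener \
    --listener-arn "$listener_arn" \
    --default-actions "Type=forward,TargetGroupArn=$tg_arn"
}

# The whole procedure in order; prints the new target group ARN on success
# and stops at the first failing step.
repoint_alb_to_detached_lambda() {
  fn="$1"; fn_arn="$2"; listener_arn="$3"; tg_name="$4"
  detach_from_vpc "$fn" >/dev/null || return 1
  tg_arn=$(create_lambda_target_group "$tg_name") || return 1
  grant_alb_invoke "$fn" "$tg_arn" "alb-invoke-$tg_name" >/dev/null || return 1
  register_function "$tg_arn" "$fn_arn" >/dev/null || return 1
  switch_listener "$listener_arn" "$tg_arn" >/dev/null || return 1
  echo "$tg_arn"
}

# Usage (placeholder ARNs):
# repoint_alb_to_detached_lambda my-fn \
#   arn:aws:lambda:eu-west-1:123456789012:function:my-fn \
#   arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/dev-alb/abc/def \
#   dev-lambda-tg-v2
```

Run it once with `AWS="echo aws"` to review the exact commands before they touch the account. If the listener uses rules rather than a default action, replace `modify-listener` with `modify-rule` on the rule ARN; the permission and registration steps are unchanged.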
0

Good morning Leo, I didn't understand your suggestion, because in my scenario I already created a dev ALB, a dev target group and a Lambda, but when routing the communication to the Lambda outside a VPC, the communication didn't work.

answered 2 months ago
