
Lambda in private subnet cannot reach DynamoDB



We are working on a POC related to hardening network security & resources.

We used as a model the reference Building Basic Web Application, link:, where a Lambda invoked from API Gateway posts data into a DynamoDB table.

Here are the changes made:

  • The lambda was set to be inside the VPC and within a private subnet.
  • A NAT Gateway was added for internet access and linked to the route table of the private subnet.
  • A VPC Gateway endpoint was also added so the communication between the lambda and DynamoDB can be done through the endpoint instead of over routes. This endpoint has also been added to the route table of the private subnet.

If we take the lambda out of the VPC and configure it as "NONE" in the VPC settings, it works fine, just as it is supposed to work from the reference previously shared.

We created another lambda, using the "Hello World" template, we added it to the same VPC and it works fine. The problem here is with the Lambda that posts data into a DynamoDB table.

Error message from Lambda: Task timed out.

It seems that the issue is between the communication from Lambda to DynamoDB, since the other Lambda works fine inside the VPC.

Any advice? Kindly/please help!

Thank you!

Reference Architecture

1 Answer

The VPC endpoint has an associated security group. The ENI for Lambda Function's VPC attachment also has a security group associated. Please ensure that the VPC endpoint's security group has an ingress rule allowing traffic from the Lambda Function's security group.

Please see here for more details on accessing services using a VPC endpoint.

answered 2 months ago
  • Hi Aaron. Thanks a lot for your reply and information. Looking at the settings, we are unable to find the security group of the VPC endpoint since it is a Gateway endpoint to DynamoDB. Looking at the documentation shared, security groups on VPC endpoints are only available for Interface endpoints. On the Gateway endpoint for DynamoDB we only have the option to modify the endpoint policy. On the other hand, the security group of the ENI now has the endpoint ID as part of the outbound rules using port 443 and for the destination the endpoint prefix (pl-xxxx). It is still not working.
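
The settings discussed in this thread can be checked per subnet. The following is an added example, not code from the poster, the answerer or AWS: it checks, for every subnet a function is attached to, that the effective route table has an active prefix-list route to the gateway endpoint, and that the ENI's security groups allow outbound TCP 443. The dictionaries mirror fields of the EC2 DescribeRouteTables and DescribeSecurityGroups responses; all IDs and the function names are constructed for illustration.

```python
# Added example: dicts mirror EC2 Describe* response fields; every ID is constructed.

def subnet_route_table(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, else the VPC's main one."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def egress_allows_https(sg, pl_id):
    """True if an egress rule permits TCP 443 to the prefix list or to 0.0.0.0/0."""
    for rule in sg["IpPermissionsEgress"]:
        proto = rule["IpProtocol"]
        port_ok = proto == "-1" or (proto == "tcp" and rule["FromPort"] <= 443 <= rule["ToPort"])
        to_pl = any(p["PrefixListId"] == pl_id for p in rule.get("PrefixListIds", []))
        to_any = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        if port_ok and (to_pl or to_any):
            return True
    return False

def check(subnet_ids, sgs, route_tables, endpoint_id, pl_id):
    """Return findings; an empty list means endpoint routing and egress both look right."""
    findings = []
    for sid in subnet_ids:
        rt = subnet_route_table(sid, route_tables)
        routes = rt["Routes"] if rt else []
        if not any(r.get("DestinationPrefixListId") == pl_id
                   and r.get("GatewayId") == endpoint_id
                   and r.get("State") == "active" for r in routes):
            findings.append(f"{sid}: no active route to {endpoint_id}")
    # Rules of all security groups on the ENI are combined, so one match suffices.
    if not any(egress_allows_https(sg, pl_id) for sg in sgs):
        findings.append(f"no egress rule allows tcp/443 to {pl_id}")
    return findings

# Constructed sample: two function subnets, only one associated with the endpoint's table.
PL, VPCE = "pl-EXAMPLE", "vpce-EXAMPLE"
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationPrefixListId": PL, "GatewayId": VPCE, "State": "active"}]},
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"}]}]
SGS = [{"GroupId": "sg-EXAMPLE", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListIds": [{"PrefixListId": PL}]}]}]
FINDINGS = check(["subnet-a", "subnet-b"], SGS, ROUTE_TABLES, VPCE, PL)
```

With real data, the same fields come from the function's `VpcConfig` (subnet and security group IDs) and the corresponding EC2 describe calls.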
