sending email from lambda function within private subnet in vpc

Question

- created a lambda in VPC, private subnet with no internet gateway or NAT. 
- created ses VPC endpoint for that private subnet
- allowed all traffic for all ports on security group for now 
- checked zone for ses availability
- tried to send email with nodemailer(smtp) and nodemailer(ses): Failed with no error message. It prints the following:

```
[2024-04-30 12:56:27] DEBUG Sending mail using SMTP/6.9.13[client:6.9.13]
```

- tried to send email with @aws-sdk/client-ses: Failed

All failures had no error message. not even timed out error. It looks the lambda function finishes good but didn't send email.

When I try to send the email using smtp outside of vpc, it works find. So the smtp credential is not an issue.

I followed the instructions on: https://docs.aws.amazon.com/ses/latest/dg/send-email-set-up-vpc-endpoints.html
The only diffrence seems i'm using lambda. Is it because lambda doesn't own an ip address? 
What else am I missing?

```
let transporter = nodemailer.createTransport({      
      host: 'email-smtp.ap-northeast-2.amazonaws.com',
      auth: {
        user: AWS_ACCESS_KEY_ID,
        pass: AWS_SECRET_ACCESS_KEY,
      },
      debug: true,
      logger: true,      
      secure: false,
      port: 587,
      transactionLog: true
    });

transporter.sendMail(
      {
          from: "YYY@YYY.YYY",
          to: "ZZZ@ZZZ.ZZZ",

subject: 'Message ✓ ' + Date.now(),
          text: 'I hope this message gets sent! ✓'
      },
      (err, info) => {
        console.log('err || info');
        console.log(err || info);
      }
    );
```

Using 587 port for "secure: false": 
```
2024-04-30 22:04:56.875	INFO	[2024-04-30 13:04:56] DEBUG Sending mail using SMTP/6.9.13[client:6.9.13]
2024-04-30 22:04:56.885	INFO	[2024-04-30 13:04:56] INFO  [eEB6BjGP3Vs] Connection established to 10.0.155.178:587
2024-04-30 22:04:56.900	INFO	[2024-04-30 13:04:56] INFO  [3vDf4tGOjw] Connection established to 10.0.155.178:587
2024-04-30 22:04:56.901	INFO	[2024-04-30 13:04:56] DEBUG [Ks1nzE3HZTE] Resolved email-smtp.ap-northeast-2.amazonaws.com as 10.0.136.149 [cache hit]
2024-04-30 22:04:56.902	INFO	[2024-04-30 13:04:56] DEBUG [bmIJOM6Pe9Y] Resolved email-smtp.ap-northeast-2.amazonaws.com as 10.0.155.178 [cache hit]
2024-04-30 22:04:56.902	INFO	[2024-04-30 13:04:56] INFO  [rfeXp9Zumc] Connection closed
```

Using 465 port for "secure: true":

```
2024-04-30 22:11:38.196	INFO	[2024-04-30 13:11:38] DEBUG Sending mail using SMTP/6.9.13[client:6.9.13]
```

Answer

Hello.

If Lambda has not stopped execution due to an error, you should be able to see some changes in the Amazon SES CloudWatch metrics.  
Also, looking at the logs, it appears that the connection to the endpoint is normal.  
Is it possible to send it using something like NAT Gateway instead of VPC endpoint?

Answer

you may want to verify the following possibilities that might be causing email sending failure.
1) https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-policy-examples.html
Verify that the SES VPC endpoint policy 
2) Lambda permissions policy, and attach to it the right IAM role.
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "ses:SendEmail",
 "ses:SendRawEmail"
 ],
 "Resource": "*"
 }
 ]
}

Answer

Hi,

You may be interested by https://stackoverflow.com/questions/63276192/why-does-my-lambda-function-timeout-connecting-to-ses-vpc-endpoint

See answer #1: it explains how to get a private SES endpoint to work with a Lambda

Best,

Didier

sending email from lambda function within private subnet in vpc

Relevant content