When you add a VPC Gateway Endpoint for DynamoDB, the table routing is automatically added for you. Your normal DynamoDB Client with the standard endpoint will always choose the Gateway Endpoint to route traffic, unlike Interface Gateway, where you must explicitly set the endpoint.
More information on the configuration can be found here: create-gateway-endpoint-ddb
Many thanks for the above help. What I didn't realise (and still don't understand why) is that having unnecessary subnets configured stops the gateway working. After detaching the unnecessary subnets from my function, I now have DynamoDB working.
To enable DynamoDB access from a Lambda function within a VPC, you should use a DynamoDB Gateway Endpoint, which is the correct and preferred approach. Here's how to set it up and use it:
1. Create a Gateway Endpoint for DynamoDB in your VPC. This doesn't provide a specific DNS URL because it works at the routing level.
2. Ensure that the route table associated with your Lambda function's subnets has a route for the DynamoDB service prefix list (pl-xxxxxxxx) pointing to the gateway endpoint (vpce-xxxxxxxx).
3. Configure your Lambda function to use the VPC and the appropriate subnets.
4. Make sure your Lambda function's IAM role has the necessary permissions to access DynamoDB.
5. In your Lambda function code, you don't need to specify a special endpoint URL. Use the standard DynamoDB endpoint for your region (e.g., dynamodb.us-west-2.amazonaws.com).
The reason you don't get a specific DNS URL with a Gateway Endpoint is that it operates at the network routing level, not at the DNS level. When your Lambda function makes a request to DynamoDB, the VPC's routing table directs the traffic through the Gateway Endpoint, keeping it within the AWS network.
Regarding your confusion about DNS URLs as endpoints: For Interface Endpoints (which you mentioned trying), AWS provides DNS names because these endpoints create elastic network interfaces with private IP addresses in your VPC. However, for DynamoDB, a Gateway Endpoint is the recommended and more cost-effective solution.
If you're still having trouble connecting, double-check the following:
- Verify that the Gateway Endpoint is correctly associated with your VPC and route table.
- Ensure your Lambda function is configured to use the VPC and the correct subnets.
- Check that your Lambda function's IAM role has the necessary permissions for DynamoDB access.
- Make sure your VPC has DNS hostnames and DNS resolution enabled.
By following these steps, your Lambda function should be able to access DynamoDB through the Gateway Endpoint without needing to specify a special endpoint URL in your code.
Sources
Connect to DynamoDB from a Lambda instance in a VPC | AWS re:Post
Securing DynamoDB connections using VPC endpoints and IAM policies - Amazon DynamoDB
Lambda Function not connecting to DynamoDB via VPC | AWS re:Post
verify gateway endpoint functionality | AWS re:Post
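Step 2 of the answer above is the one that usually fails in practice: a function attached to several subnets works only if every one of those subnets resolves to a route table that carries the DynamoDB prefix-list route to the gateway endpoint. The following is an added example (not code from the thread or from AWS) that performs exactly that check offline. The route-table records are constructed inline in the shape `aws ec2 describe-route-tables` returns; in real use you would fetch them with that command, take the prefix list and endpoint IDs from `aws ec2 describe-vpc-endpoints`, and pass the function's subnet IDs from its VPC configuration. All IDs (vpc-0000, subnet-aaaa, pl-0000ddb, vpce-0000ddb, and so on) are made up for the example.

```python
"""Check that every subnet a VPC Lambda is attached to has a route for the
DynamoDB prefix list that points at the gateway endpoint (added example)."""

from typing import Dict, List, Optional

# Constructed sample resembling `aws ec2 describe-route-tables` output; only
# the fields this check reads are included. All identifiers are fictitious.
ROUTE_TABLES: List[Dict] = [
    {   # VPC main route table: used by any subnet with no explicit association
        "RouteTableId": "rtb-main0000",
        "VpcId": "vpc-0000",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # Route table associated with the gateway endpoint: AWS added the pl- route
        "RouteTableId": "rtb-ddb0001",
        "VpcId": "vpc-0000",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-aaaa", "RouteTableId": "rtb-ddb0001"},
            {"Main": False, "SubnetId": "subnet-bbbb", "RouteTableId": "rtb-ddb0001"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationPrefixListId": "pl-0000ddb", "GatewayId": "vpce-0000ddb", "State": "active"},
        ],
    },
    {   # Route table for the database subnets: no endpoint route at all
        "RouteTableId": "rtb-db0002",
        "VpcId": "vpc-0000",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-cccc", "RouteTableId": "rtb-db0002"},
        ],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]

# Constructed: in real use read these from `aws ec2 describe-vpc-endpoints`
# (ServiceName ...dynamodb, fields VpcEndpointId and the associated prefix list).
DDB_PREFIX_LIST_ID = "pl-0000ddb"
DDB_ENDPOINT_ID = "vpce-0000ddb"


def route_table_for_subnet(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main: Optional[Dict] = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_ddb_endpoint_route(route_table: Dict, prefix_list_id: str, endpoint_id: str) -> bool:
    """True if an active route sends the DynamoDB prefix list to the gateway endpoint."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("GatewayId") == endpoint_id
                and route.get("State", "active") == "active"):
            return True
    return False


def check_lambda_subnets(subnet_ids: List[str], route_tables: List[Dict],
                         prefix_list_id: str, endpoint_id: str) -> Dict[str, Dict]:
    """Map each subnet to the route table it resolves to and whether the route is present."""
    report: Dict[str, Dict] = {}
    for subnet_id in subnet_ids:
        rt = route_table_for_subnet(subnet_id, route_tables)
        report[subnet_id] = {
            "route_table": rt["RouteTableId"] if rt else None,
            "ok": bool(rt) and has_ddb_endpoint_route(rt, prefix_list_id, endpoint_id),
        }
    return report


def subnets_missing_route(subnet_ids: List[str], route_tables: List[Dict],
                          prefix_list_id: str, endpoint_id: str) -> List[str]:
    """Subnets that would send DynamoDB traffic anywhere but the gateway endpoint."""
    report = check_lambda_subnets(subnet_ids, route_tables, prefix_list_id, endpoint_id)
    return [s for s, r in report.items() if not r["ok"]]


if __name__ == "__main__":
    # subnet-dddd has no explicit association, so it falls back to the main table.
    lambda_subnets = ["subnet-aaaa", "subnet-bbbb", "subnet-cccc", "subnet-dddd"]
    for subnet, result in check_lambda_subnets(lambda_subnets, ROUTE_TABLES,
                                               DDB_PREFIX_LIST_ID, DDB_ENDPOINT_ID).items():
        status = "ok" if result["ok"] else "MISSING pl route to endpoint"
        print(f"{subnet} -> {result['route_table']}: {status}")
```

Any subnet the check flags is one a Lambda network interface can land in without a path to DynamoDB, which is the situation described in the follow-up comments (detaching subnets fixed it; adding the MySQL subnets back broke it). The fix for a flagged subnet is to associate its route table with the gateway endpoint, which, as the first answer notes, adds the prefix-list route for you.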
Many thanks for your detailed answer though if you could please break down step 2 into very simple instructions as routes/subnets/CIDR blocks is the area I really struggle with.
[ Ensure that the route table associated with your Lambda function's subnets has a route for the DynamoDB service prefix list (pl-######) pointing to the gateway endpoint (vpce-######). ]
(From my VPC lambda function) I can now access MySQL with the relevant subnets, and DynamoDB with the other subnets. I wish to access both DBs but providing the MySQL subnets breaks DynamoDB (and maybe vice versa). How can I access both DB systems?