- Newest
- Most votes
- Most comments
Traffic never leaves the AWS network, but will traverse the internet portion of the AWS network as opposed to the internal portions of the AWS network.
If you run a lambda function within a VPC, and provision VPC Endpoints for all of the services that your function uses then traffic will not leave your VPC via the NAT gateway and stay entirely within the 'internal' side of AWS.
It is possible to block any internet access, if all the AWS APIs that your functions call have VPC Endpoints (or you're calling 3rd-party APIs using AWS PrivateLink).
For this example, both SNS and KMS have VPC Endpoints.
To actively block internet traffic, you can do this in multiple ways:
- Security groups let you add all your endpoints into a security group, and allow your function to only communicate with that security group and not the default 0.0.0.0/0
- Configure AWS Network Firewall on the VPC to manage egress traffic.
- Modify the route table for the subnets the functions are configured to use, and remove the default route from that subnet entirely
How far you go down this path will depend on your attitude to risk and regulatory requirements, and the cost/granularity tradeoff - the managed firewall option is more flexible, but costs more compared to using endpoints.
Relevant content
- Accepted Answerasked 9 months ago
- asked a year ago
- Accepted Answer
asked 3 years ago 
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
