Hi,
I am baffled by a use case that I am not able to make sense of. I will appreciate some guidance. Here is the scenario.
VPC:
Created through Control Tower - Landing zone - Account creation.
VPC has 1 public subnet and 3 private subnets.
Public Subnet:
The public subnet is accessible from the IG per the route table configuration.
Resources in the public subnet are mapped to Security Groups which allow internet access.
Private Subnet:
Each private subnet is mapped in a different route table which does not have a mapping to IG.
There is no NAT Gateway in this scenario.
Therefore, no ingress or egress requests outside of VPC.
I do have VPC Endpoints for S3, Dynamodb, and KMS.
NACL:
Allows all inbound and outbound traffic from all sources. Just to keep this simple.
Lambda:
The Lambda is created using advanced configuration and is configured to run in a private subnet inside the VPC.
The Lambda has the simple job of accessing the KMS endpoint and listing all KMS CMKs.
Gateway:
Created a public API with a /GET resource mapped to the Lambda. Straightforward stuff.
Per my understanding, the VPC only has one ingress point, the IG, not bringing peering, transit gateway or private links into the mix.
Based on the above subnet design and routes, resources in the private subnet should not be accessible to requests coming from outside of the VPC. Right?
However, when I issue the GET request to the API, API Gateway is able to invoke the Lambda and get the results.
I am really confused. Any help will be appreciated.
Meanwhile, I will dig through the documentation.
Regards,
Sandeep
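The routing assumptions in the scenario above (no IG or NAT route from the subnets the function is attached to, and gateway/interface endpoints present for the services it talks to) are worth verifying mechanically rather than by reading the console, because a function's VPC configuration only governs the function's own outbound network path. Below is an added example, not code from the original post: a small offline audit that works on dicts shaped like the boto3 responses of `ec2.describe_route_tables`, `ec2.describe_vpc_endpoints` and `lambda.get_function_configuration`. All IDs (vpc-0example, rtb-*, subnet-*, igw-0example), the region, and the sample data are constructed assumptions; replace them with the real API responses to audit an actual account.

```python
"""Offline audit of the VPC/Lambda routing assumptions described in the post.

Added example, not the original poster's code. The data structures mimic boto3
responses so that real describe_* output can be dropped in unchanged.
"""
from __future__ import annotations

REGION = "us-east-1"          # assumption: region for endpoint service names
VPC_ID = "vpc-0example"       # constructed VPC id
LOCAL_CIDR = "10.0.0.0/16"    # constructed VPC CIDR

# Constructed sample mirroring the post: one public subnet (IG route) and
# three private subnets whose route tables carry only the local route.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": LOCAL_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-main", "VpcId": VPC_ID,
     "Associations": [{"Main": True}],   # fallback for unassociated subnets
     "Routes": [{"DestinationCidrBlock": LOCAL_CIDR, "GatewayId": "local"}]},
] + [
    {"RouteTableId": f"rtb-private-{az}", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": f"subnet-private-{az}"}],
     "Routes": [{"DestinationCidrBlock": LOCAL_CIDR, "GatewayId": "local"}]}
    for az in "abc"
]
SUBNET_IDS = ["subnet-public", "subnet-private-a", "subnet-private-b", "subnet-private-c"]

# Constructed: the three endpoints named in the post.
VPC_ENDPOINTS = [
    {"VpcId": VPC_ID, "VpcEndpointType": "Gateway", "ServiceName": f"com.amazonaws.{REGION}.s3"},
    {"VpcId": VPC_ID, "VpcEndpointType": "Gateway", "ServiceName": f"com.amazonaws.{REGION}.dynamodb"},
    {"VpcId": VPC_ID, "VpcEndpointType": "Interface", "ServiceName": f"com.amazonaws.{REGION}.kms"},
]

# Constructed: the VpcConfig block of the function (private subnets only).
LAMBDA_VPC_CONFIG = {"SubnetIds": ["subnet-private-a", "subnet-private-b", "subnet-private-c"],
                     "SecurityGroupIds": ["sg-0example"], "VpcId": VPC_ID}


def classify_route_table(route_table: dict) -> str:
    """'public' if a route targets an internet gateway, 'nat' if only a NAT
    gateway is reachable, otherwise 'isolated' (local and endpoint routes only)."""
    kind = "isolated"
    for route in route_table.get("Routes", []):
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            kind = "nat"
    return kind


def classify_subnets(route_tables: list[dict], subnet_ids: list[str]) -> dict[str, str]:
    """Map each subnet to the classification of its route table; subnets with
    no explicit association inherit the VPC's main route table."""
    main_kind, explicit = "unknown", {}
    for rt in route_tables:
        kind = classify_route_table(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = kind
    return {sid: explicit.get(sid, main_kind) for sid in subnet_ids}


def exposed_lambda_subnets(vpc_config: dict, classification: dict[str, str]) -> list[str]:
    """Subnets the function is attached to that are not isolated, i.e. that have
    a path to the internet via an IG or NAT (empty list is the expected result)."""
    return [sid for sid in vpc_config.get("SubnetIds", [])
            if classification.get(sid, "unknown") != "isolated"]


def missing_endpoints(endpoints: list[dict], vpc_id: str, services: list[str],
                      region: str = REGION) -> list[str]:
    """Services from `services` for which the VPC has no endpoint; an isolated
    subnet can only reach these services through such an endpoint."""
    present = {e["ServiceName"] for e in endpoints if e.get("VpcId") == vpc_id}
    return [s for s in services if f"com.amazonaws.{region}.{s}" not in present]


def run_audit() -> dict:
    """Run the three checks against the constructed sample and return a summary."""
    classification = classify_subnets(ROUTE_TABLES, SUBNET_IDS)
    return {
        "subnets": classification,
        "exposed_lambda_subnets": exposed_lambda_subnets(LAMBDA_VPC_CONFIG, classification),
        "missing_endpoints": missing_endpoints(VPC_ENDPOINTS, VPC_ID, ["s3", "dynamodb", "kms"]),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

For the sample data the audit reports the three private subnets as `isolated`, no exposed Lambda subnets, and no missing endpoints, which is exactly the state the post describes; the same functions will flag a stray `0.0.0.0/0` route or a forgotten KMS endpoint when run on real account data.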