Lambda Networking

Learn how AWS Lambda connects by default and explore strategies for accessing private VPC resources or enforcing stricter controls.

Default Lambda Service VPC

When you create a Lambda function, AWS places it into a managed Virtual Private Cloud (VPC) called the Lambda service VPC. This isolated environment lets Lambda scale automatically without requiring your own VPC infrastructure.

The image is a diagram illustrating AWS Lambda networking within a cloud environment, showing connections between Lambda functions, EC2 instances, and databases within Virtual Private Clouds (VPCs).

Key features of the default Lambda service VPC:

  • Outbound Internet Access: enabled by default, so the function can call public endpoints.
  • AWS Service Connectivity: direct access to AWS APIs, governed by the IAM permissions of the execution role.

Note

The Lambda service VPC has no route into your own VPCs, so a function there cannot reach EC2 instances, private databases, or anything else on your private subnets, and its outbound internet access cannot be switched off. The options below cover reaching private resources from the function, reaching the function privately from your VPC, and locking down internet access.

Connecting to Private VPC Resources

Two patterns connect a function with your private VPC, and they solve different problems:

  1. Deploy the function inside your VPC, so its code can reach private resources. The function loses its default internet access unless you add a NAT gateway.
  2. Keep the function in the Lambda service VPC and create an interface VPC endpoint for the Lambda API in your VPC, so resources on your private subnets can invoke the function without traversing the internet.

The image illustrates a Lambda networking setup with two Virtual Private Clouds (VPCs) connected via an interface endpoint.

Option 1: Run Lambda in Your Private VPC

Attach your function to a custom VPC via the Lambda console:

  1. Open your function and scroll to Advanced settings.
  2. Choose your VPC, select private subnets in at least two Availability Zones, and assign a security group whose egress rules allow only the destinations the function needs.
  3. Save to deploy the function inside your VPC. The execution role must be allowed to create and delete ENIs in your subnets; the AWS-managed AWSLambdaVPCAccessExecutionRole policy grants exactly that.

The image shows a screenshot of the "Advanced settings" section for configuring AWS Lambda networking options, including code signing, function URL, tags, and VPC settings.

Consider these trade-offs when running Lambda in a private VPC:

  • High Availability: attach one private subnet in each of at least two AZs. A function attached to a single subnet goes down with that AZ; with several, Lambda keeps running in the healthy AZs.
  • Internet Connectivity: a VPC-attached function loses the default outbound internet access. Lambda ENIs never receive public IP addresses, so an internet gateway alone does not help; route the private subnets through a NAT gateway, with one NAT gateway per AZ so that an AZ failure does not also cut off egress.
  • AWS Service Access: calls to AWS APIs need a path too, either through the NAT gateway or, preferably, through interface endpoints (and gateway endpoints for S3 and DynamoDB), which keep the traffic inside the AWS network and let you attach an endpoint policy. Without either, SDK calls time out.
  • Additional Costs: NAT gateways and interface endpoints carry hourly and per-GB charges.
  • ENI Limits: Lambda creates a shared Hyperplane ENI in each attached subnet for every distinct security-group combination; all executions of functions with the same subnet and security-group configuration share those ENIs, so concurrency itself does not consume ENIs. They still count against the per-VPC and per-Region ENI quotas, alongside the ENIs of your other resources.

Warning

If the ENI quota is exhausted, Lambda cannot create the ENIs a new VPC configuration needs and invocations of that function fail until the quota is raised or ENIs are released. Check the quota in Service Quotas before attaching many functions with different subnet and security-group combinations, and request an increase if necessary.
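The same attachment expressed in Terraform, as an added example that is not code from the course page: it wires the function to private subnets, builds a least-privilege security-group pair between the function and its database, and attaches the execution-role policy Lambda needs to manage ENIs. The VPC, subnets, database and endpoint security groups, function name and deployment artifact are all assumed placeholders.

```hcl
# Added example (Terraform, AWS provider 5.x); not part of the course page.
# Assumed inputs: an existing VPC, private subnets in at least two AZs, a
# database security group and a security group on your interface endpoints.
# All names and IDs below are placeholders.

variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }   # one private subnet per AZ
variable "db_security_group_id" { type = string }       # SG attached to the database
variable "endpoint_security_group_id" { type = string } # SG attached to interface endpoints

# Security group for the function's ENIs. Nothing connects inbound to a Lambda
# ENI, so it has no ingress rules, and egress is limited to what the code needs.
resource "aws_security_group" "lambda" {
  name        = "orders-fn"
  description = "Lambda egress: database and VPC endpoints only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_db" {
  security_group_id            = aws_security_group.lambda.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  referenced_security_group_id = var.db_security_group_id
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_endpoints" {
  security_group_id            = aws_security_group.lambda.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = var.endpoint_security_group_id
}

# The database side must admit the function's SG. Referencing the SG instead of
# a CIDR means the rule follows whichever ENIs Lambda creates in the subnets.
resource "aws_vpc_security_group_ingress_rule" "db_from_lambda" {
  security_group_id            = var.db_security_group_id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  referenced_security_group_id = aws_security_group.lambda.id
}

# Execution role. The managed VPC access policy grants the ec2 network-interface
# permissions Lambda needs to create, describe and delete ENIs in your subnets.
resource "aws_iam_role" "lambda" {
  name = "orders-fn-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "orders" {
  function_name = "orders"
  role          = aws_iam_role.lambda.arn
  runtime       = "python3.12"
  handler       = "app.handler"
  filename      = "orders.zip" # assumed build artifact

  vpc_config {
    # Private subnets only: Lambda ENIs never get public IPs, so a public subnet
    # would give no internet access and would only widen exposure.
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

After `terraform apply`, `aws lambda get-function-configuration --function-name orders --query VpcConfig` shows the attached subnets and security group, and `aws ec2 describe-network-interfaces --filters Name=interface-type,Values=lambda` lists the Hyperplane ENIs Lambda created: one per subnet for this security-group combination, not one per invocation.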

Option 2: Use an Interface VPC Endpoint

Keep the function in the Lambda service VPC and create an interface endpoint for the Lambda API (com.amazonaws.<region>.lambda) in your private VPC. Note the direction of this connection: it lets EC2 instances and other resources on your private subnets call the Lambda API (Invoke and the management actions) over private IP addresses with no internet or NAT gateway; it does not give the function itself a route to your private resources, which still requires Option 1. This approach offers:

  • Private, TLS-protected connectivity from your VPC to the Lambda API, with an endpoint policy and a security group that limit which callers and which API actions pass through it
  • The internet and AWS service access that the Lambda service VPC already gives the function, unchanged
  • No Lambda ENIs in your VPC, so no ENI quota impact and no NAT gateway
  • A small hourly cost per endpoint plus a per-GB data processing charge

To configure:

  1. Open the VPC console.
  2. Select Endpoints > Create Endpoint.
  3. Choose AWS services and pick com.amazonaws.<region>.lambda.
  4. Associate it with one private subnet per AZ and a security group that allows inbound HTTPS (port 443) only from the callers you intend.
  5. Leave Enable DNS name selected so that lambda.<region>.amazonaws.com resolves to the endpoint inside the VPC, and optionally attach an endpoint policy limiting the allowed actions and function ARNs.
  6. Create the endpoint.

Once the endpoint is up, callers inside the VPC reach the Lambda API without code changes (with private DNS enabled, the SDK's default endpoint resolves to the endpoint's private IPs), the endpoint policy decides which functions and actions they may use, and no NAT gateway or Lambda ENIs are involved. The function itself still runs outside your VPC, so function code that needs a private database still calls for Option 1.
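An added Terraform example, not code from the course page, of the endpoint with the two controls the console steps otherwise leave at their defaults: a security group that admits only the app tier, and an endpoint policy that allows only InvokeFunction on a single function. The VPC, subnets, app-tier security group and function name are assumed placeholders.

```hcl
# Added example (Terraform, AWS provider 5.x); not part of the course page.
# Assumed inputs: the VPC and private subnets that host an EC2 app tier, and the
# app tier's security group. Names are placeholders.

variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) } # one subnet per AZ for HA
variable "app_security_group_id" { type = string }    # SG on the instances that call Lambda

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# The endpoint's security group decides which callers may reach the Lambda API
# through it: HTTPS from the app tier only.
resource "aws_security_group" "lambda_endpoint" {
  name        = "lambda-api-endpoint"
  description = "HTTPS to the Lambda API endpoint from the app tier"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "https_from_app" {
  security_group_id            = aws_security_group.lambda_endpoint.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = var.app_security_group_id
}

resource "aws_vpc_endpoint" "lambda" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${data.aws_region.current.name}.lambda"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.lambda_endpoint.id]

  # With private DNS, lambda.<region>.amazonaws.com resolves to the endpoint's
  # private IPs inside the VPC, so unmodified SDK clients use it automatically.
  private_dns_enabled = true

  # Endpoint policy: the only API action allowed through this endpoint is
  # invoking the one function, whatever the caller's own IAM role permits.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "lambda:InvokeFunction"
      Resource  = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:orders"
    }]
  })
}
```

To verify from an instance in the app tier: `nslookup lambda.<region>.amazonaws.com` should return addresses from the VPC's private ranges, `aws lambda invoke --function-name orders /dev/stdout` should succeed with no NAT or internet gateway on the subnet's route table, and `aws lambda list-functions` from the same instance should be denied, because the endpoint policy allows nothing but InvokeFunction on that one ARN.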
