
Accessing private resources in a VPC

1. Accessing private resources in a VPC

Welcome back. In this video, you'll learn what changes when Lambda runs inside a VPC: subnets, security groups, ENIs, and why private subnets need NAT for internet access.

2. What is a VPC?

A VPC is your private network in AWS. It provides address space, routing, and firewall controls so you decide how resources connect.

3. A simple analogy: a gated community

Think of a gated community. Subnets are neighborhoods, security groups are the gate rules, and NAT is the shared exit to the public internet.

4. Why run Lambda in a VPC?

Attach Lambda to a VPC when it must reach private resources, like an internal service or database. Security groups then control what it can connect to.

5. What you configure

To enable VPC access, select the subnets and a security group for the function. Lambda then gets a private IP address inside your VPC and can reach private endpoints.

6. Subnets: where your function runs

Subnets decide where the function is placed on the network. Private subnets have no direct internet route, so choose subnets that can reach what your handler needs.

7. Security groups: firewall rules

Security groups are firewall rules for the function's network interface. They control inbound and outbound traffic, and outbound rules often determine whether Lambda can reach a database.

8. ENIs and cold starts

In a VPC, Lambda may need to create and attach an ENI, an Elastic Network Interface, before invoking your handler. That extra network setup can add cold-start latency.

9. ENI analogy: plugging in a network cable

An ENI is the network connection for your function, created in your selected subnet, like plugging in a cable to get an IP address. More setup work can mean slower cold starts.

10. Outbound internet access

Private subnets usually cannot reach the public internet. If your function calls public APIs, you need outbound routing, commonly a NAT gateway, or those calls will time out.

11. When do you need NAT?

You need NAT when a private-subnet function must call public internet endpoints. If it only calls private VPC resources, NAT may be unnecessary.

12. Common symptoms when networking is wrong

Networking problems usually surface as timeouts or connection errors. Timeouts suggest a missing route or NAT gateway, while refused connections point to security group rules.
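The checks in slides 5 through 12 (subnet route table, the function's security group egress, the target's security group ingress, and the symptom each failure produces) can be worked through offline. The script below is an added example written for this page, not code from the video or from AWS. It uses constructed data shaped loosely like the dictionaries `boto3` returns from `describe_route_tables` and `describe_security_groups`; every ID (`subnet-isolated`, `sg-lambda`, `nat-0abc`, and so on) is a made-up placeholder, and `198.51.100.7` is a documentation-range address standing in for a public API endpoint.

```python
"""Offline reachability diagnosis for a Lambda function attached to a VPC (added example)."""
import ipaddress

# --- constructed sample topology (placeholder IDs, not real resources) -----
ROUTE_TABLES = {
    # private subnet: only the VPC-local route, no path to the internet
    "rtb-private": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    ],
    # private subnet whose default route points at a NAT gateway
    "rtb-private-nat": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
    ],
}
SUBNETS = {
    "subnet-isolated": {"CidrBlock": "10.0.1.0/24", "RouteTableId": "rtb-private"},
    "subnet-nat": {"CidrBlock": "10.0.2.0/24", "RouteTableId": "rtb-private-nat"},
}
SECURITY_GROUPS = {
    # least-privilege egress: Postgres inside the VPC only
    "sg-lambda": {
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        ],
    },
    # the console default: all egress everywhere
    "sg-lambda-open-egress": {
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    # database group: ingress on 5432 only from the Lambda security group
    "sg-db": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]},
        ],
    },
}


def _port_matches(perm, proto, port):
    """IpProtocol -1 means all traffic; otherwise protocol and port range must match."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _rule_allows(perm, proto, port, peer_ip, peer_sg):
    """True if one permission entry covers proto/port and the peer, by CIDR or by SG id."""
    if not _port_matches(perm, proto, port):
        return False
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
        return True
    return any(p["GroupId"] == peer_sg for p in perm.get("UserIdGroupPairs", []))


def route_target(subnet_id, dst_ip):
    """Longest-prefix match over the subnet's route table; the route target or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for route in ROUTE_TABLES[SUBNETS[subnet_id]["RouteTableId"]]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None:
        return None
    return best[1].get("GatewayId") or best[1].get("NatGatewayId")


def diagnose(subnet_id, fn_sg, dst_ip, port, dst_sg=None, proto="tcp"):
    """Return 'ok', or a string naming the symptom and the layer that causes it."""
    target = route_target(subnet_id, dst_ip)
    if target is None:
        return "timeout: %s has no route to %s (private subnet, no NAT)" % (subnet_id, dst_ip)
    egress = SECURITY_GROUPS[fn_sg].get("IpPermissionsEgress", [])
    if not any(_rule_allows(p, proto, port, dst_ip, dst_sg) for p in egress):
        return "blocked: %s egress has no rule for %s/%d to %s" % (fn_sg, proto, port, dst_ip)
    if dst_sg is not None:
        # the function's ENI gets an address inside its subnet; use the first host as a stand-in
        eni_ip = str(next(ipaddress.ip_network(SUBNETS[subnet_id]["CidrBlock"]).hosts()))
        ingress = SECURITY_GROUPS[dst_sg].get("IpPermissions", [])
        if not any(_rule_allows(p, proto, port, eni_ip, fn_sg) for p in ingress):
            return "blocked: %s ingress has no rule for %s/%d from %s" % (dst_sg, proto, port, fn_sg)
    return "ok (via %s)" % target


if __name__ == "__main__":
    print(diagnose("subnet-isolated", "sg-lambda", "10.0.5.10", 5432, dst_sg="sg-db"))
    print(diagnose("subnet-isolated", "sg-lambda-open-egress", "198.51.100.7", 443))
    print(diagnose("subnet-nat", "sg-lambda-open-egress", "198.51.100.7", 443))
    print(diagnose("subnet-nat", "sg-lambda", "198.51.100.7", 443))
```

The first call shows the intended setup working: a local route, a narrow egress rule, and a database group that admits the function by security-group reference rather than by address. The second reproduces slide 10: an isolated subnet and a public endpoint, so the only diagnosis is a missing default route. The third shows that a NAT route fixes it, and the fourth shows that even with NAT in place the least-privilege egress group still stops the call, which is the right outcome if the function has no business reaching the internet.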

13. Best practices

VPC adds complexity, so use it only for private connectivity. Keep the setup minimal, and monitor cold-start latency and connection errors.

14. Key takeaways

VPC gives Lambda private networking through subnets and security groups. ENIs can add cold-start overhead, and private subnets need NAT for outbound internet access.

15. Let's practice!

Now, let's get some practice!
