Examining elastic network interfaces
When a Lambda function is configured to run inside a VPC, the Lambda service creates Elastic Network Interfaces (ENIs) in the subnets you specify. These ENIs are how the function connects to private resources like RDS databases.
Each ENI receives a private IP address from the subnet's CIDR range and is governed by the security group rules you attach. Lambda creates ENIs automatically — you don't need to manage them directly. However, this setup process can add time to cold starts, because Lambda must provision or reuse an ENI before the handler can execute.
AWS has significantly improved this with VPC-to-VPC NAT (Hyperplane), which allows ENIs to be shared across execution environments. This reduced VPC cold-start penalties from seconds to milliseconds for most workloads. Still, the ENI creation step remains part of the initialization lifecycle.
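To examine the ENIs described above, the following added example (not part of the original course material) groups Lambda-managed interfaces by subnet and attached security groups and checks that each private IP falls inside its subnet's CIDR range. The sample records, IDs and the function name `summarize_lambda_enis` are constructed for illustration; the record fields follow the shape of the EC2 DescribeNetworkInterfaces response.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data shaped like EC2 DescribeNetworkInterfaces output.
# With boto3 the live equivalent would come from
# ec2.describe_network_interfaces()["NetworkInterfaces"].
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0001", "InterfaceType": "lambda",
     "SubnetId": "subnet-aaa111", "PrivateIpAddress": "10.0.1.23",
     "Groups": [{"GroupId": "sg-0db01"}]},
    {"NetworkInterfaceId": "eni-0002", "InterfaceType": "lambda",
     "SubnetId": "subnet-bbb222", "PrivateIpAddress": "10.0.2.57",
     "Groups": [{"GroupId": "sg-0web2"}, {"GroupId": "sg-0db01"}]},
    # Not created by Lambda; must be ignored by the summary.
    {"NetworkInterfaceId": "eni-0003", "InterfaceType": "interface",
     "SubnetId": "subnet-aaa111", "PrivateIpAddress": "10.0.1.40",
     "Groups": [{"GroupId": "sg-0db01"}]},
]

# Constructed subnet-to-CIDR mapping (would come from DescribeSubnets).
SUBNET_CIDRS = {"subnet-aaa111": "10.0.1.0/24", "subnet-bbb222": "10.0.2.0/24"}


def summarize_lambda_enis(enis, subnet_cidrs):
    """Map (subnet, sorted security group IDs) -> private IPs of Lambda ENIs."""
    groups = defaultdict(list)
    for eni in enis:
        if eni.get("InterfaceType") != "lambda":
            continue  # only interfaces the Lambda service created
        network = ipaddress.ip_network(subnet_cidrs[eni["SubnetId"]])
        address = ipaddress.ip_address(eni["PrivateIpAddress"])
        if address not in network:
            # A mismatch means the inventory data is stale or inconsistent.
            raise ValueError(
                f"{eni['NetworkInterfaceId']}: {address} not in {network}")
        sg_ids = tuple(sorted(g["GroupId"] for g in eni["Groups"]))
        groups[(eni["SubnetId"], sg_ids)].append(str(address))
    return dict(groups)


if __name__ == "__main__":
    for (subnet, sgs), ips in summarize_lambda_enis(SAMPLE_ENIS, SUBNET_CIDRS).items():
        print(f"{subnet}  security groups={list(sgs)}  private IPs={ips}")
```

The security group IDs in each group are the rules that govern what the function can reach from that subnet, which is the first thing to review when a function is placed next to private resources such as RDS.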
Why can enabling VPC connectivity increase cold-start latency for Lambda functions?
This exercise is part of the course
Serverless Applications with AWS Lambda