update docs

2026-05-11 20:13:11 -03:00
commit 2ffabb672e
40 changed files with 5869 additions and 0 deletions


@@ -0,0 +1,46 @@
# VPC & Networking
> When to put Lambda in a VPC (rarely). ENI cold start cost. NAT money pit.
## Default: no VPC
By default, Lambda runs in an AWS-managed network with internet access. It can reach S3, DynamoDB, SQS, and other AWS services via their public endpoints. **Do not put Lambda in a VPC unless you have a specific reason.** Most applications don't need it.
## When you actually need VPC
- Connecting to RDS or Aurora (which live in a private subnet)
- ElastiCache (Redis/Memcached) — VPC-only by design
- Private REST APIs or internal services on private subnets
- Compliance requirements mandating network isolation
S3, DynamoDB, SQS, SNS, and most AWS managed services do **not** require VPC placement — they're public services with public endpoints.
## ENI attachment and cold start
When Lambda is VPC-attached, each execution environment gets an Elastic Network Interface (ENI) in your VPC. Pre-2019, ENIs were allocated per cold start, adding 1030 s to init. AWS fixed this in 2019 with hyperplane ENIs shared across environments — today the VPC cold start penalty is ~100500 ms on the first cold start of a new deployment, then negligible. It's no longer the dealbreaker it used to be, but it's not zero.
## Subnet and AZ placement
Specify at least two subnets in different AZs for availability. Lambda will distribute environments across AZs. If a subnet runs out of available ENI slots (IP exhaustion), Lambda scaling fails — size subnets with this in mind. /24 (254 IPs) is often too small for high-concurrency functions.
## The NAT money pit
VPC Lambda can't reach the internet by default. If your function needs to call an external API or reach an AWS service without a VPC endpoint, you need a NAT gateway in a public subnet. NAT gateways cost:
- **$0.045/hour** (~$32/month) just to exist, per AZ
- **$0.045/GB** of data processed
A function that sends 100 GB/month through NAT costs $4.50 in data alone, on top of the always-on hourly charge. Two AZs for HA = ~$64/month base cost before a single byte of traffic. This is frequently the largest unexpected cost in VPC Lambda setups.
## VPC endpoints: the free alternative
For AWS services, VPC endpoints bypass NAT and the public internet entirely. Two types:
- **Gateway endpoints** — S3 and DynamoDB only. Free. Route table entries. No data charge.
- **Interface endpoints (PrivateLink)** — any AWS service. $0.01/AZ/hr + $0.01/GB. Expensive for high throughput but often cheaper than NAT for AWS-service-heavy workloads.
For a VPC Lambda that only talks to S3 and DynamoDB: create gateway endpoints for both → no NAT needed → near-zero networking cost.
## Security groups
VPC Lambda gets a security group. Outbound rules control where it can connect. The security group of RDS/ElastiCache must allow inbound from the Lambda security group. A common pattern is to create a dedicated Lambda SG and reference it in the database SG's inbound rules — this avoids IP-range rules that break when Lambda ENIs change.
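Review bot: the numeric ranges in the "ENI attachment and cold start" paragraph have lost their separators: "adding 1030 s to init" and "~100500 ms on the first cold start" read as single numbers, and a reader will take them literally; they are presumably "10-30 s" and "~100-500 ms" and should be restored before this lands. Two smaller points on the same hunk: in the VPC endpoints list, "Interface endpoints (PrivateLink)" followed by "any AWS service" overstates it, since most but not all services expose an interface endpoint, so "most AWS services" is safer; and the NAT section should say explicitly that the Lambda function's own subnets must be private subnets whose route table points at the NAT gateway, because the sentence "you need a NAT gateway in a public subnet" leaves that routing step implicit and it is the usual reason a VPC-attached function still cannot reach the internet.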