# VPC & Networking

When to put Lambda in a VPC (rarely). ENI cold start cost. NAT money pit.

## Default: no VPC

By default, Lambda runs in an AWS-managed network with internet access. It can reach S3, DynamoDB, SQS, and other AWS services via their public endpoints.

**Do not put Lambda in a VPC unless you have a specific reason.** Most applications don't need it.

## When you actually need VPC

- Connecting to RDS or Aurora (which live in a private subnet)
- ElastiCache (Redis/Memcached), which is VPC-only by design
- Private REST APIs or internal services on private subnets
- Compliance requirements mandating network isolation

S3, DynamoDB, SQS, SNS, and most AWS managed services do **not** require VPC placement: they're public services with public endpoints.

## ENI attachment and cold start

When Lambda is VPC-attached, it needs Elastic Network Interfaces (ENIs) in your subnets to reach your resources. Pre-2019, an ENI was allocated per execution environment at cold start, adding roughly 10–30 s to init. AWS fixed this in 2019 with Hyperplane: Lambda now creates an ENI per unique subnet and security-group combination when the function is created or its VPC config changes, and that ENI is shared across execution environments (more are added under heavy load). Today the VPC cold-start penalty is on the order of 100–500 ms on the first cold start after a deployment, then negligible. It's no longer the dealbreaker it used to be, but it's not zero.

The function's execution role must be allowed to manage those ENIs (`ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces`, `ec2:DeleteNetworkInterface`). The managed policy `AWSLambdaVPCAccessExecutionRole` grants exactly that; without it, the function cannot be deployed into the VPC.

## Subnet and AZ placement

Specify at least two subnets in different AZs for availability; Lambda distributes execution environments across them. Use private subnets: Lambda ENIs never receive a public IP, so placing the function in a public subnet gives it no internet access anyway (see the NAT section below).

If a subnet runs out of free IP addresses, Lambda cannot create the ENIs it needs and scaling fails, so size subnets with that in mind and monitor their available-address count. Hyperplane made this much less likely than it was, because Lambda consumes a handful of ENIs per subnet/security-group combination rather than one per execution environment. A /24 (251 usable addresses once AWS reserves its five) can still run dry when the subnet is shared with RDS, interface endpoints, Fargate tasks, or many functions using distinct security groups.

## The NAT money pit

VPC Lambda can't reach the internet by default, and that includes the public endpoints of AWS services. If your function needs to call an external API or reach an AWS service without a VPC endpoint, you need a NAT gateway in a public subnet and a default route to it from the Lambda subnets.

NAT gateways cost (us-east-1 list prices):

- **$0.045/hour** (~$32/month) just to exist, per AZ
- **$0.045/GB** of data processed

A function that sends 100 GB/month through NAT costs $4.50 in data alone, on top of the always-on hourly charge. The classic waste is S3 or DynamoDB traffic flowing through NAT when a free gateway endpoint would carry it.
Two AZs for HA = ~$64/month base cost before a single byte of traffic. This is frequently the largest unexpected cost in VPC Lambda setups.

## VPC endpoints: the free alternative

For AWS services, VPC endpoints bypass NAT and the public internet entirely. Two types:

- **Gateway endpoints**: S3 and DynamoDB only. Free. Implemented as entries in the route tables of the subnets that use them; no hourly or data charge.
- **Interface endpoints (PrivateLink)**: most other AWS services, one endpoint per service. $0.01/AZ/hr + $0.01/GB. Per AZ that is well under a quarter of a NAT gateway's hourly rate and under a quarter of its per-GB rate, so a single interface endpoint is always cheaper than NAT for the same traffic. The hourly charges add up when you need endpoints for many services, and on a low-traffic VPC that is where NAT can come out ahead.

For a VPC Lambda that only talks to S3 and DynamoDB: create gateway endpoints for both, associate them with the route tables of the Lambda subnets, and no NAT is needed, so networking cost is near zero.

Both endpoint types accept an endpoint policy. Restrict the S3 gateway endpoint to the buckets your workload owns: otherwise the same endpoint that keeps your traffic private also gives a compromised function a private path to any bucket, including an attacker's. Gateway endpoints are regional, so the S3 endpoint only covers buckets in the same region.

## Security groups

A VPC Lambda gets one or more security groups, and only the outbound rules matter: nothing opens connections to a Lambda ENI, so inbound rules are irrelevant. The default security group allows all outbound; tighten the Lambda SG to the database port and the endpoint or NAT destinations the function actually needs. The security group of RDS/ElastiCache must allow inbound from the Lambda security group. A common pattern is to create a dedicated Lambda SG and reference it in the database SG's inbound rules. This avoids IP-range rules that break when Lambda ENIs change, which they do whenever the function's VPC configuration is updated.
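As an added example (written for this page, not code from the original or from AWS), here is a small offline audit of a VPC-attached function against the subnet-placement and security-group points above. The input dicts are constructed to match the shape of the boto3 `get_function_configuration`, `describe_subnets` and `describe_security_groups` responses; the resource IDs, the `sg-db` database group on port 5432 and the 32-free-IP threshold are assumptions for illustration. Swap the constants for real client calls to run it against an account.

```python
"""Audit a VPC-attached Lambda for AZ spread, IP headroom and SG hygiene.

Added example, not code from the original page. Runs offline on constructed
dicts shaped like boto3 responses; replace them with real API calls to use it.
"""

# Constructed sample data (not real resources); shaped like boto3 responses.
FUNCTION_CONFIG = {  # get_function_configuration
    "FunctionName": "orders-worker",
    "VpcConfig": {
        "VpcId": "vpc-0a1b2c3d",
        "SubnetIds": ["subnet-aaa", "subnet-bbb"],
        "SecurityGroupIds": ["sg-lambda"],
    },
}

SUBNETS = {  # describe_subnets; both subnets wrongly share one AZ
    "Subnets": [
        {"SubnetId": "subnet-aaa", "AvailabilityZone": "us-east-1a",
         "CidrBlock": "10.0.1.0/24", "AvailableIpAddressCount": 200},
        {"SubnetId": "subnet-bbb", "AvailabilityZone": "us-east-1a",
         "CidrBlock": "10.0.2.0/24", "AvailableIpAddressCount": 12},
    ]
}

SECURITY_GROUPS = {  # describe_security_groups
    "SecurityGroups": [
        {"GroupId": "sg-lambda", "IpPermissions": [],
         "IpPermissionsEgress": [{"IpProtocol": "-1",  # default allow-all egress
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                  "UserIdGroupPairs": []}]},
        {"GroupId": "sg-db",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                            "IpRanges": [{"CidrIp": "10.0.0.0/16"}],  # CIDR, not SG ref
                            "UserIdGroupPairs": []}],
         "IpPermissionsEgress": []},
    ]
}


def audit_lambda_vpc(fn_config, subnets, security_groups, db_sg_id, db_port,
                     min_free_ips=32):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    vpc = fn_config.get("VpcConfig") or {}
    subnet_ids = vpc.get("SubnetIds", [])
    lambda_sgs = set(vpc.get("SecurityGroupIds", []))
    if not subnet_ids:
        return ["function is not VPC-attached; nothing to audit"]

    # 1. At least two subnets in at least two AZs, each with IP headroom for ENIs.
    by_id = {s["SubnetId"]: s for s in subnets["Subnets"]}
    azs = {by_id[s]["AvailabilityZone"] for s in subnet_ids if s in by_id}
    if len(subnet_ids) < 2 or len(azs) < 2:
        findings.append(f"subnets {subnet_ids} span only AZs {sorted(azs)}; use >=2 AZs")
    for sid in subnet_ids:
        free = by_id.get(sid, {}).get("AvailableIpAddressCount", 0)
        if free < min_free_ips:
            findings.append(f"{sid} has {free} free IPs (< {min_free_ips}); ENI creation may fail")

    # 2. Lambda SG egress: the default all-protocols/anywhere rule is a finding.
    sgs = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    for sg_id in sorted(lambda_sgs):
        for rule in sgs.get(sg_id, {}).get("IpPermissionsEgress", []):
            open_cidr = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
            if rule["IpProtocol"] == "-1" and open_cidr:
                findings.append(f"{sg_id} allows all outbound; restrict egress to port {db_port} and endpoints")

    # 3. DB SG must admit the DB port by referencing the Lambda SG, not a CIDR.
    referenced = False
    for rule in sgs.get(db_sg_id, {}).get("IpPermissions", []):
        covers_port = (rule["IpProtocol"] == "-1"
                       or rule.get("FromPort", 0) <= db_port <= rule.get("ToPort", 65535))
        if not covers_port:
            continue
        if any(p["GroupId"] in lambda_sgs for p in rule.get("UserIdGroupPairs", [])):
            referenced = True
        for r in rule.get("IpRanges", []):
            findings.append(f"{db_sg_id} opens port {db_port} to CIDR {r['CidrIp']}; "
                            f"reference {sorted(lambda_sgs)} instead")
    if not referenced:
        findings.append(f"{db_sg_id} has no inbound rule on port {db_port} referencing the "
                        f"Lambda SG; connections will time out")
    return findings


if __name__ == "__main__":
    for f in audit_lambda_vpc(FUNCTION_CONFIG, SUBNETS, SECURITY_GROUPS, "sg-db", 5432):
        print("FINDING:", f)
```

On the constructed input this reports five findings: a single-AZ placement, a subnet with too few free addresses, an allow-all egress rule on the Lambda group, a CIDR-based database rule, and the missing security-group reference. Fixing the sample to two AZs and SG-to-SG references returns an empty list. The egress check deliberately flags only the all-protocols/anywhere rule; a narrow rule such as TCP 443 to `0.0.0.0/0` for NAT-bound API calls is legitimate and passes.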