lambda_local_runner/docs/lambdas-md/lambda-09-vpc-networking.md
2026-05-11 20:13:11 -03:00
# VPC & Networking
> When to put Lambda in a VPC (rarely). ENI cold start cost. NAT money pit.
## Default: no VPC
By default, Lambda runs in an AWS-managed network with internet access. It can reach S3, DynamoDB, SQS, and other AWS services via their public endpoints. **Do not put Lambda in a VPC unless you have a specific reason.** Most applications don't need it.
## When you actually need VPC
- Connecting to RDS or Aurora (which live in a private subnet)
- ElastiCache (Redis/Memcached) — VPC-only by design
- Private REST APIs or internal services on private subnets
- Compliance requirements mandating network isolation
S3, DynamoDB, SQS, SNS, and most AWS managed services do **not** require VPC placement — they're public services with public endpoints.
## ENI attachment and cold start
When Lambda is VPC-attached, each execution environment gets an Elastic Network Interface (ENI) in your VPC. Pre-2019, ENIs were allocated per cold start, adding 10–30 s to init. AWS fixed this in 2019 with Hyperplane ENIs shared across environments — today the VPC cold start penalty is ~100–500 ms on the first cold start of a new deployment, then negligible. It's no longer the dealbreaker it used to be, but it's not zero.
## Subnet and AZ placement
Specify at least two subnets in different AZs for availability. Lambda will distribute environments across AZs. If a subnet runs out of available ENI slots (IP exhaustion), Lambda scaling fails — size subnets with this in mind. /24 (254 IPs) is often too small for high-concurrency functions.
## The NAT money pit
VPC Lambda can't reach the internet by default. If your function needs to call an external API or reach an AWS service without a VPC endpoint, you need a NAT gateway in a public subnet. NAT gateways cost:
- **$0.045/hour** (~$32/month) just to exist, per AZ
- **$0.045/GB** of data processed
A function that sends 100 GB/month through NAT costs $4.50 in data alone, on top of the always-on hourly charge. Two AZs for HA = ~$64/month base cost before a single byte of traffic. This is frequently the largest unexpected cost in VPC Lambda setups.
## VPC endpoints: the free alternative
For AWS services, VPC endpoints bypass NAT and the public internet entirely. Two types:
- **Gateway endpoints** — S3 and DynamoDB only. Free; implemented as route table entries, with no data charge.
- **Interface endpoints (PrivateLink)** — any AWS service. $0.01/AZ/hr + $0.01/GB. Expensive for high throughput but often cheaper than NAT for AWS-service-heavy workloads.
For a VPC Lambda that only talks to S3 and DynamoDB: create gateway endpoints for both → no NAT needed → near-zero networking cost.
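The subnet sizing, NAT cost and endpoint-coverage points above, folded into one offline audit. This is an added example, not code from the original notes; the subnet and endpoint records are constructed to look like `describe_subnets` / `describe_vpc_endpoints` output, the function names are hypothetical, and the prices are the ones quoted in this document.

```python
"""Offline audit of a VPC-attached Lambda's networking (added example)."""

NAT_HOURLY_USD = 0.045          # per NAT gateway, per hour, per AZ (from the notes above)
NAT_PER_GB_USD = 0.045          # per GB processed through NAT
HOURS_PER_MONTH = 720           # gives the ~$32/month/AZ figure quoted above

# Constructed sample data, not real AWS output: one small subnet, two in the same AZ.
SUBNETS = {
    "subnet-aaa": {"az": "us-east-1a", "cidr": "10.0.1.0/24", "available_ips": 40},
    "subnet-bbb": {"az": "us-east-1b", "cidr": "10.0.2.0/24", "available_ips": 220},
    "subnet-ccc": {"az": "us-east-1a", "cidr": "10.0.3.0/24", "available_ips": 200},
}
# Constructed: gateway endpoints for S3 and DynamoDB exist, nothing else.
VPC_ENDPOINTS = [
    {"service": "com.amazonaws.us-east-1.s3", "type": "Gateway"},
    {"service": "com.amazonaws.us-east-1.dynamodb", "type": "Gateway"},
]


def audit_vpc_config(subnet_ids, reserved_concurrency, services_called,
                     subnets=SUBNETS, endpoints=VPC_ENDPOINTS):
    """Return AZ spread, free IPs, services that still need NAT, and findings."""
    findings = []
    azs = {subnets[s]["az"] for s in subnet_ids}
    if len(azs) < 2:
        findings.append("fewer than two AZs: no AZ-level redundancy")
    # Each VPC execution environment needs an ENI/IP in a subnet; the notes say to
    # size subnets for concurrency so scaling does not stall on IP exhaustion.
    free = sum(subnets[s]["available_ips"] for s in subnet_ids)
    if free < reserved_concurrency:
        findings.append(f"ip exhaustion risk: {free} free IPs for "
                        f"{reserved_concurrency} concurrent environments")
    # Short service name is the last label of the endpoint service name.
    covered = {e["service"].rsplit(".", 1)[-1] for e in endpoints}
    needs_nat = sorted(svc for svc in services_called if svc not in covered)
    if needs_nat:
        findings.append(f"no VPC endpoint for {needs_nat}: "
                        "traffic needs NAT or an interface endpoint")
    return {"azs": sorted(azs), "free_ips": free,
            "needs_nat": needs_nat, "findings": findings}


def monthly_nat_cost(az_count, gb_per_month):
    """Always-on hourly charge per AZ plus per-GB processing, in USD."""
    base = az_count * NAT_HOURLY_USD * HOURS_PER_MONTH
    return round(base + gb_per_month * NAT_PER_GB_USD, 2)
```

Running `audit_vpc_config(["subnet-bbb", "subnet-ccc"], 100, {"s3", "dynamodb"})` reports no findings, which is the "gateway endpoints only, no NAT" configuration described above.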
## Security groups
VPC Lambda gets a security group. Outbound rules control where it can connect. The security group of RDS/ElastiCache must allow inbound from the Lambda security group. A common pattern is to create a dedicated Lambda SG and reference it in the database SG's inbound rules — this avoids IP-range rules that break when Lambda ENIs change.