I want to give my VPC-enabled AWS Lambda function Internet access. How can I do this?

If your Lambda function needs to access private VPC resources (for example, an Amazon RDS DB instance or Amazon EC2 instance), you must associate the function with a VPC. Note that a function attached to a VPC loses the Internet access it has by default when it is not attached: the elastic network interfaces that Lambda creates in your subnets have only private IP addresses, so an Internet gateway by itself does not help. If your function also requires Internet access (for example, to reach a public service endpoint such as Amazon DynamoDB), your function must use a NAT gateway or NAT instance. (For DynamoDB specifically, a VPC endpoint is an alternative that avoids the NAT entirely.)

To add a VPC configuration to your Lambda function, you must associate it with at least one subnet. If the function needs Internet access, you need to follow two rules:

  • The function should only be associated with private subnets. A function placed in a public subnet gets no public IP address, so it cannot use the Internet gateway and has no Internet access at all.
  • Your VPC should contain a NAT gateway or NAT instance in a public subnet, and the private subnets' route tables must send Internet-bound traffic to it.

Whether a subnet is public or private depends on its route table. The default route (destination 0.0.0.0/0), if the route table has one, determines the next hop for packets that have a public destination; a subnet whose route table has no default route can reach only the VPC itself. A subnet that is not explicitly associated with a route table uses the VPC's main route table, so check that table too.

  • Private subnet: the default route points to a NAT gateway (nat-...) or NAT instance (eni-...).
  • Public subnet: the default route points to an Internet gateway (igw-...).

If your VPC already has a public subnet (containing a NAT) and one or more private subnets for your Lambda function, then you only need to follow the steps in "Configure your function".

Configure your function

Identify your private and public subnets:

  1. In the VPC console, from the navigation pane, choose Subnets.
  2. Select a subnet, and then choose the Route Table tab. Verify the default route:
    public subnet: Destination: 0.0.0.0/0, Target: igw-…
    private subnet: Destination: 0.0.0.0/0, Target: nat-… or eni-…

Associate the function with private subnets:

  1. In the Lambda console, choose your function, and then choose Configuration.
  2. Expand Advanced settings, expand VPC, and then choose your VPC.
  3. Expand Subnets and choose only private subnets.
  4. Expand Security Groups, choose a security group whose outbound rules allow the traffic your function sends (the default security group rules allow all outbound traffic), and then choose Save. The function's execution role must also be allowed to create and manage elastic network interfaces; the AWSLambdaVPCAccessExecutionRole managed policy grants these permissions.
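The subnet check in the two procedures above can be scripted against the output of `aws ec2 describe-route-tables`, which is useful when a VPC has many subnets or when a subnet silently falls back to the main route table. The following is an added example, not code from this article or from AWS; it assumes only the JSON shapes of the DescribeRouteTables API and of the VpcConfig block returned by `aws lambda get-function-configuration`. The VPC layout and all resource IDs (vpc-example, subnet-pub-a, nat-example and so on) are constructed for illustration.

```python
"""Classify VPC subnets from `aws ec2 describe-route-tables` output and check
that a Lambda function's VPC configuration uses only private subnets.

Added example, not code from the Knowledge Center article. Input shapes are
those of the AWS CLI / DescribeRouteTables API; the sample VPC layout and
every resource ID below are constructed for illustration."""
import json
import sys

# Constructed sample VPC: a main route table with no default route, a public
# route table behind an Internet gateway, and a private route table behind a
# NAT gateway. subnet-iso-a has no explicit association, so it uses the main
# route table and is isolated (no Internet access in either direction).
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-main",
            "VpcId": "vpc-example",
            "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        },
        {
            "RouteTableId": "rtb-public",
            "VpcId": "vpc-example",
            "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-private",
            "VpcId": "vpc-example",
            "Associations": [
                {"Main": False, "SubnetId": "subnet-priv-a"},
                {"Main": False, "SubnetId": "subnet-priv-b"},
            ],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
            ],
        },
    ]
}


def default_route_kind(route_table):
    """Return public / private / isolated / blackhole / other for one route table."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            return "blackhole"      # NAT target was deleted; the route forwards nothing
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"         # igw-...
        if route.get("NatGatewayId"):
            return "private"        # nat-...
        if route.get("NetworkInterfaceId") or route.get("InstanceId"):
            return "private"        # NAT instance: eni-... (or i-...)
        return "other"              # e.g. peering or transit gateway: not an Internet path
    return "isolated"               # no default route: VPC-local traffic only


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """Explicitly associated table if there is one, else the VPC's main route table."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id, vpc_id, route_tables):
    rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
    if rt is None:
        raise ValueError(f"no route table found for {subnet_id} in {vpc_id}")
    return default_route_kind(rt)


def check_lambda_vpc_config(vpc_config, route_tables):
    """vpc_config is the VpcConfig block of `aws lambda get-function-configuration`.
    Returns 'subnet: kind' for every configured subnet that is not private."""
    problems = []
    for subnet_id in vpc_config["SubnetIds"]:
        kind = classify_subnet(subnet_id, vpc_config["VpcId"], route_tables)
        if kind != "private":
            problems.append(f"{subnet_id}: {kind}")
    return problems


if __name__ == "__main__":
    # Usage: aws ec2 describe-route-tables --output json | python check_vpc.py <vpc-id> <subnet-id>...
    # Without arguments the script runs against the constructed sample above.
    if len(sys.argv) > 2:
        tables = json.load(sys.stdin)
        cfg = {"VpcId": sys.argv[1], "SubnetIds": sys.argv[2:]}
    else:
        tables = SAMPLE_ROUTE_TABLES
        cfg = {"VpcId": "vpc-example", "SubnetIds": ["subnet-priv-a", "subnet-pub-a", "subnet-iso-a"]}
    for line in check_lambda_vpc_config(cfg, tables) or ["all subnets are private: OK"]:
        print(line)
```

A "blackhole" result is the case to watch for after someone deletes or replaces a NAT gateway or NAT instance: the route table still shows a 0.0.0.0/0 entry, but the function's outbound connections will hang until it is repointed.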

To create a public or private subnet

  1. In the VPC console, from the navigation pane, choose Subnets.
  2. To create a new subnet, choose Create Subnet. Otherwise, choose an existing subnet.
  3. Choose the Route Table tab, and then choose Edit.
  4. From the Change to: drop-down menu, choose an appropriate route table:

For a private subnet, the default route should point to a NAT gateway or NAT instance:

Destination: 0.0.0.0/0
Target: nat-… (or eni-…)

For a public subnet, the default route should point to an Internet gateway:

Destination: 0.0.0.0/0
Target: igw-…

To create a route table for a public or private subnet

  1. In the VPC console, choose Route Tables, and then choose Create Route Table.
  2. In the Name tag field, enter a name that is meaningful to you, select the VPC drop-down menu and choose your VPC, and then choose Yes, Create.
  3. Select the new route table, and then choose the Routes tab.
  4. Choose Edit, and then choose Add another route.
    Destination: 0.0.0.0/0
    Target:
    For a private subnet with a NAT instance: eni-…
    For a private subnet with a NAT gateway: nat-…
    For a public subnet: igw-…

To create an Internet gateway:

  1. In the VPC console, from the navigation pane, choose Internet Gateways, and then choose Create Internet Gateway.
  2. In the Name tag field, enter a name and then choose Yes, Create.
  3. Select the Internet gateway, and then choose Attach to VPC.

To create a NAT gateway:

  1. In the VPC console, from the navigation pane, choose NAT Gateways, and then choose Create NAT Gateway.
  2. In the Subnet field, choose a public subnet.
  3. In the Elastic IP Allocation ID field, choose an existing Elastic IP address, or select Create New EIP, and then choose Create a NAT Gateway.


Published: 2017-09-06