How do I subscribe a private HTTP or HTTPS endpoint to my Amazon SNS topic?

4 minute read

I want to subscribe a private HTTP or HTTPS endpoint to my Amazon Simple Notification Service (Amazon SNS) topic. How do I set that up?

Short description

To subscribe a private HTTP or HTTPS endpoint to an Amazon SNS topic, do the following:

Create an Amazon Virtual Private Cloud (Amazon VPC) security group (LambdaSG) in the same Amazon VPC as the private endpoint.
Create an AWS Lambda function inside the same Amazon VPC and subnet as the private endpoint and add it to the LambdaSG security group.
Edit the private endpoint's security group's rules to allow inbound connection from the Lambda function's security group.
Configure the Lambda function so that it passes incoming Amazon SNS notifications to the private endpoint.
Subscribe the Lambda function to your Amazon SNS topic.

Resolution

Create an Amazon VPC security group (LambdaSG) in the same Amazon VPC as the private endpoint

1. Open the Amazon VPC console.

2. In the left navigation panel, under Security, choose Security Groups. Then, choose Create security group.

3. For Security group name, enter LambdaSG.

4. For VPC, choose the Amazon VPC that the private endpoint is in.

5. Choose Create security group.

Create a Lambda function inside the same Amazon VPC and subnet as the private endpoint and add it to the LambdaSG security group

1. Open the Lambda console.

2. Choose Create function.

3. Choose Author from scratch.

4. For Function name, enter a name that describes the purpose of your function. For example, Private-endpoint-Amazon-SNS-topic-subscription.

5. For Runtime, choose Python 3.8.

6. Choose Advanced settings.

7. For VPC - optional, choose the Amazon VPC that the private endpoint is in. Dropdown lists for Subnets and Security groups appear.

8. For Subnets, choose the subnet that the private endpoint is in.

9. For Security groups, choose LambdaSG.

10. Choose Create function.

Edit the private endpoint's security group's rules to allow inbound connection from the Lambda function's security group

1. Open the Amazon VPC console.

2. In the left navigation panel, under Security, choose Security Groups.

3. Choose the name of the private endpoint's security group.

4. Choose Edit inbound rules.

5. For Type, choose HTTP or HTTPS, depending on your use case. The Protocol and Port range fields are populated automatically.

6. For Source, choose Custom. Then, choose the LambdaSG security group.

7. Choose Save rules.

Configure the Lambda function so that it passes incoming Amazon SNS notifications to the private endpoint

1. Create a Lambda deployment package that includes your Lambda function's Python requests library. Follow the instructions in Create the deployment package in Tutorial: Creating a Lambda function in Python 3.8. For step 3, replace the code provided in the tutorial with the following example code snippet.

Python code snippet that uses the requests library to post the incoming notifications from Amazon SNS to the private endpoint

Important: Replace the url value with the URL of your private endpoint.

import json
import requests
 
def lambda_handler(event, context):
    url = "<PRIVATE_HTTP/S_ENDPOINT_URL>"
 
    sns_message_payload = event["Records"][0]["Sns"]
 
    sns_message_headers = {
        "x-amz-sns-message-id": sns_message_payload['MessageId'],
        "x-amz-sns-message-type": sns_message_payload["Type"],
        "x-amz-sns-subscription-arn" : event["Records"][0]["EventSubscriptionArn"],
        "x-amz-sns-topic-arn" : sns_message_payload["TopicArn"]
    }
 
    try:
        r = requests.post(url = url, data = json.dumps(sns_message_payload), headers = sns_message_headers)
    except Exceptions as e:
        print(e)
 
    print(r.content)
 
    return {
        'statusCode': 200,
        'body': json.dumps(r.content)
    }

2. Use the deployment package to update the Lambda function that you created earlier.

Subscribe the Lambda function to your Amazon SNS topic

Follow the instructions in How do I subscribe a Lambda function to an Amazon SNS topic in the same account?

Topics

Application Integration

Relevant content

Solution to subscribe to an SNS topic from different region - aws-managed-waf-rule-notifications
Accepted Answer
Andre
asked 5 months ago
configservice subscribe requires sns-topic, but console does not
someawsuser1234
asked 5 years ago
Number messageAttribute delivered as String in Lambda subscriber to SNS Topic
Accepted Answer
CP_2022
asked 2 years ago
SNS subscribe HTTPS endpoint
Noaman Saiyed
asked a year ago
SNS HTTPS Subscription - Invalid parameter: Unreachable Endpoint
AG
asked 2 years ago
How do I subscribe a Lambda function to an Amazon SNS topic in the same account?
AWS OFFICIALUpdated 3 years ago
How do I troubleshoot issues when I subscribe an HTTP(S) endpoint to my Amazon SNS topic?
AWS OFFICIALUpdated 4 months ago
How do I configure my cross-account Amazon SQS endpoint to the Amazon SNS topic?
AWS OFFICIALUpdated 10 months ago
Why can't I publish or subscribe to an Amazon SNS topic?
AWS OFFICIALUpdated 2 years ago
Access a private Amazon Redshift from a local machine via a private EC2 instance
EXPERT
Ziad
published 6 months ago