0
votes

I have an EC2 instance in a VPC. I created a Lambda function without configuring a VPC (so the Lambda console shows "No VPC"), but it can still start and stop the EC2 instance (in the Lambda service role, I granted permission to start and stop EC2). Question 1: why can the Lambda access EC2 even though it is not in the VPC of the EC2 instance?

However, the same Lambda function cannot access the web server installed on the EC2 instance via http://website_of_ec2.com unless I configure the Lambda with a VPC, subnet and security group (the same VPC as the EC2 instance). Question 2: why does the Lambda need a VPC configured in this case?


1 Answer

2
votes

I have an EC2 instance in a VPC. I created a Lambda function without configuring a VPC (so the Lambda console shows "No VPC"), but it can still start and stop the EC2 instance (in the Lambda service role, I granted permission to start and stop EC2). Question 1: why can the Lambda access EC2 even though it is not in the VPC of the EC2 instance?

In this scenario, the Lambda is not accessing the EC2 instance; it is accessing AWS's EC2 service. This service is a public API that you can call from the CLI or (as I'm guessing your Lambda is doing) an appropriate SDK. This is comparable to the AWS Console: you can start/stop/terminate EC2 instances, but you can't actually log on to an EC2 machine through the Console.

However, the same Lambda function cannot access the web server installed on the EC2 instance via http://website_of_ec2.com unless I configure the Lambda with a VPC, subnet and security group (the same VPC as the EC2 instance). Question 2: why does the Lambda need a VPC configured in this case?

In this scenario, there is no public endpoint for your Lambda to connect to the EC2 instance. The Lambda needs access to the VPC in which your EC2 instance resides, hence the extra configuration required.
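The two cases side by side as one CloudFormation template. This is an added example, not code from the question or the answer: the first function has no VpcConfig and only needs IAM permission to call the public EC2 API (control plane), while the second must be attached to the instance's VPC and allowed through the instance's security group before it can open a TCP connection to the web server (data plane). Resource names, the parameter values and the private IP are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added illustration of Lambda control-plane vs data-plane access to EC2

Parameters:
  InstanceId:               { Type: AWS::EC2::Instance::Id }      # instance to start/stop
  VpcId:                    { Type: AWS::EC2::VPC::Id }
  PrivateSubnetId:          { Type: AWS::EC2::Subnet::Id }        # subnet that can route to the instance
  InstanceSecurityGroupId:  { Type: AWS::EC2::SecurityGroup::Id } # SG attached to the instance
  WebServerPrivateIp:       { Type: String, Default: "10.0.1.25" } # assumed private IP of the instance

Resources:
  # ---- Question 1: control plane only. No VpcConfig is required. ----
  ControlPlaneRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: StartStopOneInstance
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [ec2:StartInstances, ec2:StopInstances]
                # Least privilege: scope to the one instance instead of "*".
                Resource: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${InstanceId}

  StartStopFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ControlPlaneRole.Arn
      Environment: { Variables: { INSTANCE_ID: !Ref InstanceId } }
      # Deliberately no VpcConfig: the SDK call goes to the public endpoint
      # ec2.<region>.amazonaws.com; no socket is ever opened to the instance.
      Code:
        ZipFile: |
          import os, boto3
          ec2 = boto3.client("ec2")
          def handler(event, context):
              ids = [os.environ["INSTANCE_ID"]]
              if event.get("action") == "start":
                  return ec2.start_instances(InstanceIds=ids)
              return ec2.stop_instances(InstanceIds=ids)

  # ---- Question 2: data plane. The function must live in the VPC. ----
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the VPC-attached Lambda's ENIs
      VpcId: !Ref VpcId

  # Open port 80 on the instance only to the Lambda's security group.
  AllowLambdaToWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourceSecurityGroupId: !Ref LambdaSecurityGroup

  DataPlaneRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        # Grants the ec2:CreateNetworkInterface/DescribeNetworkInterfaces/
        # DeleteNetworkInterface calls Lambda needs to attach ENIs to the VPC.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  WebProbeFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt DataPlaneRole.Arn
      Environment: { Variables: { WEB_HOST: !Ref WebServerPrivateIp } }
      VpcConfig:
        SubnetIds: [!Ref PrivateSubnetId]
        SecurityGroupIds: [!Ref LambdaSecurityGroup]
      Code:
        ZipFile: |
          import os, urllib.request
          def handler(event, context):
              # Private address: reachable only from an ENI inside the VPC.
              with urllib.request.urlopen(f"http://{os.environ['WEB_HOST']}/", timeout=5) as r:
                  return {"status": r.status}
```

Two practical caveats follow from the split. The control-plane function does not need any ec2:CreateNetworkInterface permission or a security group, because it never joins the VPC; the IAM policy on the role is the only thing that gates it, so scope the Resource to the specific instance rather than "*". The data-plane function, once attached to a VPC, routes all of its traffic through the VPC's route tables, so if it also needs to call public AWS APIs (including the EC2 API from question 1) the subnet must have a NAT gateway or an interface VPC endpoint for that service.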