
I have read about many people struggling to connect their Lambda to their DynamoDB because they live in a VPC. But my question is, why use a VPC at all?

VPCs are meant to protect services with a direct connection to the outside world (AKA the internet). Things like RDS, for instance, which are just sitting ducks waiting to be queried by anyone knowing the URL, and therefore can be victims of DDoS, or zero-day exploits that could bypass the credentials, amongst other things.

But AWS Lambda and DynamoDB aren't such things; they don't have a direct connection to the internet. Their access is protected by IAM credentials, and they are de facto secure against such DDoS/0-day exploits.

Hence the question: why use a VPC for Lambda/DynamoDB if they don't benefit from it but, on the contrary, it makes things more complicated to configure?

I don't see the benefits of using a VPC for either Lambda or DynamoDB.

But maybe my understanding is wrong?

Please explain the reasons for downvoting; I'd like to understand what I did wrong :) - Vadorequest
And maybe it doesn't feel like the question is so "programming-oriented", but as the serverless world and cloud computing take more and more importance in our lives (as developers), it's a question I'm asking myself as a developer who does more and more DevOps/sysadmin work. It looks like I should have posted elsewhere, but I personally find it difficult to pinpoint the exact Stack Exchange forum for questions like this; there are so many. - Vadorequest
Downvoting here is somewhat arbitrary. Once I was downvoted for providing pointers to the solution but not the solution itself. I guess some people still expect to be spoon-fed. - asr9

1 Answer


If your Lambda function only needs to connect to DynamoDB, then it would be wrong to place the Lambda function in a VPC.

If your Lambda function needs to access an EC2 instance or an RDS instance or some other service running inside the VPC, and also needs to connect to DynamoDB, then the Lambda function would have to run in the VPC and you would need to provide access to DynamoDB via a VPC Endpoint or a NAT Gateway.
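The second case in the answer (a function that must reach something inside the VPC and also DynamoDB), written out as an added Terraform example that is not part of the answer or of any AWS-published template. It takes the VPC endpoint route rather than a NAT gateway: a DynamoDB gateway endpoint keeps the traffic on the AWS network, needs no public route out of the subnet, and carries no hourly charge, whereas a NAT gateway gives the function a general internet path it does not need. The region, the VPC/subnet/route-table ids, the table name `orders` and the `handler.zip` package are placeholders you would substitute; everything else uses real Terraform AWS provider resources and arguments.

```hcl
# Added example: Lambda in a VPC reaching DynamoDB through a gateway endpoint.
# Placeholders: region, vpc_id, subnet_ids, route_table_ids, table "orders", handler.zip.

variable "region"          { default = "us-east-1" }          # placeholder
variable "vpc_id"          { type = string }                  # placeholder: existing VPC
variable "subnet_ids"      { type = list(string) }            # placeholder: private subnets
variable "route_table_ids" { type = list(string) }            # route tables of those subnets

data "aws_caller_identity" "current" {}

resource "aws_dynamodb_table" "orders" {
  name         = "orders"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "order_id"
  attribute {
    name = "order_id"
    type = "S"
  }
}

# Gateway endpoint: installs a route for the DynamoDB prefix list into the
# subnets' route tables, so no NAT gateway or internet gateway is involved.
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.route_table_ids

  # Endpoint policy (network side): only this account's principals,
  # only this table, only the actions the function actually needs.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"]
      Resource  = aws_dynamodb_table.orders.arn
      Condition = {
        StringEquals = { "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id }
      }
    }]
  })
}

# Security group for the function's ENIs: no inbound; outbound only to the
# DynamoDB prefix list over HTTPS. Add further egress rules for the EC2/RDS
# targets the function must reach inside the VPC.
resource "aws_security_group" "lambda" {
  name   = "orders-lambda"
  vpc_id = var.vpc_id
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.dynamodb.prefix_list_id]
  }
}

resource "aws_iam_role" "lambda" {
  name = "orders-lambda-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Lets the Lambda service create and delete ENIs in your subnets; without it
# a VPC-attached function fails to start.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Identity side of least privilege: mirrors the endpoint policy, so a request
# must pass both the role policy and the endpoint policy.
resource "aws_iam_role_policy" "table_access" {
  role = aws_iam_role.lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"]
      Resource = aws_dynamodb_table.orders.arn
    }]
  })
}

resource "aws_lambda_function" "orders" {
  function_name = "orders-handler"
  role          = aws_iam_role.lambda.arn
  runtime       = "python3.12"
  handler       = "handler.main"
  filename      = "handler.zip"      # placeholder deployment package

  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

After `terraform apply`, the check worth doing is on the route tables: each subnet the function uses should show a route whose destination is the DynamoDB prefix list (`pl-...`) and whose target is the `vpce-...` id. If that route is missing from a subnet, calls from a function placed there hang until the SDK times out, which is the symptom the question describes people running into. The two policies are deliberately identical in scope: the role policy limits what the function can do, and the endpoint policy limits what any principal in the VPC can do through that network path, so a compromised workload in the same subnets cannot reach other tables or other accounts' tables through the endpoint.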