I started to wonder whether or not VPC endpoints are required in the following case:
I have an SNS topic that serves as an event bus of some sort. Without dwelling on that topic, let's move further. That SNS topic is linked to SQS via the AWS serverless event source for a Lambda. You know, something like:
    FoobarEvent:
      Type: SNS
      Properties:
        Topic: !Ref Topic
        SqsSubscription: true

And that's it. So I am letting sam create an SQS queue for the messages pushed into SNS.
Now, to the point. The Lambda itself is configured to stay inside private subnets.

    VpcConfig:
      SecurityGroupIds: [...]
      SubnetIds: [...]
So naturally, I expect that a VPC interface endpoint to either or both of the SNS and SQS services is required. But!?:
- Is that really so?
- If I don't define endpoints but still have NATs, will those even be used?
- If I have neither endpoints nor NATs, will this still work?

I am asking because it makes sense that I would need either an SNS endpoint to push from the private Lambda to it, or an SQS endpoint to push to that, respectively. I can't, though, get my head around what happens there in the background. Lambda polls the designated queue on an interval. But if it's in a private subnet, how does it reach that queue? And how do SNS and SQS reach each other?
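As an added example (not part of the question above), this is how the pieces fit in a SAM template when the function is kept in private subnets with no NAT gateway: the SqsSubscription event source from the question, plus an SNS interface endpoint with a least-privilege endpoint policy. The endpoint only matters for calls the function code itself makes (for example publishing back to the topic), because the event source mapping's polling of the queue is performed by the Lambda service, not from inside the function's subnets. Resource and parameter names such as FoobarFunction, AppVpc, PrivateSubnetIds, LambdaSg and EndpointSg are assumptions for the example.

```yaml
Transform: AWS::Serverless-2016-10-31
Parameters:
  AppVpc:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  LambdaSg:
    Type: AWS::EC2::SecurityGroup::Id
  EndpointSg:                            # must allow TCP 443 in from LambdaSg
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  Topic:
    Type: AWS::SNS::Topic
  FoobarFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/
      VpcConfig:                         # private subnets, no NAT gateway
        SecurityGroupIds: [!Ref LambdaSg]
        SubnetIds: !Ref PrivateSubnetIds
      Events:
        FoobarEvent:                     # SAM creates the queue, the SNS -> SQS
          Type: SNS                      # subscription and the event source mapping
          Properties:
            Topic: !Ref Topic
            SqsSubscription: true
  # Hypothetical endpoint: needed only for the function's own SNS API calls; the
  # queue polling is done by the Lambda service outside these subnets.
  SnsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sns
      VpcId: !Ref AppVpc
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSg]
      PrivateDnsEnabled: true            # SDK's default SNS hostname resolves to the endpoint
      PolicyDocument:                    # endpoint policy: this topic only, this account only
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: sns:Publish
            Resource: !Ref Topic
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId
```

If the function code also calls the SQS API directly, an SQS interface endpoint has the same shape with ServiceName com.amazonaws.${AWS::Region}.sqs; with neither endpoints nor NAT, the event source mapping still delivers messages but such direct SDK calls from the function would hang until the function times out.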