1
votes

I started to wonder whether or not VPC endpoints are required in the following case:

I have an SNS topic that serves as an event bus of sorts. Without dwelling on that topic, let's move on. That SNS topic is linked to SQS via the AWS serverless event source for a Lambda. You know, something like:

FoobarEvent:
  Type: SNS
  Properties:
    Topic: !Ref Topic
    SqsSubscription: true

And that's it. So I am letting SAM create the SQS queue that queues messages pushed into SNS. Now, to the point. The Lambda itself is configured to stay inside private subnets.

VpcConfig:
  SecurityGroupIds: [...]
  SubnetIds: [...]

So naturally, I expect that a VPC interface endpoint to either or both of the SNS and SQS services is required. But!?:

  1. Is that really so?
  2. If I don't define endpoints but still have NATs, will those even be used?
  3. If I have neither endpoints nor NATs, will this still work?

I am asking because it makes sense that I would need either an SNS endpoint to push from the private Lambda to it, or an SQS endpoint to push to that, respectively. I can't, though, get my head around what happens there in the background. The Lambda polls the designated queue on an interval. But if it's in a private subnet, how does it reach that queue? And how do SNS and SQS reach each other?

1
So the Lambda in a private subnet publishes messages into your SNS -> SQS -> other Lambda? - Marcin
Right now I am publishing to SNS from tests on my own laptop. Messages are reaching SNS and in turn the SQS queue linked to the Lambda placed in the private subnets. - kornicameister

1 Answer

2
votes

Is that really so?

You don't need SNS or SQS endpoints in your VPC, based on the extra info from the comments.

If I don't define endpoints but still have NATs, will those even be used?

NAT is also not needed if your Lambda function does not need to call external APIs or access the internet.

If I have neither endpoints nor NATs, will this still work?

Yes, unless your function needs to access the internet to reach an external API or invoke some other AWS services.
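To make the distinction in the answer concrete: SNS-to-SQS delivery and the Lambda service's polling of the queue both happen on the AWS side, outside your VPC, so the event path needs neither an endpoint nor a NAT. Only calls the handler itself makes with the SDK leave the function's ENI in the private subnet and therefore need a route. The SAM template below is an added example, not code from the question or the answer. It assumes a second topic, OutboundTopic, that the handler publishes to (the handler code, assumed at src/app.py, is not shown), existing VpcId and PrivateSubnetIds parameters, and the resource names Consumer, FunctionSecurityGroup, EndpointSecurityGroup and SnsEndpoint, all chosen here for illustration. It shows the least-privilege way to give that one SDK call a path: an SNS interface endpoint instead of a NAT, with a security group and an endpoint policy that limit what the function can reach.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

# Assumed inputs: an existing VPC and its private subnets (no NAT route needed).
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  # The "event bus" topic from the question. SNS -> SQS delivery and the Lambda
  # service's SQS poller both run outside the VPC, so neither needs an endpoint.
  Topic:
    Type: AWS::SNS::Topic

  # Assumed: the handler publishes follow-up events here with the SDK. That call
  # originates from the function's ENI in the private subnet, so it needs a path.
  OutboundTopic:
    Type: AWS::SNS::Topic

  # Function SG: the only egress is HTTPS to the endpoint SG. Declaring egress
  # inline replaces the default allow-all egress rule, so the function cannot
  # reach the internet even if a NAT gateway is added to the subnets later.
  FunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Consumer function ENIs
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationSecurityGroupId: !Ref EndpointSecurityGroup

  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SNS interface endpoint
      VpcId: !Ref VpcId

  # Ingress kept as a separate resource to avoid a circular reference between the SGs.
  EndpointIngressFromFunction:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EndpointSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref FunctionSecurityGroup

  # Interface endpoint for SNS. PrivateDnsEnabled makes sns.<region>.amazonaws.com
  # resolve to the endpoint ENIs, so the SDK needs no custom endpoint URL. The
  # endpoint policy limits what can be reached through it to the one topic; the
  # function's IAM policy must allow the action as well (both are evaluated).
  SnsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sns
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: sns:Publish
            Resource: !Ref OutboundTopic

  Consumer:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler          # assumed handler; its code is not shown
      CodeUri: src/
      Timeout: 30
      VpcConfig:
        SecurityGroupIds:
          - !Ref FunctionSecurityGroup
        SubnetIds: !Ref PrivateSubnetIds
      Environment:
        Variables:
          OUTBOUND_TOPIC_ARN: !Ref OutboundTopic
      Policies:
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt OutboundTopic.TopicName
      Events:
        # Same event source as in the question: SAM creates the queue and the
        # SNS subscription, and the Lambda service polls the queue on its side.
        FoobarEvent:
          Type: SNS
          Properties:
            Topic: !Ref Topic
            SqsSubscription: true
```

The failure mode to watch for is the third case in the question. If SnsEndpoint is removed and there is no NAT, the SQS-triggered invocations still arrive, but the publish call inside the handler does not fail fast: the SDK's TCP connection attempts sit until botocore's connect timeout (60 seconds by default) and its retries are exhausted, so the invocation typically ends in the function's own Timeout with no clear network error. Add an SQS interface endpoint (service name com.amazonaws.<region>.sqs) only if the handler itself calls the SQS API, for example to send to another queue; the poller does not need it.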