Invoking lambda attached to private subnets outside VPC

Is it possible to invoke a Lambda attached to private subnets (having a NAT Gateway) from another Lambda in the same account?

2 Answers

Of course. When a function is attached to a VPC it means that all its OUTBOUND traffic, the traffic initiated by the function, is routed via the ENI in the VPC. Regardless of whether you attach the function to a VPC or not, the only way to invoke a function is using the public Lambda Invoke API (either directly, like in your case from another function, or indirectly, by another service such as API Gateway or SQS).

Uri (AWS EXPERT)
answered a month ago
  • When attaching a Lambda to a VPC, I thought it's assigned a private IP so that traffic can be private? And in case that Lambda needs access to a private DB, how is it accessed?

  • Yes, when a Lambda function is attached to a VPC, it is assigned a private IP address within that VPC, allowing it to interact privately with other resources in the same VPC, including private databases. The Lambda function can access a private database directly using the VPC's internal networking, without the need for the traffic to go through the public internet.

  • Thank you for your answer. If VPC-attached Lambda functions can interact with other resources in the VPC privately, why can't two Lambdas in the same VPC interact privately? I'm asking this because of this: "regardless if you attach the function to a VPC or not, the only way to invoke a function is using the PUBLIC Lambda Invoke API"

Accepted Answer

For Lambda A to be able to invoke Lambda B, Lambda A needs to have access to the Lambda service endpoint, regardless of whether Lambda B runs in a VPC or not.

If Lambda A runs in your VPC it would need to access the Lambda service endpoint either through the internet (e.g., by using a NAT gateway) or using a VPC endpoint.

If Lambda A doesn't run in your VPC then it runs in an AWS managed VPC which has internet connection and therefore will be able to invoke lambda B (assuming the right permissions are in place of course).

Your misconception here is that when you invoke a Lambda function you call that function directly, but the way it works is that you are actually calling the Lambda service endpoint.

AWS
answered a month ago
  • Lambda (compute resources - Firecracker VMs) always runs in an AWS managed VPC irrespective of any configuration. When you configure your Lambda to run in your VPC, Lambda, being a managed service of AWS, just creates hyperplane ENIs inside your VPC, unique per security group:subnet combination. This ENI is used for the Lambda service to communicate with resources running privately inside the private subnet of your VPC.
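As an added example (not from this thread or from AWS), here is a Terraform configuration for the VPC-endpoint route the accepted answer describes: an interface endpoint for the Lambda service in Lambda A's private subnets, with the endpoint policy and Lambda A's execution-role policy both scoped to invoking Lambda B only. Every ID, ARN, name and the region below is a placeholder, and the VPC is assumed to have DNS support and DNS hostnames enabled.

```hcl
# Added example: interface VPC endpoint for the Lambda service, so Lambda A (in private
# subnets) reaches the Lambda Invoke API without a NAT gateway. IDs, ARNs and names are
# placeholders; the VPC is assumed to have DNS support and DNS hostnames enabled.
locals {
  region       = "us-east-1"                           # placeholder
  vpc_id       = "vpc-0123456789abcdef0"               # placeholder
  subnet_ids   = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]  # Lambda A's private subnets
  lambda_a_sg  = "sg-0aaaaaaaaaaaaaaaa"                # security group on Lambda A's ENIs
  lambda_b_arn = "arn:aws:lambda:us-east-1:123456789012:function:lambda-b"
}

# Only Lambda A's ENIs may reach the endpoint, and only on HTTPS.
resource "aws_security_group" "lambda_endpoint" {
  name   = "lambda-service-endpoint"
  vpc_id = local.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [local.lambda_a_sg]
  }
}

# With private DNS enabled the SDK's default hostname, lambda.<region>.amazonaws.com,
# resolves to the endpoint ENIs, so Lambda A's code needs no custom endpoint URL.
resource "aws_vpc_endpoint" "lambda" {
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.lambda"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.subnet_ids
  security_group_ids  = [aws_security_group.lambda_endpoint.id]
  private_dns_enabled = true
  # Endpoint policy: anything using this endpoint may only invoke Lambda B.
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Principal = "*",
                   Action = "lambda:InvokeFunction", Resource = local.lambda_b_arn }]
  })
}

# The endpoint policy and Lambda A's execution-role policy are both evaluated;
# the role still needs an explicit, function-scoped lambda:InvokeFunction grant.
resource "aws_iam_role_policy" "lambda_a_invoke_b" {
  name = "invoke-lambda-b"
  role = "lambda-a-execution-role"   # placeholder: Lambda A's execution role name
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "lambda:InvokeFunction", Resource = local.lambda_b_arn }]
  })
}
```

Lambda A's own security group must still allow egress to the endpoint on TCP 443 (the default all-egress rule does), and this endpoint covers only the Lambda API; any other AWS service Lambda A calls needs its own endpoint or the NAT route.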
