1 Answer
1
The CIDR values are whatever subnet you have placed your VPC endpoints in. So for the Lambda security group, you will 99% of the time need port 443 to the subnet/IPs of the VPC endpoints.
If your Lambda is VPC connected, you HAVE to use one of the following:
- Use VPC endpoints for ANY services Lambda requires
- The Lambda function needs to be in a subnet with a route to a NAT Gateway, at which point it's likely you will need 0.0.0.0/0 on port 443 for outbound.
No inbound rules will be needed on the Lambda SG for SQS.
So, in that sense, why doesn't a Lambda function require any inbound rule when connecting to S3 or DynamoDB? Why does the security group only need an outbound rule to the respective endpoint (for S3 and DynamoDB)?
Because it's a TCP conversation and security groups are stateful. SQS or DynamoDB do not connect to Lambda directly. SQS events trigger a Lambda function by calling the Lambda API and do not connect to the Lambda function.
Same for S3. S3 events can trigger a Lambda function via the API. If Lambda needs to access S3 it's an outbound connection and the security groups are stateful.
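The rule set the answer and the follow-up comment describe (outbound tcp/443 to the VPC endpoint subnets, no inbound rules because security groups are stateful and Lambda only initiates connections) can be checked mechanically. The following is an added example, not code from the re:Post answer or from AWS: it audits a security group in the shape returned by `ec2.describe_security_groups()` against a list of endpoint subnet CIDRs. The security group id, the CIDRs and the two sample groups are constructed placeholders; the function names `rule_allows_443` and `audit_lambda_sg` are my own.

```python
"""Audit a Lambda security group for VPC-endpoint-only egress on tcp/443."""
import ipaddress

# Constructed sample: the subnets the interface VPC endpoints were placed in.
ENDPOINT_SUBNET_CIDRS = ["10.0.10.0/24", "10.0.11.0/24"]

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"][0].
# This is the VPC-endpoint pattern: egress 443 only to the endpoint subnets, no inbound.
ENDPOINT_PATTERN_SG = {
    "GroupId": "sg-0000000000000001",   # placeholder id
    "IpPermissions": [],                # inbound: nothing needed, Lambda only initiates
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.10.0/24"}, {"CidrIp": "10.0.11.0/24"}]},
    ],
}

# Constructed sample for the NAT Gateway pattern: egress 443 to anywhere.
NAT_PATTERN_SG = {
    "GroupId": "sg-0000000000000002",   # placeholder id
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def rule_allows_443(rule):
    """True if a security group permission entry covers tcp/443."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)


def audit_lambda_sg(sg, endpoint_cidrs):
    """Return a list of findings; an empty list means the SG matches the endpoint pattern."""
    findings = []

    # Security groups are stateful: replies to outbound connections are allowed
    # automatically, and nothing connects in to a Lambda function, so inbound
    # rules on this group are unnecessary.
    if sg.get("IpPermissions"):
        findings.append("inbound rules present but not needed: security groups are "
                        "stateful and Lambda only initiates outbound connections")

    # Collect every IPv4 range that is allowed outbound on tcp/443.
    allowed = [
        ipaddress.ip_network(r["CidrIp"])
        for rule in sg.get("IpPermissionsEgress", [])
        if rule_allows_443(rule)
        for r in rule.get("IpRanges", [])
    ]

    # Each endpoint subnet must be reachable on 443 (covered by at least one range).
    for cidr in endpoint_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"no egress on tcp/443 covering endpoint subnet {cidr}")

    # 0.0.0.0/0 is the NAT Gateway pattern; with VPC endpoints it is broader than needed.
    for a in allowed:
        if a.prefixlen == 0:
            findings.append("egress 0.0.0.0/0 on 443: only needed for the NAT Gateway "
                            "pattern, wider than necessary when using VPC endpoints")
    return findings


if __name__ == "__main__":
    for name, sg in (("endpoint pattern", ENDPOINT_PATTERN_SG), ("NAT pattern", NAT_PATTERN_SG)):
        print(name, sg["GroupId"], audit_lambda_sg(sg, ENDPOINT_SUBNET_CIDRS) or "OK")
```

Run it against real output by replacing the constructed dictionaries with the `SecurityGroups` entry from `describe_security_groups` and the CIDRs of the subnets holding the endpoints; the audit only reads `IpPermissions` and `IpPermissionsEgress`, so security-group-to-security-group references (`UserIdGroupPairs`) and prefix lists are not evaluated.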