How can I connect a DocumentDB Change Stream as a Trigger Source of a Lambda Function in a Private VPC?

0

I'm following this tutorial: https://docs.aws.amazon.com/lambda/latest/dg/with-documentdb-tutorial.html and I found it won't work if I change the VPC settings to a custom VPC with private subnets. I'm stuck with this message in the Lambda Function's source trigger:

PROBLEM: Connection error. Your VPC must be able to connect to Lambda and STS, as well as Secrets Manager if authentication is required. You can provide access by configuring PrivateLink or a NAT Gateway.

My use case is simple: trigger the Lambda Function from the Change Stream and write logs (for now, that's enough) in the private subnets. There's no reason to access, or to be accessed from, the public internet, except for Amazon services themselves (Lambda, DocumentDB, Secrets Manager, etc.).

Here are my configurations:

  1. VPC
  • a new VPC
  • has two subnets
  • all other resources live in the private subnets
  • the private subnets are also connected to a NAT Gateway (actually it doesn't seem to be necessary, but just in case)
  • also has VPC endpoints for S3, Lambda, Secrets Manager, and even ec2messages and STS
  2. DocumentDB
  • created with a subnet group that contains only the private subnets of the VPC above
  • change streams enabled as well
  • a security group that opens all ports and all sources/destinations, because every connection attempt failed. It's really a bummer.
  3. Lambda Function
  • created in the same private subnets of the VPC
  • a security group that opens all ports and all sources/destinations
  • same source code as in the tutorial

It's really difficult to work out what the real problem with the Lambda Function is. I hope somebody can provide a clean tutorial that works in the private subnets of a custom VPC, not the default one. Thanks.

gongdo
Asked 7 months ago, 517 views
1 answer
1

Based on the error message, you either need to create a NAT Gateway in the VPC, with the appropriate route to the internet via the gateway, or create VPC endpoints for Lambda, STS and Secrets Manager. It seems the integration with DocumentDB needs to access these services from within the VPC.

AWS Expert
Uri
Answered 7 months ago
  • @Uri thanks for your answer. Unfortunately, I tried everything you mentioned, and I wrote that in my configuration.
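The answer above names the two options, and the question reports both already in place, so the next thing a practitioner wants is a way to verify what each endpoint actually looks like: interface type, in the right VPC, state available, private DNS enabled (without it the default `*.amazonaws.com` hostname still resolves to public IPs, which a subnet with no NAT or internet route cannot reach), and a security group that admits HTTPS from the client side. The following script is an added example, not code from this thread or from AWS. It runs offline on constructed data shaped like the JSON of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`; every ID, CIDR and region in it is hypothetical. Against a real account you would pass it the output of those two CLI calls instead.

```python
"""Offline pre-flight check for the "Your VPC must be able to connect to Lambda
and STS, as well as Secrets Manager" error: do the interface endpoints exist,
is private DNS on, and does their security group admit tcp/443 from the client?
Added example; all identifiers and the region are hypothetical."""
import copy
import ipaddress

REQUIRED_SERVICES = ("lambda", "sts", "secretsmanager")

# Hypothetical identifiers standing in for the VPC described in the question.
VPC_ID = "vpc-0abc"
VPC_CIDR = "10.0.0.0/16"
PRIVATE_SUBNETS = ["subnet-0aaa", "subnet-0bbb"]
CLIENT_SG = "sg-0lambda"  # security group on the Lambda / DocumentDB side

# Constructed sample shaped like describe-vpc-endpoints output:
# lambda is correct, sts has private DNS switched off, secretsmanager is absent.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-001", "VpcId": VPC_ID, "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.lambda", "State": "available",
     "SubnetIds": PRIVATE_SUBNETS, "PrivateDnsEnabled": True,
     "Groups": [{"GroupId": "sg-0vpce"}]},
    {"VpcEndpointId": "vpce-002", "VpcId": VPC_ID, "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.sts", "State": "available",
     "SubnetIds": PRIVATE_SUBNETS, "PrivateDnsEnabled": False,
     "Groups": [{"GroupId": "sg-0vpce"}]},
    {"VpcEndpointId": "vpce-003", "VpcId": VPC_ID, "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
]

# Constructed sample shaped like describe-security-groups output, keyed by
# group ID: the endpoint group admits HTTPS only from CLIENT_SG.
SAMPLE_SECURITY_GROUPS = {
    "sg-0vpce": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": CLIENT_SG}], "IpRanges": []}]},
}


def short_name(service_name):
    """'com.amazonaws.<region>.<service>' -> '<service>'."""
    return service_name.split(".")[-1]


def admits_https(perm, client_sg, vpc_cidr):
    """True if one ingress rule lets client_sg, or the whole VPC CIDR, reach tcp/443."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)):
        return False
    if any(p.get("GroupId") == client_sg for p in perm.get("UserIdGroupPairs", [])):
        return True
    vpc_net = ipaddress.ip_network(vpc_cidr)
    return any(vpc_net.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in perm.get("IpRanges", []))


def check_private_access(endpoints, security_groups, *, vpc_id, vpc_cidr,
                         subnet_ids, client_sg):
    """Return a list of findings; an empty list means the prerequisites look met."""
    findings = []
    interface = {short_name(ep["ServiceName"]): ep for ep in endpoints
                 if ep.get("VpcId") == vpc_id and ep.get("VpcEndpointType") == "Interface"}
    for svc in REQUIRED_SERVICES:
        ep = interface.get(svc)
        if ep is None:
            findings.append(f"{svc}: no interface endpoint in {vpc_id}; add one or route via NAT")
            continue
        if ep.get("State") != "available":
            findings.append(f"{svc}: endpoint {ep['VpcEndpointId']} is {ep.get('State')}, not available")
        if not ep.get("PrivateDnsEnabled"):
            # The public service hostname keeps resolving to public IPs, which a
            # subnet without a NAT or internet route cannot reach.
            findings.append(f"{svc}: PrivateDnsEnabled is false on {ep['VpcEndpointId']}")
        absent = sorted(set(subnet_ids) - set(ep.get("SubnetIds", [])))
        if absent:
            # Still reachable from other subnets in the VPC; an availability concern only.
            findings.append(f"{svc}: warning, no endpoint ENI in {', '.join(absent)}")
        ep_sgs = [g["GroupId"] for g in ep.get("Groups", [])]
        if not any(admits_https(perm, client_sg, vpc_cidr)
                   for sg in ep_sgs
                   for perm in security_groups.get(sg, {}).get("IpPermissions", [])):
            findings.append(f"{svc}: security group(s) {ep_sgs} do not admit tcp/443 from {client_sg}")
    return findings


def run_sample():
    """Findings for the constructed data as-is."""
    return check_private_access(SAMPLE_ENDPOINTS, SAMPLE_SECURITY_GROUPS, vpc_id=VPC_ID,
                                vpc_cidr=VPC_CIDR, subnet_ids=PRIVATE_SUBNETS, client_sg=CLIENT_SG)


def run_sample_fixed():
    """Same data after the two fixes: private DNS on for sts, secretsmanager endpoint added."""
    endpoints = copy.deepcopy(SAMPLE_ENDPOINTS)
    endpoints[1]["PrivateDnsEnabled"] = True
    sm = copy.deepcopy(endpoints[0])
    sm.update(VpcEndpointId="vpce-004", ServiceName="com.amazonaws.us-east-1.secretsmanager")
    endpoints.append(sm)
    return check_private_access(endpoints, SAMPLE_SECURITY_GROUPS, vpc_id=VPC_ID,
                                vpc_cidr=VPC_CIDR, subnet_ids=PRIVATE_SUBNETS, client_sg=CLIENT_SG)


if __name__ == "__main__":
    for line in run_sample() or ["all prerequisites satisfied"]:
        print(line)
```

Run as a script it prints the findings: on the constructed data, the sts endpoint with private DNS off and the missing secretsmanager endpoint, while `run_sample_fixed()` shows the same check passing once both are corrected. The subnet check is deliberately a warning rather than an error: an endpoint ENI in one subnet is reachable from the other subnets of the VPC, but a single ENI is a single point of failure. Note that the security-group test only checks the endpoint's ingress; the client's own group must still allow egress to tcp/443, which the "all ports open" groups in the question already do.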
