Do we need VPC Endpoints for SNS and SQS if the data is not originating from any VPC and lands directly in SNS from an external source?


I am working on a data push mechanism wherein I'm trying to push data to SNS externally (from outside the AWS boundary). Then it is pushed to SQS from SNS, and then via a trigger it comes to a Lambda function where we process it and finally push it into a DynamoDB table. Now I have been asked to use VPC Endpoints wherever possible. I'm getting a little bit confused about whether we need any VPC Endpoint in this scenario, because neither SNS nor SQS is within any VPC, so how would SNS or SQS endpoints be useful here? Please suggest whether we need endpoints here for SNS, SQS, Lambda and DynamoDB. I know Lambda does use a micro EC2 instance for each of its workers; please suggest for this as well.

Thanks in advance.

2 Answers

You're spot on!

It's important to remember that some resources are not tied to a traditional network boundary.

For example:

  • Lambda (if deployed within a VPC), EC2 and RDS would all have VPC components tied to them, such as Subnets and Security Groups.
  • SNS, SQS, DynamoDB, etc. do not have traditional VPC components associated with them.

Now, if your resources are within/tied to a VPC (Lambda, EC2 come to mind) and need to communicate with a service, you can then use a VPC Endpoint to allow a direct connection over the AWS backbone to that service. That's where the VPC endpoints will come into play. Keep in mind that depending on your company's structure, you may need to use a NAT Gateway to connect outbound to other things (for example

In this use case, VPC Endpoints can often be the most direct path. However, if your resources are not configured within a VPC (for example, a Lambda without a VPC), no such endpoints are needed.

Check out:

Endpoint Policy information:

AWS Services that support Privatelink:

answered 2 years ago
  • Thanks @jsonc for your answer. I really appreciate that. Believe me, before asking this question here, I have gone through a lot. What you have suggested is absolutely correct. Please help me further on this:

    1. I have created the Lambda function (and all other services) through CloudFormation templates and not in any VPC. So, would it be good practice to create it in some non-default VPC and then use endpoints to connect to the DynamoDB table?
    2. If we don't need VPC endpoints for SNS and SQS (of course, in my case here), what would be the best way of interaction between them in terms of security? I have followed the basic way mentioned in the AWS docs.

    Thanks in advance
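One way to tighten the SNS-to-SQS leg the comment above asks about, as an added CloudFormation example that is not from the thread or from AWS documentation: the external producer is the only principal allowed to publish (its IAM ARN is a placeholder parameter), plaintext transport is denied on the topic, and the queue's resource policy only accepts `sqs:SendMessage` from the SNS service when `aws:SourceArn` is this specific topic, so no other topic in any account can inject messages. Resource names are constructed for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the thread): SNS topic fanned out to an SQS queue
  with least-privilege resource policies. ARNs and names are placeholders.

Parameters:
  ExternalPublisherPrincipalArn:
    Type: String
    Description: Placeholder IAM role/user ARN the external producer uses to call sns:Publish

Resources:
  IngestTopic:
    Type: AWS::SNS::Topic

  IngestTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref IngestTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the named external principal may publish; nobody else gets Publish.
          - Sid: AllowOnlyExternalPublisher
            Effect: Allow
            Principal:
              AWS: !Ref ExternalPublisherPrincipalArn
            Action: sns:Publish
            Resource: !Ref IngestTopic
          # Refuse any call that arrives over plain HTTP.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: sns:*
            Resource: !Ref IngestTopic
            Condition:
              Bool:
                aws:SecureTransport: "false"

  IngestQueue:
    Type: AWS::SQS::Queue
    Properties:
      SqsManagedSseEnabled: true        # encryption at rest with SQS-managed keys
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt IngestDeadLetterQueue.Arn
        maxReceiveCount: 5

  IngestDeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      SqsManagedSseEnabled: true

  IngestQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues: [!Ref IngestQueue]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The SNS service may deliver, but only on behalf of this one topic.
          - Sid: AllowSendFromThisTopicOnly
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt IngestQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref IngestTopic

  IngestSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref IngestTopic
      Protocol: sqs
      Endpoint: !GetAtt IngestQueue.Arn
      RawMessageDelivery: true          # consumers get the payload without the SNS envelope
```

The `aws:SourceArn` condition on the queue policy is the piece most often left out when people follow the basic docs: without it, `Principal: Service: sns.amazonaws.com` lets any SNS topic in any account that knows the queue ARN deliver into the queue.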


I'm not 100% clear on what you want to do; anyway, VPC Endpoints are used to connect to AWS services from inside a VPC without using public traffic.

I don't know what is publishing to SNS, but it looks like it's something outside AWS.

So in your case it seems to be something like this:

{External to AWS} -> SNS -> SQS -> Lambda -> DynamoDB

For obvious reasons, External to AWS to SNS is via public traffic (the normal internet). The traffic between SNS and SQS and between SQS and Lambda is fully managed by AWS, so there is not much you can do there.

Once the event arrives in Lambda you can have 2 solutions:

  • Lambda is not deployed in a VPC, and so the traffic between Lambda and DynamoDB is via public traffic.
  • Lambda is deployed in a VPC and you want to use a VPC Endpoint (Gateway endpoint) to DynamoDB; in this case the traffic is kept internal to the VPC.

Be aware that if you deploy your Lambda in a VPC you have some other restrictions, such as that the Lambda won't have direct access to the internet and you would need a NAT in your VPC for the Lambda to access the internet.

answered 2 years ago
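The second option above (Lambda in a VPC, DynamoDB reached through a Gateway endpoint), as an added CloudFormation example that is not from the answer or from AWS documentation. It assumes an existing VPC with private subnets and their route tables, a DynamoDB table and the SQS queue, all passed in as placeholder parameters. The endpoint policy limits what can be done through the endpoint to writes on that one table, and because the private subnets have no NAT or internet gateway route, the only HTTPS destination the function can actually reach is DynamoDB via the endpoint. Role names, the function body and the item shape are constructed for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the thread): SQS-triggered Lambda in private subnets
  writing to DynamoDB through a Gateway VPC endpoint. All inputs are placeholders.

Parameters:
  VpcId:               { Type: AWS::EC2::VPC::Id }
  PrivateSubnetIds:    { Type: List<AWS::EC2::Subnet::Id> }
  PrivateRouteTableIds: { Type: CommaDelimitedList }   # route tables of the private subnets
  ProcessedTableName:  { Type: String }                # existing DynamoDB table (placeholder)
  IngestQueueArn:      { Type: String }                # existing SQS queue ARN (placeholder)

Resources:
  # Gateway endpoint: adds a route for the DynamoDB prefix list to each private route table.
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      VpcEndpointType: Gateway
      RouteTableIds: !Ref PrivateRouteTableIds
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Anything in the VPC may use the endpoint, but only to write this one table.
          - Effect: Allow
            Principal: "*"
            Action:
              - dynamodb:PutItem
              - dynamodb:BatchWriteItem
            Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ProcessedTableName}

  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Outbound HTTPS only; no inbound rules
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0   # with no NAT/IGW route, this only reaches the endpoint

  ProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole  # ENI + logs
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole   # poll the queue
      Policies:
        - PolicyName: WriteProcessedTable
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: dynamodb:PutItem
                Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ProcessedTableName}

  ProcessorFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ProcessorRole.Arn
      Timeout: 30
      VpcConfig:
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds: [!Ref LambdaSecurityGroup]
      Environment:
        Variables:
          TABLE_NAME: !Ref ProcessedTableName
      Code:
        ZipFile: |
          import os
          import boto3

          # The SDK resolves dynamodb.<region>.amazonaws.com; the endpoint route carries it privately.
          table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])

          def handler(event, context):
              for record in event["Records"]:            # SQS batch
                  table.put_item(Item={"id": record["messageId"], "body": record["body"]})
              return {"processed": len(event["Records"])}

  QueueTrigger:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !Ref IngestQueueArn
      FunctionName: !Ref ProcessorFunction
      BatchSize: 10
```

Note that the queue trigger needs no endpoint at all: the Lambda service polls SQS on the function's behalf, so only the function's own outbound calls (here, DynamoDB) traverse the VPC. If the function later needs to call anything else, that is where the NAT the answer mentions comes in.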
