How to setup AWS Private link so that Lambda function calls to EC2 instance in the Private Subnet

Question

I am trying to create a private link so that my Lambda function (in Account A) can call (initiate) to the EC2 instance in an another AWS account (Account B) and that EC2 instance is in the Private Subnet.
What I did as of now
1. Created a Network Load Balancer in the Account B and attached the Target group which is registered to the EC2 Instance
2. Created AWS Endpoint Service in Account B and linked to the NLB
3. Created AWS endoint in Account A which is conencted to the AWS Endpoint Service in Account B
4. In the security group added Lambda function's subnet in Account A
5. In the security group in the account B, I have added AWS Endpoint's ENI IP

But still Lambda is not communicating to the EC2 instance, giving Timed Out Error.

I will appreciate any help on it.

Thank you

Riku_Kobayashi · Answer

Hello.

Does Lambda recognize that it is correctly connected to the VPC?  
Also, can you confirm that the created PrivateLink can be used normally? (For example, can I connect with curl command from EC2 etc.?)  
Is the security group setting in item 4 the security group for the VPC endpoint created in account A?

Is the security group set in item 5 an NLB security group?  
In this case, I think the security group needs to allow the CIDR of Lambda's subnet.  
https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html  
> If your Network Load Balancer has a security group, it must allow inbound traffic from the IP addresses of the clients. Alternatively, you can turn off evaluation of inbound security group rules for traffic through AWS PrivateLink. For more information, see Security groups in the User Guide for Network Load Balancers.

How to setup AWS Private link so that Lambda function calls to EC2 instance in the Private Subnet

Relevant content