
I read about many people struggling to connect their Lambda to their DynamoDB because they live in a VPC. But my question is, why use a VPC at all?

VPCs are meant to protect services with a direct connection to the outside world (AKA the internet). Things like RDS, for instance, which are just sitting ducks waiting to be queried by anyone knowing the URL, and therefore can be victims of DDoS, or zero-day exploits that could bypass the credentials, amongst other things.

But AWS Lambda and DynamoDB aren't such things; they don't have a direct connection to the internet. Their access is protected by IAM credentials, and they are de facto secure against such DDoS/0-day exploits.

Hence the question: why use a VPC for Lambda/DynamoDB if they don't benefit from it but, on the contrary, it makes things more complicated to configure?

I don't see the benefits of using a VPC for either Lambda or DynamoDB.

But maybe my understanding is wrong?

Vadorequest
  • Please explain reasons for downvoting, I like to understand what I do wrong :) – Vadorequest Feb 25 '19 at 16:52
  • And maybe it doesn't feel like the question is so "programming-oriented", but as the serverless world and cloud computing take more and more importance in our lives (as developers), it's a question I'm asking myself as a developer who does more and more DevOps/sysadmin work. Looks like I should have posted elsewhere, but I personally find it difficult to pinpoint the exact Stack Exchange forum for questions like this; there are so many. – Vadorequest Feb 28 '19 at 12:31
  • Down-voting here is somewhat arbitrary. Once I was down-voted for providing pointers to the solution but not the solution itself. I guess some people still expect to be spoon-fed. – asr9 Mar 04 '19 at 18:19

1 Answer


If your Lambda function only needs to connect to DynamoDB, then it would be wrong to place the Lambda function in a VPC.

If your Lambda function needs to access an EC2 instance or an RDS instance or some other service running inside the VPC, and also needs to connect to DynamoDB, then the Lambda function would have to run in the VPC and you would need to provide access to DynamoDB via a VPC Endpoint or a NAT Gateway.

Mark B
  • Ah, this makes sense indeed! Hadn't thought of that since my Lambda only connects to DynamoDB. I understand better; it's similar to HTTPS: if one service uses HTTPS then all must, otherwise it's not secure/allowed. – Vadorequest Feb 25 '19 at 16:47
  • I have heard concerns about source code security for Lambdas outside VPC. I couldn't follow the conversation back then, but do you have any information in that area? – asr9 Mar 04 '19 at 18:21
  • @ASR they are deployed on the same servers, regardless of whether they are "running in the VPC" or not. They are being deployed to AWS servers that aren't really in your VPC, and just get an Elastic Network Interface (ENI) from your VPC attached to them if you have configured them with VPC access. So either way, the security of the source code would be the same. – Mark B Mar 04 '19 at 18:23
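As an added example (not part of the answer above), a CloudFormation template for the endpoint route the answer describes: the function runs in private subnets of the VPC and reaches DynamoDB through a Gateway VPC Endpoint, so no NAT Gateway or internet path is involved, and both the endpoint policy and the function's role are scoped to one table. The parameter names, the resource names and the table policy are assumptions; the endpoint service name and the `AWSLambdaVPCAccessExecutionRole` managed policy are AWS's own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:  # supplied by you; the names below are assumptions
  VpcId: {Type: AWS::EC2::VPC::Id}
  PrivateSubnetIds: {Type: "List<AWS::EC2::Subnet::Id>"}
  PrivateRouteTableId: {Type: String}
  TableName: {Type: String}
Resources:
  # Gateway endpoint: the private route table sends DynamoDB traffic here,
  # so the function needs neither a NAT Gateway nor any internet path.
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      RouteTableIds: [!Ref PrivateRouteTableId]
      # Endpoint policy: whatever leaves the VPC via this endpoint may only
      # touch this one table, whatever IAM permissions the caller holds.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - {Effect: Allow, Principal: "*", Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"], Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"}
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties: {GroupDescription: Lambda egress only, VpcId: !Ref VpcId}
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - {Effect: Allow, Principal: {Service: lambda.amazonaws.com}, Action: "sts:AssumeRole"}
      ManagedPolicyArns:  # lets the service create/delete the ENIs in your subnets
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:  # IAM still gates every call; keep it scoped to the one table
        - PolicyName: TableAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - {Effect: Allow, Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"], Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"}
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaRole.Arn
      Code: {ZipFile: "import boto3\ndef handler(event, context):\n    return boto3.client('dynamodb').describe_table(TableName=event['table'])"}
      VpcConfig:  # ENIs land in the private subnets; DynamoDB is reachable only via the endpoint
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds: [!Ref LambdaSecurityGroup]
```

Without the endpoint (or a NAT Gateway) the same function would hang on the DynamoDB call until its timeout, which is the symptom the question describes.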