
If I have an AWS Lambda running in a VPC that should access an external application through the internet (NAT gateway -> internet gateway) but also have access to internal AWS services through a VPC interface endpoint, how does the Lambda know that it should go to the internet only for the external application access?

    The Lambda function doesn't know. You need to [configure DNS correctly](https://aws.amazon.com/premiumsupport/knowledge-center/vpc-interface-configure-dns/). The subnet has a route table with a more specific (local) route for the VPC endpoint. – jarmod Aug 26 '22 at 14:59
  • @jarmod Thank you for adding more information. Yes, I have configured the DNS Hostnames and DNS Resolution params on the VPC side and also enabled private DNS on the VPC endpoint side. On the subnet route table I do have the local target route and also the NAT target for 0.0.0.0/0 – Thiago Scodeler Aug 27 '22 at 01:07

1 Answer


The Lambda function (like anything else in the VPC) uses the VPC's DNS server to resolve any domain name to an IP address. The VPC's DNS server will resolve addresses that you have set up as VPC Interface Endpoints as local addresses.

The route table associated with the subnet understands that local addresses should be routed internally within the VPC, while external addresses should be routed to the NAT Gateway.

Mark B
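To make the two-step mechanism in the answer concrete, here is an added simulation (not code from the original post, and not the AWS CLI) of what the VPC resolver and the subnet route table do for two hostnames: an AWS service reached through an interface endpoint and an external application. The VPC CIDR, the NAT gateway ID, the resolved IP addresses and the hostnames are all constructed for the example; the route lookup is a longest-prefix match, which is how a VPC route table chooses between the `local` route and `0.0.0.0/0`. The second DNS table models the failure mode from the comments: if private DNS is not enabled on the endpoint (or DNS hostnames/resolution are off on the VPC), the service hostname resolves to a public IP and the traffic takes the NAT path instead of the endpoint.

```python
import ipaddress

# Constructed VPC and subnet route table (hypothetical IDs). The "local"
# route for the VPC CIDR is implicit in AWS; listing it shows the lookup.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0123456789abcdef0"),
]

# Constructed answers from the VPC resolver. With private DNS enabled on the
# interface endpoint, the service's normal hostname resolves to the endpoint
# ENI's private IP, which sits inside the VPC CIDR.
DNS_PRIVATE_DNS_ENABLED = {
    "sqs.us-east-1.amazonaws.com": "10.0.1.25",   # endpoint ENI (constructed)
    "api.example.com": "203.0.113.10",            # external app (constructed)
}

# Same hostnames when private DNS is disabled: the service hostname falls
# back to a public address (constructed TEST-NET address standing in for it).
DNS_PRIVATE_DNS_DISABLED = {
    "sqs.us-east-1.amazonaws.com": "198.51.100.7",
    "api.example.com": "203.0.113.10",
}


def route_lookup(route_table, ip_str):
    """Return the target of the most specific route matching ip_str."""
    ip = ipaddress.ip_address(ip_str)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    if best_target is None:
        raise LookupError(f"no route for {ip_str}")
    return best_target


def path_for(hostname, dns, route_table=ROUTE_TABLE):
    """Resolve hostname with the given resolver table, then route the result.

    Returns the resolved IP, the route target, and whether the traffic
    leaves the VPC (anything other than the local route).
    """
    ip = dns[hostname]
    target = route_lookup(route_table, ip)
    return {
        "ip": ip,
        "target": target,
        "via_internet": target != "local",
        # Sanity check a practitioner would run: an endpoint-backed
        # hostname must resolve inside the VPC CIDR.
        "in_vpc_cidr": ipaddress.ip_address(ip) in VPC_CIDR,
    }


def endpoint_misconfigured(hostname, dns):
    """True when a hostname meant for an interface endpoint would exit via NAT."""
    return not path_for(hostname, dns)["in_vpc_cidr"]


if __name__ == "__main__":
    for label, dns in (("private DNS on", DNS_PRIVATE_DNS_ENABLED),
                       ("private DNS off", DNS_PRIVATE_DNS_DISABLED)):
        for host in dns:
            print(label, host, path_for(host, dns))
```

From inside the VPC the same check is `nslookup sqs.us-east-1.amazonaws.com` (or `dig`): with private DNS working the answer is an address from your VPC CIDR; a public address means the endpoint is being bypassed and the call is going out through the NAT gateway, which both costs NAT data processing and defeats the reason for the endpoint.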