
After reading the AWS documentation, I learned that AWS Lambda can send traffic outside the network via a NAT gateway, which I have.

However, I have an SQS that has messages my lambda is ingesting based on events.

I also have a Lambda inside a VPC with a static IP.

I'm wondering, when implementing my security group, what ports and/or protocols I need to allow for my Lambda to receive inbound messages from SQS. Or do I need to use a VPC Endpoint for this?

NOTE: My SQS service is receiving messages from a service outside AWS. So if I need to use a VPC Endpoint, I still need this functionality to work. Security policy also does not allow 0.0.0.0 traffic on the security group.

However, I'm not certain whether I need to allow anything in my security group in order to receive traffic from SQS, or whether it will be allowed by default.

John Rotenstein
Lam2020
    If your AWS Lambda function has been configured to trigger when a message is placed in an Amazon SQS queue, then the Lambda function does not require any access to the SQS queue. Instead, the AWS Lambda _service_ retrieves the message(s) and passes them to the Lambda function via the `event` parameter. The function itself does not need to access SQS. – John Rotenstein Sep 30 '22 at 07:25
  • How do you "have a Lambda inside a VPC with a static IP"? – jarmod Sep 30 '22 at 10:55
  • If the Lambda service is triggering your Lambda function with SQS events then networking, NAT, security groups etc. are all irrelevant to the receipt of SQS messages by your Lambda function. – jarmod Sep 30 '22 at 11:03

1 Answer


if I need to allow anything in my security group in order to receive traffic from SQS

No, you do not have to do anything in terms of SGs. If your Lambda IAM execution role allows reading from the SQS queue, it should all work, whether you are using a VPC or not.

Marcin
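To make the answer concrete, here is an added example (not code from the question, the answer, or AWS) of what the function side of an SQS event-source mapping looks like. The batch of messages arrives in the `event` argument, already fetched by the Lambda service using the execution role's permissions, so the handler itself opens no connection to SQS and the VPC security group never comes into play. The sample event, the queue ARN, the `order_id` field and the helper names are all constructed for the example; the three `sqs:` actions are the ones the execution role needs for an SQS trigger.

```python
"""Added example: Lambda handler consuming an SQS event-source batch.

Messages are delivered in `event["Records"]` by the Lambda service, not pulled
by the function, so no inbound or outbound security-group rule is involved.
"""
import json
from typing import Any, Dict, List

# IAM actions the *execution role* needs so the Lambda service can poll the
# queue and delete processed messages on the function's behalf.
REQUIRED_SQS_ACTIONS = [
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:GetQueueAttributes",
]


def execution_role_policy(queue_arn: str) -> Dict[str, Any]:
    """Build a least-privilege policy statement scoped to one queue ARN
    (helper name and shape are this example's own, not an AWS API)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": REQUIRED_SQS_ACTIONS,
                "Resource": queue_arn,  # never "*": scope to the triggering queue
            }
        ],
    }


def process_message(body: str) -> Dict[str, Any]:
    """Parse one message body as JSON. Raise on malformed input so the record
    is reported as failed instead of being silently dropped."""
    payload = json.loads(body)  # raises json.JSONDecodeError (a ValueError)
    if "order_id" not in payload:  # 'order_id' is an assumed field for the demo
        raise ValueError("message lacks order_id")
    return payload


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, List[Dict[str, str]]]:
    """Lambda entry point.

    Returns a partial-batch response: only the listed messageIds go back to
    the queue (requires ReportBatchItemFailures on the event-source mapping);
    the Lambda service deletes the rest. No SQS API call is made here.
    """
    failures: List[Dict[str, str]] = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:sqs":
            continue  # ignore records from any other trigger type
        try:
            process_message(record["body"])
        except ValueError:
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


# Constructed sample batch mirroring the shape Lambda uses for SQS triggers:
# two well-formed records and one malformed body.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "m-1", "eventSource": "aws:sqs", "body": json.dumps({"order_id": 1})},
        {"messageId": "m-2", "eventSource": "aws:sqs", "body": "not json"},
        {"messageId": "m-3", "eventSource": "aws:sqs", "body": json.dumps({"order_id": 3})},
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
    print(json.dumps(execution_role_policy("arn:aws:sqs:us-east-1:123456789012:orders"), indent=2))
```

The caveat a practitioner will want, as a note of my own rather than part of the answer: the security group only matters if the function's own code initiates connections. A handler that calls SQS (for example to send to another queue) or any other AWS API from inside the VPC needs HTTPS egress on port 443, either through the NAT gateway or through an interface VPC endpoint for that service; with a policy that forbids 0.0.0.0/0 outbound rules, an interface endpoint lets you restrict the outbound rule to the endpoint's security group instead. Receiving the trigger batch, and the external producer sending to the queue's public endpoint, need neither.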