This chapter covers Lambda function execution inside an Amazon Virtual Private Cloud (VPC), a critical topic for the DVA-C02 exam. Understanding VPC networking is essential because many enterprise applications require Lambda to access private resources like RDS, ElastiCache, or internal APIs. Approximately 10-15% of exam questions touch Lambda networking, with VPC configuration being a frequent differentiator. You will learn how Lambda attaches to your VPC, the implications for internet access, cold starts, and how to troubleshoot common misconfigurations.
Jump to a section
Imagine a consultant (Lambda) who normally works from a co-working space (AWS public endpoints) and can access any public resource on the internet. One day, the consultant needs to work inside a highly secure corporate office (VPC) that has no public entrance—only a private internal network. The corporate office has a strict policy: no one can walk in from the street; everyone must enter through a designated security checkpoint (Elastic Network Interface, ENI) that is pre-registered. To get inside, the consultant must first be issued a special badge (ENI) that identifies them as an employee of the building. This badge is attached to the consultant's laptop, giving them a private internal extension (private IP address) within the office. Now the consultant can access internal resources like printers (RDS databases) or file servers (ElastiCache) inside the office. However, the consultant can no longer access the public internet—the office has no outward-facing door. If the consultant needs to access a public website (e.g., AWS APIs or external services), they must go through a designated outgoing phone line (NAT Gateway or VPC endpoints) that the office provides. Without that, the consultant is completely isolated. Also, the consultant cannot receive unsolicited calls from outside—only outbound connections initiated from inside work. This mirrors Lambda in a VPC: the function gets an ENI with a private IP, loses internet access by default, and must use NAT/VPC endpoints for outbound connectivity. The ENI creation takes time (cold start), just like issuing a badge takes a few minutes.
By default, AWS Lambda functions run in a secure, AWS-managed VPC that has full internet access. This means they can reach any public endpoint—AWS service endpoints, external APIs, etc.—without any additional configuration. However, many workloads require Lambda to access resources that reside inside a customer-controlled VPC, such as:
Amazon RDS databases (private subnet)
Amazon ElastiCache clusters (private subnet)
Internal HTTP APIs running on EC2 or containers (private subnet)
VPC-only services like Amazon Redshift in VPC
To enable this, you must configure the Lambda function to run inside your VPC. When you do, Lambda creates an Elastic Network Interface (ENI) for each combination of function version, subnet, and security group. This ENI gives the function a private IP address from your VPC subnet, allowing it to communicate with other resources in the VPC as if it were an EC2 instance. However, this also removes the function's default internet access—a common source of confusion and exam traps.
How Lambda VPC Attachment Works Internally
When you configure a Lambda function with VPC settings (subnet IDs and security group IDs), AWS Lambda uses the Hyperplane ENI service to manage network connectivity. Here is the step-by-step mechanism:
ENI Creation: The first time a Lambda function with VPC configuration is invoked (or when the configuration is updated), Lambda creates one or more ENIs in the specified subnets. The number of ENIs depends on the number of subnets and the function's concurrency. Each ENI is attached to the Lambda service's VPC infrastructure, not directly to the function's execution environment.
IP Allocation: Each ENI gets a private IP address from the subnet's CIDR range. This IP is used for all traffic between the Lambda function and other VPC resources. The ENI also gets a security group applied, which controls inbound and outbound traffic.
Traffic Routing: When the function executes, all traffic destined for the VPC's CIDR range is routed through the ENI. Traffic to other destinations (including internet, other VPCs via peering, or AWS public endpoints) is routed based on the VPC's route tables. By default, a VPC's main route table only has a local route; there is no internet gateway, so internet traffic is dropped.
Cold Start Impact: Creating ENIs adds significant latency to cold starts. The first invocation after a period of inactivity (or a deployment) must wait for the ENI to be provisioned. AWS has improved this with the Hyperplane ENI technology, but cold starts can still be 5-10 seconds longer than non-VPC functions.
Concurrency and ENI Limits: Each ENI can support a certain number of concurrent executions. AWS documentation states that a single ENI can handle up to 1,000 concurrent executions. If you need more concurrency, Lambda automatically creates additional ENIs. The total number of ENIs across all functions in a region is subject to service quotas (default: 250 ENIs per region).
Key Components, Defaults, and Timers
Subnets: You must specify at least one subnet (up to 16). Lambda will spread ENIs across these subnets for high availability. The subnets must have at least 2 free IP addresses per ENI (one for the ENI itself, one for the function).
Security Groups: You can specify up to 5 security groups. These act as a virtual firewall for the Lambda function's ENI. Inbound rules are mostly irrelevant because Lambda functions do not accept inbound connections; outbound rules control what the function can reach.
ENI Creation Time: Typically 30-90 seconds for the first ENI. Subsequent ENIs for the same function are faster because the infrastructure is warmed.
ENI Lifecycle: ENIs are created when the function is first invoked after VPC configuration. They are deleted when the function is deleted or when VPC configuration is removed. They persist across invocations to reduce cold starts.
Internet Access: By default, a Lambda function in a VPC has no internet access. To give it internet access, you must:
- Place the function in a private subnet. - Attach a NAT Gateway (or NAT instance) to a public subnet. - Add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway. - AWS Service Access: To access AWS services (e.g., S3, DynamoDB) without internet, use VPC Endpoints (Gateway or Interface endpoints). This keeps traffic within the AWS network and avoids NAT costs. - Execution Role: The Lambda function's execution role must have permissions to create, describe, and delete ENIs. The required actions are: - ec2:CreateNetworkInterface - ec2:DescribeNetworkInterfaces - ec2:DeleteNetworkInterface - ec2:AssignPrivateIpAddresses These are automatically added if you use the AWS managed policy AWSLambdaVPCAccessExecutionRole.
Configuration and Verification Commands
To configure a Lambda function in a VPC using the AWS CLI:
aws lambda update-function-configuration \
--function-name my-function \
--vpc-config SubnetIds=subnet-12345678,subnet-87654321,SecurityGroupIds=sg-12345678To remove VPC configuration:
aws lambda update-function-configuration \
--function-name my-function \
--vpc-config {}To verify the ENI creation:
aws ec2 describe-network-interfaces \
--filters Name=description,Values="*Lambda*" Name=vpc-id,Values=vpc-12345678You can also check the function's VPC config:
aws lambda get-function-configuration --function-name my-functionLook for the VpcConfig field.
Interaction with Related Technologies
Lambda@Edge: Lambda@Edge functions run at CloudFront edge locations and cannot be attached to a VPC. They are intended for lightweight request/response manipulation.
Lambda with RDS Proxy: To avoid connection exhaustion when Lambda accesses RDS, use RDS Proxy. The Lambda function still needs VPC access to reach the proxy.
Lambda with VPC Endpoints: For accessing S3 or DynamoDB from a VPC Lambda, use Gateway Endpoints (free) or Interface Endpoints (hourly charge). This avoids NAT Gateway costs and improves security.
Lambda with Secrets Manager: If your Lambda needs to rotate secrets in a VPC, it must be in the VPC to reach the RDS instance, but it also needs outbound internet access (via NAT) to call Secrets Manager endpoints unless you use a VPC endpoint for Secrets Manager.
Configure Lambda with VPC Settings
When you create or update a Lambda function, you specify one or more subnet IDs and security group IDs in the VPC configuration. This triggers the Hyperplane service to prepare network infrastructure. The function's execution role must include permissions for EC2 actions: CreateNetworkInterface, DescribeNetworkInterfaces, DeleteNetworkInterface, and AssignPrivateIpAddresses. Without these, the function will fail with an 'EC2 access denied' error. The VPC and subnets must be in the same AWS region as the Lambda function.
Hyperplane Creates Elastic Network Interfaces
AWS Lambda uses a fleet of 'Hyperplane' workers to create ENIs in the specified subnets. Each ENI is assigned a private IP from the subnet range and is attached to the Lambda service's VPC infrastructure. The ENI is not directly attached to the function's execution environment; instead, traffic is routed through the Hyperplane layer. This design allows Lambda to scale without consuming your subnet IPs linearly with concurrency. One ENI can handle up to 1,000 concurrent executions.
Execution Environment Launches with ENI
When a Lambda function is invoked, the service allocates an execution environment (a microVM) and connects it to the appropriate ENI. The function sees a network interface with the private IP, allowing it to communicate with other VPC resources. The security group rules on the ENI control outbound traffic. For inbound traffic, security group inbound rules are irrelevant because Lambda functions cannot receive inbound connections—they are always invoked by an event source.
Traffic Routing and Internet Access Check
The ENI routes traffic according to the VPC's route tables. If the function tries to reach an IP outside the VPC CIDR (e.g., 8.8.8.8), the packet is forwarded to the subnet's route table. By default, private subnets have no route to an internet gateway, so the packet is dropped. To enable outbound internet, you must add a route 0.0.0.0/0 to a NAT Gateway or NAT instance in a public subnet. Alternatively, for AWS service endpoints, use VPC endpoints to keep traffic within the AWS network.
Cold Start and ENI Warm-Up
The first invocation after a period of inactivity (or after updating VPC config) incurs a cold start that includes ENI creation time. This can add 5-10 seconds to the latency. Subsequent invocations reuse existing ENIs, so cold starts are faster. To mitigate, you can use Provisioned Concurrency to keep execution environments and ENIs warm. Also, consider using a VPC with multiple subnets to spread ENIs and reduce the chance of hitting IP exhaustion.
Scenario 1: Lambda Accessing RDS in Private Subnet
A financial services company runs a microservices architecture where Lambda functions process transactions and write to an Amazon RDS MySQL instance. The RDS is in a private subnet for security. The Lambda function must be in the same VPC to connect. The team configures the Lambda with two private subnets in different Availability Zones for high availability. They also create a security group for the Lambda that allows outbound TCP 3306 to the RDS security group. The RDS security group allows inbound TCP 3306 from the Lambda security group. This works well, but the team notices that cold starts are slow (8-10 seconds). They implement Provisioned Concurrency to keep 10 environments warm, reducing latency to under 1 second. They also set up RDS Proxy to manage database connections efficiently, as Lambda's short-lived nature can exhaust RDS connections. Common misconfiguration: forgetting to add the Lambda security group to the RDS security group's inbound rule, causing connection timeouts.
Scenario 2: Lambda with External API Access via NAT Gateway
A retail company uses Lambda to process orders and send confirmation emails via a third-party email API (e.g., SendGrid). The Lambda function also needs to read from a DynamoDB table. The function is placed in a VPC to access a legacy on-premises database via Direct Connect. To reach the email API and DynamoDB, the team must provide internet access. They create a public subnet with a NAT Gateway (Elastic IP attached) and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway. For DynamoDB, they also create a Gateway VPC Endpoint to avoid NAT costs and improve security. The cost of the NAT Gateway is significant ($0.045/hour + data processing). The team monitors CloudWatch metrics for NAT Gateway bytes and decides to use VPC endpoints for all supported services. Common pitfall: forgetting to update the route table after creating the NAT Gateway, causing the Lambda to time out when calling external APIs.
Scenario 3: Lambda with VPC Endpoints for AWS Services
A healthcare startup processes patient data and stores it in S3. Lambda functions, which must be in a VPC to access a private Elasticsearch cluster, also need to read/write to S3. To avoid internet exposure and NAT costs, the team creates a Gateway VPC Endpoint for S3 in the same region. They add a route in the private subnet's route table for the S3 prefix list (e.g., com.amazonaws.us-east-1.s3) pointing to the endpoint. The Lambda function's IAM role grants S3 access. The team tests and finds that S3 operations work without internet. They also set up an Interface VPC Endpoint for CloudWatch Logs to send logs without internet. Common misconfiguration: using a Gateway Endpoint for a service that requires an Interface Endpoint (e.g., Kinesis, SQS). Gateway Endpoints only work for S3 and DynamoDB. For other services, you must use Interface Endpoints (powered by PrivateLink), which incur hourly charges.
What the DVA-C02 Tests on Lambda VPC
The DVA-C02 exam (Objective 1.1: Develop, test, and deploy code using AWS services) specifically tests your understanding of:
How to configure Lambda to access resources in a VPC.
The implications of VPC attachment on internet access and cold starts.
How to troubleshoot connectivity issues (e.g., missing routes, security group rules, IAM permissions).
The use of VPC endpoints and NAT Gateways to restore outbound connectivity.
The difference between Lambda in VPC and Lambda outside VPC.
Common Wrong Answers and Why Candidates Choose Them
"Lambda in a VPC can access the internet by default." This is false. Many candidates assume that because Lambda normally has internet access, placing it in a VPC retains that access. In reality, VPC attachment removes internet access unless you explicitly add a NAT Gateway or VPC endpoints.
"You must assign a public IP to the Lambda function." Lambda functions cannot have public IPs. The ENI gets a private IP only. To reach the internet, you need a NAT Gateway with an Elastic IP, not a public IP on the function itself.
"Lambda in VPC always has the same cold start as non-VPC Lambda." This is wrong because ENI creation adds significant latency. Cold starts for VPC functions are 5-10 seconds longer on average.
"You can attach Lambda to a VPC using a VPC peering connection." Lambda must be in the same VPC as the resources it accesses. VPC peering does not allow Lambda to be attached to a peered VPC; you would need to use a Transit Gateway or VPC endpoint.
Specific Numbers and Terms on the Exam
Maximum subnets: 16
Maximum security groups: 5
Default ENI concurrency limit: 1,000 concurrent executions per ENI
Default ENI quota per region: 250
ENI creation time: 30-90 seconds
IAM actions required: ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface, ec2:AssignPrivateIpAddresses
Managed policy: AWSLambdaVPCAccessExecutionRole
Edge Cases and Exceptions
Lambda with VPC and no internet access: If the function tries to call an AWS service without a VPC endpoint, it will time out. The exam may present a scenario where the function fails to write to S3, and the answer is to add a VPC endpoint for S3.
Lambda with multiple subnets: If one subnet has no route to the NAT Gateway, invocations in that subnet will fail to reach the internet. The exam may test that you need consistent routing across all subnets.
Lambda with VPC and DynamoDB: DynamoDB is accessible via a Gateway Endpoint (free) or via internet through NAT. The exam may ask which is more cost-effective.
Lambda@Edge and VPC: Lambda@Edge cannot be in a VPC. This is a common trick question.
How to Eliminate Wrong Answers
If the question involves Lambda accessing a private RDS, the answer must include Lambda being in the same VPC. Eliminate any option that does not mention VPC configuration.
If the question involves Lambda accessing the internet, look for NAT Gateway or VPC endpoints. Eliminate options that say "assign a public IP" or "use an Internet Gateway directly on the function."
If the question involves slow cold starts, look for Provisioned Concurrency as a solution. Eliminate options that suggest increasing memory (which helps compute, not network).
If the question involves IAM errors, look for missing EC2 permissions. The managed policy AWSLambdaVPCAccessExecutionRole is the typical fix.
Lambda in a VPC loses internet access by default; you must add a NAT Gateway or VPC endpoints to restore outbound connectivity.
Lambda uses Elastic Network Interfaces (ENIs) with private IPs from your subnet; each ENI supports up to 1,000 concurrent executions.
Cold starts for VPC-attached Lambda are significantly slower (5-10 seconds extra) due to ENI provisioning time.
The Lambda execution role must have ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface, and ec2:AssignPrivateIpAddresses permissions.
You can specify up to 16 subnets and 5 security groups in the VPC configuration.
To access RDS, ElastiCache, or other private resources, Lambda must be in the same VPC.
VPC endpoints (Gateway for S3/DynamoDB, Interface for other services) provide private access to AWS services without internet.
Lambda@Edge does not support VPC configuration; it runs at CloudFront edge locations.
Provisioned Concurrency can mitigate cold starts for VPC Lambda by keeping execution environments warm.
Security group inbound rules have no effect on Lambda functions; only outbound rules control traffic.
These come up on the exam all the time. Here's how to tell them apart.
Lambda in VPC (Private Subnet)
Has a private IP from your VPC subnet.
No default internet access; requires NAT Gateway or VPC endpoints.
Can access resources in the same VPC (RDS, ElastiCache, etc.).
Cold starts are slower due to ENI creation (5-10 seconds extra).
Requires IAM permissions for EC2 actions (CreateNetworkInterface, etc.).
Lambda outside VPC (Default)
Runs in an AWS-managed VPC with a public IP (not customer-controlled).
Has full internet access by default.
Cannot access resources in your VPC unless they are publicly exposed.
Cold starts are faster (no ENI provisioning).
No special IAM permissions needed for networking.
NAT Gateway
Provides outbound internet access for private subnets.
Has an hourly cost ($0.045/hour) plus data processing fees.
Works for all internet destinations.
Requires an Elastic IP and placement in a public subnet.
Cannot be used for inbound connections from the internet.
VPC Endpoint (Gateway/Interface)
Provides private access to AWS services without internet.
Gateway Endpoints are free; Interface Endpoints have hourly costs.
Only works for specific AWS services (S3, DynamoDB for Gateway; many others for Interface).
Uses AWS PrivateLink technology; traffic stays within AWS network.
Can be used for both inbound and outbound access to the service.
Mistake
Lambda in a VPC can reach the internet by default.
Correct
No. When you attach a Lambda function to a VPC, it loses internet access. You must explicitly provide outbound connectivity via a NAT Gateway, NAT instance, or VPC endpoints. The function only has a private IP and cannot be reached from the internet.
Mistake
Lambda functions in a VPC get a public IP address.
Correct
Lambda functions never get public IPs. They use Elastic Network Interfaces with private IPs from the VPC subnet. To access the internet, traffic must be routed through a NAT Gateway that has an Elastic IP.
Mistake
You can attach a Lambda function to multiple VPCs.
Correct
A Lambda function can only be attached to a single VPC at a time. You specify subnets and security groups from one VPC. To access resources in another VPC, use VPC peering, Transit Gateway, or VPC endpoints.
Mistake
Lambda in a VPC eliminates cold starts.
Correct
Lambda in a VPC actually increases cold start latency because ENI creation takes extra time (30-90 seconds). Provisioned Concurrency can mitigate this, but it does not eliminate cold starts entirely.
Mistake
Security group inbound rules control traffic to the Lambda function.
Correct
Lambda functions cannot receive inbound network connections. They are invoked by AWS services (e.g., API Gateway, S3) via the Lambda API. Security group inbound rules have no effect; only outbound rules matter.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
When you attach a Lambda function to a VPC, it loses its default internet access. The function's ENI is placed in a private subnet, which typically has no route to an internet gateway. To restore outbound internet access, you must add a NAT Gateway in a public subnet and update the private subnet's route table to point 0.0.0.0/0 to the NAT Gateway. Alternatively, for AWS services, use VPC endpoints. Without this, any outbound internet requests will time out.
No. Lambda functions cannot have public IP addresses. They are assigned private IPs from your VPC subnet via an Elastic Network Interface. To allow the function to be reachable from the internet, you would need to use an API Gateway or Application Load Balancer in front of the Lambda, not a public IP on the function itself.
Cold starts for VPC Lambda are primarily caused by ENI creation. To reduce them, you can use Provisioned Concurrency, which keeps a specified number of execution environments initialized and ready to respond. This eliminates the cold start for requests within the provisioned concurrency limit. Additionally, you can increase the function's memory (which also increases CPU) to speed up initialization, but the main gain comes from Provisioned Concurrency.
The Lambda function's execution role must include permissions to create, describe, and delete Elastic Network Interfaces. Specifically, you need ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface, and ec2:AssignPrivateIpAddresses. AWS provides a managed policy called AWSLambdaVPCAccessExecutionRole that includes these permissions. Without these, the function will fail with an 'EC2 access denied' error when invoked.
No. Lambda functions can only be attached to a VPC in the same AWS account and region. To access resources in a different account's VPC, you can use VPC peering, Transit Gateway, or AWS PrivateLink, but the Lambda function itself must be in its own account's VPC.
Gateway VPC Endpoints are free and only support Amazon S3 and DynamoDB. They work by adding a prefix list route in your route table. Interface VPC Endpoints (powered by AWS PrivateLink) incur hourly charges and support many AWS services (e.g., SQS, SNS, Kinesis, CloudWatch). For Lambda functions in a VPC, if you need to access S3 or DynamoDB, use a Gateway Endpoint. For other services, use an Interface Endpoint.
Yes, but with limitations. Lambda functions can be configured with dual-stack subnets (IPv4 and IPv6). However, the ENI will only get an IPv4 address by default. To use IPv6, you must assign an IPv6 address to the ENI via custom networking. Additionally, NAT Gateways do not support IPv6; for outbound IPv6 traffic, you need an egress-only internet gateway. The exam rarely tests IPv6 details.
You've just covered Lambda in VPC: Network Configuration — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?