Connecting inbound interface VPC endpoints for Lambda - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting inbound interface VPC endpoints for Lambda

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a connection between your VPC and Lambda. You can use this connection to invoke your Lambda function without crossing the public internet.

To establish a private connection between your VPC and Lambda, create an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, which enables you to privately access Lambda APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Lambda APIs. Traffic between your VPC and Lambda does not leave the Amazon network.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets. A network interface provides a private IP address that serves as an entry point for traffic to Lambda.

Considerations for Lambda interface endpoints

Before you set up an interface endpoint for Lambda, be sure to review Interface endpoint properties and limitations in the Amazon VPC User Guide.

You can call any of the Lambda API operations from your VPC. For example, you can invoke the Lambda function by calling the Invoke API from within your VPC. For the full list of Lambda APIs, see Actions in the Lambda API reference.

use1-az3 is a limited capacity Region for Lambda VPC functions. You shouldn't use subnets in this availability zone with your Lambda functions because this can result in reduced zonal redundancy in the event of an outage.

Keep-alive for persistent connections

Lambda purges idle connections over time, so you must use a keep-alive directive to maintain persistent connections. Attempting to reuse an idle connection when invoking a function results in a connection error. To maintain your persistent connection, use the keep-alive directive associated with your runtime. For an example, see Reusing Connections with Keep-Alive in Node.js in the Amazon SDK for JavaScript Developer Guide.

Billing Considerations

There is no additional cost to access a Lambda function through an interface endpoint. For more Lambda pricing information, see Amazon Lambda Pricing.

Standard pricing for Amazon PrivateLink applies to interface endpoints for Lambda. Your Amazon account is billed for every hour an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more interface endpoint pricing information, see Amazon PrivateLink pricing.

VPC Peering Considerations

You can connect other VPCs to the VPC with interface endpoints using VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your own two VPCs, or with a VPC in another Amazon account. The VPCs can also be in two different Amazon Regions.

Traffic between peered VPCs stays on the Amazon network and does not traverse the public internet. Once VPCs are peered, resources like Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) instances, or VPC-enabled Lambda functions in both VPCs can access the Lambda API through interface endpoints created in the one of the VPCs.

Creating an interface endpoint for Lambda

You can create an interface endpoint for Lambda using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

To create an interface endpoint for Lambda (console)
  1. Open the Endpoints page of the Amazon VPC console.

  2. Choose Create Endpoint.

  3. For Service category, verify that Amazon services is selected.

  4. For Service Name, choose com.amazonaws.region.lambda. Verify that the Type is Interface.

  5. Choose a VPC and subnets.

  6. To enable private DNS for the interface endpoint, select the Enable DNS Name check box. We recommend that you enable private DNS names for your VPC endpoints for Amazon Web Services. This ensures that requests that use the public service endpoints, such as requests made through an Amazon SDK, resolve to your VPC endpoint.

  7. For Security group, choose one or more security groups.

  8. Choose Create endpoint.

To use the private DNS option, you must set the enableDnsHostnames and enableDnsSupportattributes of your VPC. For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide. If you enable private DNS for the interface endpoint, you can make API requests to Lambda using its default DNS name for the Region, for example, For more service endpoints, see Service endpoints and quotas in the Amazon Web Services General Reference.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

For information about creating and configuring an endpoint using Amazon CloudFormation, see the AWS::EC2::VPCEndpoint resource in the Amazon CloudFormation User Guide.

To create an interface endpoint for Lambda (Amazon CLI)

Use the create-vpc-endpoint command and specify the VPC ID, VPC endpoint type (interface), service name, subnets that will use the endpoint, and security groups to associate with the endpoint's network interfaces. For example:

aws ec2 create-vpc-endpoint --vpc-id vpc-ec43eb89 --vpc-endpoint-type Interface --service-name \ --subnet-id subnet-abababab --security-group-id sg-1a2b3c4d

Creating an interface endpoint policy for Lambda

To control who can use your interface endpoint and which Lambda functions the user can access, you can attach an endpoint policy to your endpoint. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that the principal can perform.

  • The resources on which the principal can perform actions.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: Interface endpoint policy for Lambda actions

The following is an example of an endpoint policy for Lambda. When attached to an endpoint, this policy allows user MyUser to invoke the function my-function.


You need to include both the qualified and the unqualified function ARN in the resource.

{ "Statement":[ { "Principal": { "AWS": "arn:aws-cn:iam::111122223333:user/MyUser" }, "Effect":"Allow", "Action":[ "lambda:InvokeFunction" ], "Resource": [ "arn:aws-cn:lambda:us-east-2:123456789012:function:my-function", "arn:aws-cn:lambda:us-east-2:123456789012:function:my-function:*" ] } ] }