Tags: amazon-web-services, amazon-vpc

Why can my lambda function not access S3 and SQS when an EC2 instance in the same VPC can?


I have the following resources provisioned in AWS:

  1. A VPC (the default VPC for my AWS region) with 3 subnets and an internet gateway
  2. An EC2 instance in the VPC with an elastic IP attached, and a NodeJS application server running
  3. An RDS instance in the VPC
  4. A Lambda function configured to run in the VPC (because it needs to access RDS)
  5. An S3 bucket
  6. An SQS queue

The application server running on my EC2 instance is able to connect to S3 and SQS using the AWS SDK for NodeJS. All I had to do was specify the S3 bucket's name and SQS queue's url.

However, my lambda function was unable to do the same until I set up a VPC Gateway Endpoint for S3, and a VPC Interface Endpoint for SQS. This was despite the lambda function having internet access - I was able to retrieve a file from the internet in a test run of the lambda function.

What was preventing the lambda function from accessing S3 and SQS until the VPC endpoints were created?


Solution

  • default VPC for my AWS region

    The default VPC has all its subnets public. Lambda does not have internet access, even if you place it in such a subnet. Thus it can't access S3 or anything else.

    To enable internet access for your lambda, it must be placed in a private subnet and use NAT to access the internet, as explained in the AWS docs.

    Alternatively, you have to create VPC interface endpoints for S3 and SQS. This way your lambda will use the VPC endpoints to access these services, rather than trying to do it using the internet.
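As an added illustration (not part of the answer above), the check below encodes that reasoning as a classifier over route-table and VPC-endpoint descriptions: a default route to an internet gateway gives a Lambda ENI no egress, a NAT default route does, and an available endpoint covers its service either way. The dictionaries follow the shape of `aws ec2 describe-route-tables` / `describe-vpc-endpoints` output, but every id and record is a constructed placeholder.

```python
# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-vpc-endpoints` output; all ids are placeholders.
REGION = "us-east-1"

PUBLIC_RT = {  # default-VPC subnet: default route via an internet gateway
    "RouteTableId": "rtb-0example",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
    ],
}
PRIVATE_RT = {  # private subnet: default route via a NAT gateway
    "RouteTableId": "rtb-1example",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
    ],
}
ENDPOINTS = [  # S3 gateway endpoint (attached to PUBLIC_RT only), SQS interface endpoint
    {"ServiceName": f"com.amazonaws.{REGION}.s3", "VpcEndpointType": "Gateway",
     "State": "available", "RouteTableIds": ["rtb-0example"]},
    {"ServiceName": f"com.amazonaws.{REGION}.sqs", "VpcEndpointType": "Interface",
     "State": "available", "RouteTableIds": []},
]


def classify_egress(route_table, endpoints, region, services=("s3", "sqs")):
    """For a Lambda ENI in a subnet using `route_table`, report how it reaches
    the internet ('nat' or 'none') and each service ('endpoint', 'nat', 'blocked')."""
    internet = "none"
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId", "").startswith("nat-"):
            internet = "nat"
        # A default route to an igw- makes the subnet public, but a Lambda ENI
        # never gets a public IP, so that route gives the function no egress.
    result = {"internet": internet}
    for svc in services:
        usable = False
        for ep in endpoints:
            if ep["ServiceName"] != f"com.amazonaws.{region}.{svc}" or ep["State"] != "available":
                continue
            # A gateway endpoint serves only the route tables it is attached to;
            # an interface endpoint is reachable from any subnet in the VPC.
            if ep["VpcEndpointType"] == "Interface" or route_table["RouteTableId"] in ep["RouteTableIds"]:
                usable = True
        result[svc] = "endpoint" if usable else ("nat" if internet == "nat" else "blocked")
    return result
```

Run against the question's situation (PUBLIC_RT with no endpoints) it reports both services as blocked, which is exactly the failure described; adding the endpoints or moving to PRIVATE_RT clears it.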