
Thiago Scodeler • 3 years ago

Hi Alex, thank you for the great article!
I have a question for the following scenario:
If I have a lambda that should access an external application through the internet (nat gateway -> internet gateway) but also have access to internal AWS services through VPC endpoint, how does the lambda know that it should go to the internet only for the external application?
Is that possible to configure something like that on AWS?

Alex D • 3 years ago

Hey Thiago!

Glad you liked it. Good question. If you have DNS hostnames and resolution configured for your VPC, then AWS will automatically set up a private hosted zone for you that resolves the standard hostnames to the private endpoints. More details here: https://docs.aws.amazon.com...
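As an added illustration of the mechanism Alex describes (this is not code from the original post or its author), the CloudFormation fragment below shows the three settings that make the split routing work: the VPC's DNS attributes, an interface endpoint with `PrivateDnsEnabled`, and a security group that only admits the Lambda's own security group. The subnet and Lambda security group resources (`PrivateSubnetA`, `PrivateSubnetB`, `LambdaSecurityGroup`) are assumed to exist elsewhere in the same template; SQS is used as the example service.

```yaml
# Added example, not part of the original post. Assumes PrivateSubnetA,
# PrivateSubnetB and LambdaSecurityGroup are defined elsewhere in the template.
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      # Both attributes must be true, otherwise CloudFormation rejects
      # PrivateDnsEnabled on the endpoint below.
      EnableDnsSupport: true
      EnableDnsHostnames: true

  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the endpoint ENIs, from the Lambda security group only
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LambdaSecurityGroup

  SqsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: !Ref Vpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # Creates the private hosted zone that resolves
      # sqs.<region>.amazonaws.com to the endpoint's private IPs.
      PrivateDnsEnabled: true
```

With this in place the Lambda needs no special routing logic: the SDK resolves the standard service hostname to the endpoint's private addresses inside the VPC, while any other hostname still resolves publicly and follows the subnet's `0.0.0.0/0` route through the NAT gateway. One check worth doing after deployment is to resolve the service hostname from inside the VPC and confirm it returns addresses in your subnet CIDRs; if it returns public IPs, `PrivateDnsEnabled` or the VPC DNS attributes are not what you think they are.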

Thiago Scodeler • 3 years ago

Hey Alex, got it!
Thank you again for the great info :)

Prasanna Krishnaswamy • 4 years ago

Hey Alex!

This is a great post. But the statement "hosting a Lambda function inside a VPC" seems misleading right? This is meaning like having the lambda function executed within VPC (at least for me). Not just this one, but many blog posts I saw the statements like "Using Lambda within VPC". The announcement post you quoted, highlights that the lambda function indeed runs in the service owned VPC and with the help of ENI only the tunnel would be created to access customer VPC resources. Please correct me if I am wrong.
- Prasanna

Tom Medema • 5 years ago

This is great, though it would have been better if you could provide instructions on how to setup a Gateway endpoint. Your example interface endpoint cannot be used for a gateway when using e.g. S3, as properties like SubnetIds are interface only (see https://docs.aws.amazon.com....

We had this problem at usebubbles.com where we're attaching EFS to Lambda to support unlimited video file sizes.

When using a gateway endpoint, you'll have to set RouteTableIds, and since the default route table cannot be accessed from cloudformation, you'll also have to create a custom route table, and create `AWS::EC2::SubnetRouteTableAssociation`s to connect the route table with each subnet.
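Putting the steps Tom lists into one fragment (an added example, not code from the commenter or the article), the gateway endpoint for S3 sits on a custom route table that is explicitly associated with each subnet. The VPC and subnet resources (`Vpc`, `PrivateSubnetA`, `PrivateSubnetB`) and the bucket (`VideoBucket`) are assumed to be defined elsewhere in the template; the endpoint policy is added as the restriction a practitioner would normally want, so that the endpoint can only reach the bucket the function actually uses.

```yaml
# Added example, not part of the original post. Assumes Vpc, PrivateSubnetA,
# PrivateSubnetB and VideoBucket are defined elsewhere in the template.
Resources:
  # The default route table cannot be referenced from CloudFormation,
  # so a custom table is created and attached to every Lambda subnet.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc

  PrivateSubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetA

  PrivateSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetB

  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      VpcId: !Ref Vpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      # Gateway endpoints take RouteTableIds, not SubnetIds; AWS adds a
      # prefix-list route for S3 to each listed table automatically.
      RouteTableIds:
        - !Ref PrivateRouteTable
      # Endpoint policy: only the one bucket the function needs is reachable
      # through this endpoint.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: !Sub arn:aws:s3:::${VideoBucket}/*
```

The one thing that is easy to get wrong is the link between the two halves: the Lambda function's `VpcConfig.SubnetIds` must be exactly the subnets associated with `PrivateRouteTable`. A subnet that stays on the default route table never sees the prefix-list route, and S3 calls from a function in that subnet will either go out through the NAT gateway or, if there is no NAT, hang until the SDK times out.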

Alex D • 5 years ago

Yep for sure. I went with interface endpoint because it supports more services than gateway endpoints.

Were you able to use a gateway endpoint for EFS? I thought it was S3 & DynamoDB only?

Also, usebubbles.com looks sweet!

Tom Medema • 5 years ago

Got it! EFS seems to be a completely different beast, which always needs to be in a VPC, and connects to Lambdas using the `FileSystemConfigs` lambda prop and by creating `AWS::EFS::MountTarget`s connecting the file systems with each subnet.

Since EFS forced us to use a VPC, we also needed to set an S3 gateway endpoint as our Lambda was using S3. I've described this in more detail as well as the EFS setup in this walkthrough:
https://app.usebubbles.com/...

Thanks for the kind words re usebubbles.com :)
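For the EFS side of the setup Tom describes, here is an added example (not the commenter's or the article's code) of the mount targets, the `FileSystemConfigs` property, and the pieces a security-minded deployment adds around them: a security group that admits NFS only from the Lambda's security group, encryption at rest, and an access point that pins the POSIX identity and root directory the function sees. `Vpc`, `PrivateSubnetA`, `PrivateSubnetB`, `LambdaSecurityGroup` and `LambdaRole` are assumed to be defined elsewhere in the template; the role is assumed to carry VPC access and `elasticfilesystem:ClientMount`/`ClientWrite` permissions.

```yaml
# Added example, not part of the original post. Assumes Vpc, PrivateSubnetA,
# PrivateSubnetB, LambdaSecurityGroup and LambdaRole exist elsewhere.
Resources:
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NFS (2049) from the Lambda security group only
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref LambdaSecurityGroup

  VideoFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true

  # One mount target per subnet the function is deployed into.
  MountTargetA:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref VideoFileSystem
      SubnetId: !Ref PrivateSubnetA
      SecurityGroups:
        - !Ref EfsSecurityGroup

  MountTargetB:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref VideoFileSystem
      SubnetId: !Ref PrivateSubnetB
      SecurityGroups:
        - !Ref EfsSecurityGroup

  # Lambda mounts through an access point, which fixes the uid/gid and
  # confines the function to one directory of the file system.
  VideoAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref VideoFileSystem
      PosixUser:
        Uid: "1000"
        Gid: "1000"
      RootDirectory:
        Path: /lambda
        CreationInfo:
          OwnerUid: "1000"
          OwnerGid: "1000"
          Permissions: "0750"

  VideoProcessor:
    Type: AWS::Lambda::Function
    # Function creation fails if the mount targets are not yet available,
    # so make the dependency explicit.
    DependsOn:
      - MountTargetA
      - MountTargetB
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaRole.Arn
      Code:
        ZipFile: |
          import os
          def handler(event, context):
              return os.listdir("/mnt/video")
      VpcConfig:
        SubnetIds:
          - !Ref PrivateSubnetA
          - !Ref PrivateSubnetB
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
      FileSystemConfigs:
        - Arn: !GetAtt VideoAccessPoint.Arn
          LocalMountPath: /mnt/video   # Lambda requires a path under /mnt
```

The access point is doing real work here: without it every invocation mounts the file system as root with the whole tree visible, and any path traversal bug in the function's handling of uploaded filenames has the entire volume to work with. Combined with the S3 gateway endpoint from the earlier comment, the function's subnets need no route to the internet at all for this workload, which is worth verifying by temporarily removing the NAT route in a test stack and confirming the function still works.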

Alex D • 5 years ago

Ahh, that makes sense on needing the S3 endpoint then. Interesting! Will see if I can throw an example together at some point.

Tom Medema • 5 years ago

Looking forward to it :)