Question:
I have set up a VPC with 3 subnets in order to have access to a private RDS instance from my Lambda functions. The RDS <-> Lambda connection works fine, however now I’m not able to publish to SNS.
I found the announcement of VPC Endpoint support for SNS (incl. this blog post https://aws.amazon.com/blogs/security/securing-messages-published-to-amazon-sns-with-aws-privatelink/) and have added a VPC Endpoint Interface with these properties:
- Service name: com.amazonaws.eu-west-1.sns
- VPC: same as Lambda functions and other services
- Subnets: all included in my VPC (have also tested toggling them individually)
- Security Groups: all VPC security groups selected
All the services are in the eu-west-1 region. I know the code that publishes to SNS is correct, as it works when run in a non-VPC environment. The ARN I’m publishing to has remained unchanged: arn:aws:sns:eu-west-1:962446592636:whatever.
I’m aware that a NAT server could be set up to avoid this issue, but I’d prefer to use VPC Endpoints if possible to reduce costs.
Answer:
It works for me!
I did the following:
- Created an Amazon SNS topic and subscribed to it
- Created an AWS Lambda function with no VPC configuration, which sends a message to the SNS topic
- Tested the Lambda function — message received
- Created a VPC with two private subnets
- Created a Service Endpoint for SNS in the private subnets, with a Security Group allowing All TCP from 0.0.0.0/0 (for testing purposes)
- Modified the Lambda function to use the private subnets
- Tested the Lambda function — message received
So, everything worked fine. I didn’t have to modify any Lambda code.
My Lambda code:
```python
import boto3


def lambda_handler(event, context):
    # The SNS client is created exactly as in a non-VPC Lambda; with a VPC
    # interface endpoint in place the regional SNS hostname is reached
    # through the endpoint instead of the public internet.
    client = boto3.client('sns', region_name='ap-southeast-2')
    response = client.publish(
        TopicArn='arn:aws:sns:ap-southeast-2:123456789012:stack',
        Message='From Lambda'
    )
    return response
```