AWS Lambda function can't invoke another Lambda function in the same VPC

I created one VPC 10.5.0.0/16 with 2 subnets (10.5.1.0/24, 10.5.4.0/24).

I created a security group:

Inbound rules:

Type          Protocol   Port range   Source      Description - optional
All traffic   All        All          0.0.0.0/0   allowing traffic from same security group
All traffic   All        All          ::/0        allowing traffic from same security group

Outbound rules:

Type          Protocol   Port range   Source      Description - optional
All traffic   All        All          0.0.0.0/0   allowing traffic from same security group
All traffic   All        All          ::/0        allowing traffic from same security group

Now I created 2 Lambda functions with a proper IAM role (which contains the invoke policy). These 2 Lambda functions are in the same VPC, subnets and security groups.

Case 1:

  • I am able to invoke Lambda 2 from Lambda 1 successfully when the Lambda functions are not attached to VPC subnets and security groups

Case 2:

  • I am not able to invoke Lambda 2 from Lambda 1 when these are in the same VPC

I think I am missing something but I can't figure it out. Any suggestions?

Maldanna Gk Avatar asked Jun 07 '20 01:06



2 Answers

"I think I am missing something but I can't figure it out"

Unfortunately, the only way to invoke a Lambda function is through the public Lambda service endpoint. Since a Lambda function in a VPC has neither internet access nor a public IP, you can't invoke one Lambda function from another one in a VPC without access to the internet. From the docs:

Connecting a function to a public subnet does not give it internet access or a public IP address.

The fact that they are in the same VPC or even same subnet is irrelevant sadly.

To rectify the issue, the invoking function must have access to the internet, since the Lambda service does not have a VPC interface endpoint. This can be achieved by placing it in a private subnet and using a NAT gateway/instance with correctly configured route tables to provide the access.

Marcin Avatar answered Oct 09 '22 11:10



Lambdas inside a VPC without a NAT gateway don't have internet access. Invoking a Lambda function requires the caller to be able to connect to AWS APIs. This typically means that the caller needs to have internet access. The exceptions are the services that support VPC endpoints; in that case, a caller inside the VPC can connect to the service APIs privately. Unfortunately, Lambda isn't one of the services that support VPC endpoints.

jellycsc Avatar answered Oct 09 '22 10:10

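Both answers come down to the same check: each subnet the function is attached to needs a 0.0.0.0/0 route to a NAT gateway (a route to an internet gateway does not help, because Lambda ENIs never get a public IP), and the security group must allow TCP/443 outbound. The script below is an added example written for this page, not code from either answerer or from AWS. It evaluates constructed route tables and egress rules in the shape of EC2 DescribeRouteTables / DescribeSecurityGroups output; the subnet, route table, IGW and NAT IDs are made up, and no AWS SDK call is made.

```python
"""Check whether a VPC-attached Lambda function has the network path it
needs to call a public AWS API endpoint such as the Lambda Invoke API.

All identifiers and tables here are constructed sample data; nothing is
read from a real account. The shapes loosely follow EC2 DescribeRouteTables
and DescribeSecurityGroups output so the logic could be adapted to boto3
results, but no AWS SDK is used.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    target: str       # "local", "igw-...", "nat-...", "vpce-..." etc.


@dataclass
class RouteTable:
    rtb_id: str
    routes: List[Route]
    subnet_ids: List[str]  # explicit subnet associations
    main: bool = False     # the VPC main table applies to unassociated subnets


@dataclass
class EgressRule:
    protocol: str   # "-1" means all traffic, otherwise "tcp"/"udp"/...
    from_port: int
    to_port: int
    cidr: str


def route_table_for_subnet(tables: List[RouteTable], subnet_id: str) -> RouteTable:
    """An explicit association wins; otherwise the VPC main route table applies."""
    for t in tables:
        if subnet_id in t.subnet_ids:
            return t
    for t in tables:
        if t.main:
            return t
    raise ValueError(f"no route table (not even a main table) for {subnet_id}")


def classify_egress(tables: List[RouteTable], subnet_id: str) -> str:
    """Return 'nat', 'igw', 'isolated' or 'other' based on the 0.0.0.0/0 route."""
    table = route_table_for_subnet(tables, subnet_id)
    default = next((r.target for r in table.routes if r.destination == "0.0.0.0/0"), None)
    if default is None:
        return "isolated"
    if default.startswith("nat-"):
        return "nat"
    if default.startswith("igw-"):
        return "igw"
    return "other"


def sg_allows_https_egress(rules: List[EgressRule]) -> bool:
    """True if at least one outbound rule lets TCP/443 out to the public internet."""
    for r in rules:
        if r.cidr != "0.0.0.0/0":
            continue
        if r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= 443 <= r.to_port):
            return True
    return False


def diagnose(tables: List[RouteTable], egress_rules: List[EgressRule],
             lambda_subnet_ids: List[str]) -> Tuple[bool, List[str]]:
    """Lambda may place its ENI in any attached subnet, so every subnet must pass."""
    problems: List[str] = []
    for sid in lambda_subnet_ids:
        kind = classify_egress(tables, sid)
        if kind == "igw":
            problems.append(f"{sid}: 0.0.0.0/0 -> internet gateway, but Lambda ENIs have no "
                            "public IP, so this gives no internet access; use a private "
                            "subnet routed to a NAT gateway")
        elif kind == "isolated":
            problems.append(f"{sid}: no default route at all; add a NAT gateway route")
        elif kind == "other":
            problems.append(f"{sid}: default route to an unrecognised target; verify it "
                            "actually reaches the internet")
    if not sg_allows_https_egress(egress_rules):
        problems.append("security group: no outbound rule permits TCP/443 to 0.0.0.0/0")
    return (not problems, problems)


# --- constructed sample topology (made-up IDs, not from any real account) ---
IGW, NAT = "igw-0aaa1111", "nat-0bbb2222"
TABLES = [
    RouteTable("rtb-main", [Route("10.5.0.0/16", "local")], [], main=True),
    RouteTable("rtb-public", [Route("10.5.0.0/16", "local"), Route("0.0.0.0/0", IGW)],
               ["subnet-public"]),
    RouteTable("rtb-private", [Route("10.5.0.0/16", "local"), Route("0.0.0.0/0", NAT)],
               ["subnet-private"]),
]
ALL_OUT = [EgressRule("-1", 0, 65535, "0.0.0.0/0")]  # the question's all-traffic outbound rule

if __name__ == "__main__":
    for subnets in (["subnet-public"], ["subnet-private"], ["subnet-private", "subnet-orphan"]):
        ok, why = diagnose(TABLES, ALL_OUT, subnets)
        print(subnets, "OK" if ok else "BLOCKED", *why, sep="\n  ")
```

The third case in the usage block models the question's layout: one subnet with a working NAT route and one without. Because the function's ENIs can land in either subnet, the invoke works intermittently at best, which is why every attached subnet is checked rather than just the first.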