AWS VPC Summary
Who should read this page
People who already know which VPC-related services AWS offers, but are not sure how those services work together to route traffic.
Important routes
(IP addresses are for reference only.)
Route 1. EC2 Instance in Public Subnet → Internet (8.8.8.8)
EC2 Instance in Public Subnet
→ Security Group 1 [stateful: an outbound rule must allow the request; the reply is admitted automatically]
→ Network ACL 1 [stateless: an outbound rule must allow the request and an inbound rule must allow the reply on the ephemeral port range]
→ Route Table 1 [8.8.8.8 does not match the local route for the VPC CIDR, so the 0.0.0.0/0 route sends the traffic to the Internet Gateway.]
→ Internet Gateway [maps the instance's private IP to its public or Elastic IP; an instance without one cannot use this route]
→ Internet
Route 2. EC2 Instance in Private Subnet → Internet (8.8.8.8)
EC2 Instance in Private Subnet
→ Security Group 21
→ Network ACL 2
→ Route Table 2 [8.8.8.8 does not match the local route for the VPC CIDR, so the 0.0.0.0/0 route sends the traffic to the NAT Gateway in the public subnet.]
→ NAT Gateway [has no Security Group of its own; it rewrites the source address to its Elastic IP. Network ACL 1 must already have admitted the packet on its way into the public subnet.]
→ Network ACL 1
→ Route Table 1 [8.8.8.8 does not match the local route, so the 0.0.0.0/0 route sends the traffic to the Internet Gateway.]
→ Internet Gateway
→ Internet
Route 3. EC2 Instance in Private Subnet → VPC Endpoint → Kinesis Data Streams
EC2 Instance in Private Subnet
→ Security Group 21 [outbound rule must allow HTTPS (TCP 443) to the endpoint's private IP or to Security Group 22]
→ Network ACL 2 [evaluated only if the endpoint ENI is in a different subnet from the instance; traffic that stays inside one subnet does not pass a Network ACL]
→ Route Table 2 [the endpoint ENI has a private IP inside the VPC CIDR, so the local route applies; neither the NAT Gateway nor the Internet Gateway is involved]
→ Security Group 22 [attached to the endpoint ENI; its inbound rule must allow TCP 443 from Security Group 21 or from the instance's CIDR]
→ VPC Endpoint with Policy [the endpoint policy decides which IAM principals may call which Kinesis actions through this endpoint]
→ Kinesis Data Streams [reached over AWS PrivateLink, never over the Internet]
[Caveat: enable private DNS on the endpoint so that the regional Kinesis hostname resolves to the endpoint's private IP inside the VPC; otherwise clients resolve the public address and take Route 2, or fail if there is no NAT Gateway.]
Route 4. EC2 Instance in Private Subnet → EC2 Instance in Public Subnet (172.31.0.10)
EC2 Instance in Private Subnet
→ Security Group 21
→ Network ACL 2
→ Route Table 2 [172.31.0.10 is inside the VPC CIDR, so the local route applies.]
→ Network ACL 1 [inbound rule must allow the request; because Network ACLs are stateless, Network ACL 1 outbound and Network ACL 2 inbound must also allow the reply on the ephemeral port range]
→ Security Group 1 [inbound rule must allow the request from Security Group 21 or from the private subnet's CIDR; the reply is admitted automatically because Security Groups are stateful]
→ EC2 Instance in Public Subnet
Use case (the real issue I faced)
I want my Lambda Function to access Kinesis Data Streams without going through the Internet. [Route B: Lambda Function → VPC Endpoint → KDS]
This corresponds to Route 3 explained above.
I set up all the resources (including Lambda, KDS and the VPC Endpoint) and confirmed that Lambda could access KDS. However, I found that I had forgotten to put my Lambda Function into my VPC, meaning my Lambda Function was outside the VPC and accessed KDS via the Internet. [Route A: Lambda Function → Internet → KDS]
Then I put the Lambda Function into the VPC and found that the Lambda Function failed to access Kinesis Data Streams and was terminated without any messages in CloudWatch Logs.
After some investigation, the cause was found: the Security Group of the VPC Endpoint rejected the traffic. I also learned that Lambda can't leave logs in CloudWatch Logs if executions time out.
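The four routes above and the failing endpoint Security Group from the use case, played through as an added example (my code, not the page's and not AWS code): a small Python model of the three decisions a packet meets in a VPC, the route table's longest-prefix match, the allow-only stateful Security Group, and the numbered stateless Network ACL. The topology, CIDRs, addresses, Security Group names and rule numbers are all assumed for the example; in particular the Kinesis endpoint's Security Group 22 starts out admitting only Security Group 21, which is the state the use case describes, and the Lambda ENI's group "sg-lambda" is a made-up name. Running it shows Route 2 passing through the NAT Gateway, a DNS query over UDP and an SSH attempt in Route 4 being dropped by Network ACL 2 even though the Security Groups allow them, and the Lambda call to the endpoint being dropped until the endpoint's Security Group also admits the Lambda's group.

```python
"""How a VPC route table, security groups (SG) and network ACLs (NACL) combine to
admit or drop one flow. Added example for this page, not AWS code: every CIDR,
address, SG name and rule number below is assumed."""
import copy
import ipaddress
from collections import namedtuple

# src/dst IP, protocol, destination port, client's ephemeral port (replies come back to it)
Packet = namedtuple("Packet", "src dst proto dport sport", defaults=[49152])
VPC = "172.31.0.0/16"  # assumed VPC CIDR
# Assumed topology: public subnet holding the NAT gateway; private subnet holding an
# EC2 instance, a Lambda ENI and the Kinesis interface endpoint ENI.
ROUTES = {"public": [(VPC, "local"), ("0.0.0.0/0", "igw")],
          "private": [(VPC, "local"), ("0.0.0.0/0", "nat")]}
HOSTS = {  # ip: (name, subnet, security groups, has a public/Elastic IP)
    "172.31.0.10": ("public-ec2", "public", ["sg1"], True),
    "172.31.0.5": ("nat-gateway", "public", [], True),  # NAT gateways carry no SG
    "172.31.1.10": ("private-ec2", "private", ["sg21"], False),
    "172.31.1.20": ("lambda-eni", "private", ["sg-lambda"], False),
    "172.31.1.100": ("kinesis-endpoint", "private", ["sg22"], False)}
ANY = [("-1", None, "0.0.0.0/0")]
SGS = {  # rule: (proto, port or None for all, peer CIDR or "sg:<name>"); allow-only, stateful
    "sg1": {"in": [("tcp", 22, "0.0.0.0/0"), ("tcp", 80, "sg:sg21")], "out": ANY},
    "sg21": {"in": [], "out": ANY}, "sg-lambda": {"in": [], "out": ANY},
    "sg22": {"in": [("tcp", 443, "sg:sg21")], "out": ANY}}  # endpoint SG: admits EC2's SG only
NACLS = {  # rule: (number, proto, (low, high), CIDR, action); ascending, first match, stateless
    "public": {"in": [(100, "-1", (0, 65535), "0.0.0.0/0", "allow")],
               "out": [(100, "-1", (0, 65535), "0.0.0.0/0", "allow")]},
    "private": {"in": [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")],  # replies only
                "out": [(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
                        (110, "tcp", (80, 80), VPC, "allow")]}}

def select_route(routes, dst):
    """Longest-prefix match over (cidr, target) pairs, as a VPC route table does."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), t) for c, t in routes if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def sg_allows(rules, pkt, peer_ip, peer_sgs):
    """Any matching rule admits the flow; SGs have no deny rules and track state."""
    for proto, port, peer in rules:
        if proto in ("-1", pkt.proto) and port in (None, pkt.dport):
            if peer.startswith("sg:") and peer[3:] in peer_sgs:
                return True
            if not peer.startswith("sg:") and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(peer):
                return True
    return False

def nacl_verdict(rules, proto, port, peer_ip):
    """Lowest-numbered matching rule decides; no match means the implicit deny."""
    for _, r_proto, (lo, hi), cidr, action in sorted(rules):
        if r_proto in ("-1", proto) and lo <= port <= hi and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def nacl_pass(pkt, egress, ingress=None):
    """Stateless, so four checks: packet out of the source subnet, reply back in on the
    ephemeral port, and the same pair at the destination subnet when it is in the VPC."""
    checks = [(egress["out"], pkt.dport, pkt.dst), (egress["in"], pkt.sport, pkt.dst)]
    if ingress:
        checks += [(ingress["in"], pkt.dport, pkt.src), (ingress["out"], pkt.sport, pkt.src)]
    return all(nacl_verdict(r, pkt.proto, p, ip) for r, p, ip in checks)

def trace(pkt, sgs=SGS):
    """Return (allowed, hops) for one packet through the assumed topology."""
    name, subnet, my_sgs, public_ip = HOSTS[pkt.src]
    dst, hops = HOSTS.get(pkt.dst), [name]
    if my_sgs and not any(sg_allows(sgs[s]["out"], pkt, pkt.dst, dst[2] if dst else []) for s in my_sgs):
        return False, hops + ["DROP: outbound SG"]
    target = select_route(ROUTES[subnet], pkt.dst)
    hops.append(f"route table {subnet} -> {target}")
    if target == "local" and dst:
        dname, dsubnet, dsgs, _ = dst
        if dsubnet != subnet and not nacl_pass(pkt, NACLS[subnet], NACLS[dsubnet]):
            return False, hops + [f"DROP: NACL {subnet}/{dsubnet}"]  # same-subnet traffic skips NACLs
        if dsgs and not any(sg_allows(sgs[s]["in"], pkt, pkt.src, my_sgs) for s in dsgs):
            return False, hops + [f"DROP: inbound SG of {dname}"]
        return True, hops + [dname]  # an endpoint ENI then applies its endpoint policy
    if target in ("nat", "igw") and not nacl_pass(pkt, NACLS[subnet], NACLS["public"] if target == "nat" else None):
        return False, hops + [f"DROP: NACL toward {target}"]
    if target == "nat":  # the NAT gateway re-sends the packet from its own address in the public subnet
        ok, rest = trace(Packet("172.31.0.5", pkt.dst, pkt.proto, pkt.dport, pkt.sport), sgs)
        return ok, hops + rest
    if target == "igw":
        return public_ip, hops + (["Internet gateway", "Internet"] if public_ip else ["DROP: no public IP to map"])
    return False, hops + ["DROP: no route" if target is None else "DROP: no such host in VPC"]

# The fix the page's use case needed: the endpoint SG must also admit the Lambda SG on 443.
FIXED = copy.deepcopy(SGS)
FIXED["sg22"]["in"].append(("tcp", 443, "sg:sg-lambda"))

if __name__ == "__main__":
    for label, pkt, sgs in [("Route 2", Packet("172.31.1.10", "8.8.8.8", "tcp", 443), SGS),
                            ("Route 4", Packet("172.31.1.10", "172.31.0.10", "tcp", 80), SGS),
                            ("Lambda, broken", Packet("172.31.1.20", "172.31.1.100", "tcp", 443), SGS),
                            ("Lambda, fixed", Packet("172.31.1.20", "172.31.1.100", "tcp", 443), FIXED)]:
        ok, hops = trace(pkt, sgs)
        print(f"{label:15} {'ALLOW' if ok else 'DROP'}: " + " -> ".join(hops))
```

Two things the model leaves out on purpose: the endpoint policy, which is an IAM decision taken after the packet has already reached the endpoint ENI, and DNS resolution, which decides whether a client even aims at the endpoint's private IP instead of the public service address. Both sit outside the packet-level path the routes above describe.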