AWS Certified Developer – Associate / Question #1091 of 557

A developer is deploying an AWS Lambda function that requires connectivity to resources within a VPC's private subnets. Which approach minimizes operational complexity while ensuring secure access?

A

Attach the Lambda function to the VPC using private subnets. Create a security group allowing access to the private resources. Associate the security group with the Lambda function.

B

Configure the Lambda function to use a VPN connection to the VPC. Create a security group permitting traffic to the private resources. Attach the security group to the Lambda function.

C

Deploy a NAT gateway in a public subnet. Configure the Lambda function to route traffic through the NAT gateway and associate a security group allowing access to the resources.

D

Create an AWS PrivateLink interface endpoint for the VPC resources. Configure the Lambda function to communicate via the PrivateLink endpoint.

Explanation

Answer A is correct because attaching the Lambda function to the VPC's private subnets allows it to communicate directly with resources in the VPC. By associating a security group that permits access to the private resources, the solution maintains security while avoiding additional components like VPNs, NAT gateways, or PrivateLink. This approach leverages native VPC integration, reducing operational complexity.

Other options are incorrect because:
- B: VPNs are unnecessary for Lambda functions already attached to the VPC.
- C: NAT gateways are used for outbound internet access, not private subnet-to-subnet communication.
- D: PrivateLink is designed for cross-VPC or AWS service access, not intra-VPC connectivity.

Key Takeaway: Use VPC attachment and security groups for Lambda functions needing access to resources within the same VPC's private subnets.

Answer

The correct answer is: A