Question #1203
A company uses an AWS account connected to its on-premises data center via two AWS Direct Connect links. All non-VPC traffic is routed through a virtual private gateway. A development team deployed an AWS Lambda function via the console and needs it to access an on-premises file server hosted in a private subnet within the data center. Which solution meets these requirements?
A. Deploy the Lambda function within the VPC using a security group that permits access to the on-premises file server.
B. Establish a VPN connection between AWS and the data center. Route Lambda traffic through the VPN.
C. Assign an Elastic IP to the Lambda function and configure it to route traffic without an elastic network interface.
D. Modify the VPC route tables to enable Lambda traffic to reach the on-premises data center via Direct Connect.
Explanation
Answer A is correct because Lambda functions, by default, operate outside a VPC and cannot access on-premises resources via Direct Connect. Deploying the Lambda within the VPC enables it to use the VPC's route tables, which are configured to route on-premises traffic through the virtual private gateway (via Direct Connect). The security group must allow outbound access to the on-premises server's IP/port.
Other options are incorrect:
- B: A VPN is redundant since Direct Connect is already established.
- C: Lambda cannot be assigned an Elastic IP directly.
- D: Modifying VPC route tables alone is insufficient if Lambda is not deployed within the VPC.
Key Points:
1. Lambda outside a VPC cannot access on-premises resources via Direct Connect.
2. Deploying Lambda in a VPC allows it to leverage VPC routing (via Direct Connect).
3. Security groups must permit outbound traffic to the on-premises server.
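The three key points above can be verified without touching the account. The script below is an added example, not part of this question or of any AWS tool: it audits a Lambda function configuration against the VPC route tables and security groups, using constructed data shaped like the JSON that `aws lambda get-function-configuration`, `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return. Every ID, CIDR, host address and port in it (for example vgw-0example, 10.50.10.20, TCP 445) is a placeholder.

```python
import ipaddress

# Constructed sample data (placeholders, not from the question): shaped like
# AWS CLI output for a Lambda function, the VPC route tables and security groups.
ONPREM_SERVER = "10.50.10.20"   # hypothetical on-premises file server
ONPREM_PORT = 445               # hypothetical file-sharing port on that server

LAMBDA_NO_VPC = {               # how a console-created function looks by default
    "FunctionName": "file-sync",
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""},
}
LAMBDA_IN_VPC = {               # option A: attached to two private subnets plus a security group
    "FunctionName": "file-sync",
    "VpcConfig": {
        "SubnetIds": ["subnet-0aaa", "subnet-0bbb"],
        "SecurityGroupIds": ["sg-0lambda"],
        "VpcId": "vpc-0example",
    },
}
ROUTE_TABLES = [
    {   # main table: only the local route, no path to the data center
        "RouteTableId": "rtb-0main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # table of the Lambda subnets: on-premises prefix via the virtual private gateway
        "RouteTableId": "rtb-0private",
        "Associations": [{"SubnetId": "subnet-0aaa"}, {"SubnetId": "subnet-0bbb"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "vgw-0example", "State": "active"},
        ],
    },
]
SECURITY_GROUPS = [
    {   # least-privilege egress: only the file-server port toward the on-premises prefix
        "GroupId": "sg-0lambda",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "10.50.0.0/16"}]},
        ],
    },
    {   # egress limited to the VPC itself: would silently block the on-premises server
        "GroupId": "sg-0vpconly",
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    },
]


def _route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def _route_reaches_vgw(rt, host):
    """True if an active route covering `host` points at a virtual private gateway."""
    ip = ipaddress.ip_address(host)
    return any(
        r.get("State") == "active"
        and r.get("GatewayId", "").startswith("vgw-")
        and ip in ipaddress.ip_network(r["DestinationCidrBlock"])
        for r in rt["Routes"]
    )


def _egress_allows(sg, host, port, proto="tcp"):
    """True if one egress rule of `sg` permits proto/port toward `host` ('-1' = all traffic)."""
    ip = ipaddress.ip_address(host)
    for perm in sg["IpPermissionsEgress"]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def audit_onprem_reachability(func_cfg, route_tables, security_groups,
                              host=ONPREM_SERVER, port=ONPREM_PORT):
    """Return a list of findings; an empty list means all three key points hold."""
    findings = []
    vpc = func_cfg.get("VpcConfig") or {}
    subnets, sg_ids = vpc.get("SubnetIds", []), vpc.get("SecurityGroupIds", [])
    if not subnets or not sg_ids:   # key point 1: outside a VPC the VGW routes never apply
        findings.append("not attached to a VPC: no subnets/security groups, so VGW routes do not apply")
        return findings
    for subnet in subnets:          # key point 2: every subnet needs a vgw- route to the host
        rt = _route_table_for(subnet, route_tables)
        if not _route_reaches_vgw(rt, host):
            findings.append(f"{subnet}: route table {rt['RouteTableId']} has no active vgw- route covering {host}")
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    if not any(_egress_allows(by_id[s], host, port) for s in sg_ids if s in by_id):
        findings.append(f"no security group in {sg_ids} allows tcp/{port} egress to {host}")  # key point 3
    return findings


if __name__ == "__main__":
    for cfg in (LAMBDA_NO_VPC, LAMBDA_IN_VPC):
        print(cfg["FunctionName"], audit_onprem_reachability(cfg, ROUTE_TABLES, SECURITY_GROUPS) or "OK")
```

Running it reports the default, console-created function as not attached to a VPC and the option-A configuration as OK; swapping in sg-0vpconly produces only the security-group finding, which is the failure mode the explanation warns about. One prerequisite the script cannot see is the execution role: a function attached to a VPC must be allowed to create and delete its elastic network interfaces (the AWSLambdaVPCAccessExecutionRole managed policy grants this), or the deployment fails before any routing is exercised.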
Answer
The correct answer is: A