For Lambda functions to access resources in a VPC, they need to be moved into that same VPC. This can be done from the Configuration tab of the Lambda function. There are a few caveats to this:
- Lambda functions can exist only in private subnets of the VPC.
- It is recommended that the Lambda runs in at least two availability zones for fault tolerance.
- The VPC where the Lambda functions execute should have enough ENI pool capacity to accommodate the ramped-up concurrent executions of the Lambda.
- In our case, the Lambda has to call out to KMS to decrypt its environment variables. This traffic has to be routed over the internet, and therefore there has to be a NAT gateway in the VPC. ...
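The subnet and availability-zone caveats above can be checked mechanically. The following is an added example, not code from the original post: it audits a Lambda `VpcConfig` against the EC2 `DescribeSubnets` / `DescribeRouteTables` response shapes, classifying each subnet as public (default route to an internet gateway), NAT-routed private, or isolated (no default route, so the KMS call would time out). All subnet, VPC, NAT and IGW identifiers below are constructed, and the ENI pool caveat is not checked since it is not visible in this data.

```python
# Added example, not from the original post: audit a Lambda VpcConfig against the
# caveats above. Every identifier and the sample VPC are constructed for illustration.
def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    # An explicit subnet association wins; otherwise the VPC's main table applies.
    main = None
    for rt in (r for r in route_tables if r["VpcId"] == vpc_id):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, vpc_id, route_tables):
    # 'public' (default route -> IGW), 'private-nat' (-> NAT gateway) or 'isolated'.
    rt = route_table_for_subnet(subnet_id, vpc_id, route_tables) or {}
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "public"
        if (route.get("NatGatewayId") or "").startswith("nat-"):
            return "private-nat"
    return "isolated"

def audit_lambda_vpc(vpc_config, subnets, route_tables, min_azs=2):
    # Returns a list of findings; an empty list means the caveats are satisfied.
    findings, azs = [], set()
    by_id = {s["SubnetId"]: s for s in subnets}
    for sid in vpc_config["SubnetIds"]:
        azs.add(by_id[sid]["AvailabilityZone"])
        kind = classify_subnet(sid, by_id[sid]["VpcId"], route_tables)
        if kind == "public":
            findings.append(f"{sid}: public subnet, Lambda ENIs get no public IP so egress fails")
        elif kind == "isolated":
            findings.append(f"{sid}: no NAT route, KMS decrypt of env vars will time out")
    if len(azs) < min_azs:
        findings.append(f"only {len(azs)} AZ(s) used, need at least {min_azs}")
    return findings

# Constructed sample VPC: subnet-a/d private via NAT, subnet-b public, subnet-c isolated.
SUBNETS = [{"SubnetId": f"subnet-{n}", "VpcId": "vpc-1", "AvailabilityZone": az} for n, az
           in (("a", "us-east-1a"), ("b", "us-east-1b"), ("c", "us-east-1b"), ("d", "us-east-1b"))]
ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}], "Routes": []},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-d"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
]
```

Against a real account the same functions can be fed the output of `boto3` `describe_subnets` and `describe_route_tables` plus the function's `VpcConfig` from `get_function_configuration`.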