Fermin Perdomo


How to Securely Connect AWS Lambda to a Private API in a VPC

July 19, 2025

When building cloud-native applications, it is common for a Lambda function to need a service that lives in a private subnet, such as an internal API running on EC2 or ECS. In this post we walk through a best-practice architecture for connecting AWS Lambda to that private API securely, and answer the questions that come up every time:

- Do I need a NAT Gateway?
- How do I configure route tables?
- What security group rules are required?

Let’s dive in.

Architecture Overview

• Lambda (attached to a private subnet through its VPC configuration; the function gets an elastic network interface there, never a public IP)
• Internal API (EC2, ECS, or an internal ALB, in another private subnet)
• Private Subnets (one for Lambda, one for the API)
• Public Subnet (optional, only needed to host a NAT Gateway if the Lambda needs internet access)
• Security Groups to control which resources may talk to each other
• Route Tables to define network routing per subnet

Network Layout

VPC (10.0.0.0/16)
 │
 ├── Public Subnet (10.0.0.0/24)
 │   └── NAT Gateway (optional; forwards to the Internet Gateway attached to the VPC)
 │
 ├── Private Subnet A (10.0.1.0/24) — Lambda
 │
 └── Private Subnet B (10.0.2.0/24) — Internal API

Route Table Setup

RT-Public (Public Subnet, only needed when a NAT Gateway is deployed)

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | Internet Gateway |

RT-Lambda (Private Subnet A)

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | NAT Gateway (only if internet access is needed) |

RT-API (Private Subnet B)

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |

The local route is what carries Lambda-to-API traffic; it exists in every VPC route table and cannot be removed, so no extra route is needed for the internal call. RT-API deliberately has no 0.0.0.0/0 route, which leaves the API hosts with no path to the internet at all. A NAT Gateway only works if the subnet it sits in routes 0.0.0.0/0 to the Internet Gateway, which is why RT-Public is listed: forgetting that route is the most common reason a "NAT-enabled" Lambda still times out on external calls.

Security Group Configuration

Lambda Security Group (SG-Lambda)

• Outbound Rule: Allow traffic to SG-API on the API's port (e.g., 443). Replace the default "allow all outbound" rule that every new security group ships with; otherwise the Lambda can reach anything the route table permits.

Internal API Security Group (SG-API)

• Inbound Rule: Allow traffic from SG-Lambda on the API port (e.g., 443). Do not use the subnet CIDR or a specific IP as the source: Lambda creates and replaces its network interfaces, so their addresses are not stable, while a security-group reference follows the interfaces wherever they land.

Security groups are stateful, so neither group needs a rule for the reply traffic. If an internal ALB fronts the API, attach SG-API to the ALB and give the EC2 or ECS targets their own group that accepts traffic only from SG-API. Use 443 only if the API actually serves TLS; if it listens on plain HTTP on another port, use that port in both rules rather than leaving 443 open for nothing.

Do I Need a NAT Gateway?

• Yes if your Lambda needs external access (third-party APIs, the public internet).
• No if your Lambda only calls internal services within the same VPC.

One caveat: once a Lambda is attached to a VPC, it loses the internet path it had by default, and that also covers calls to AWS service APIs made from your code. A function that fetches a credential from Secrets Manager, for example, needs either a NAT Gateway or an interface VPC endpoint for that service in the private subnet. If the only external traffic is to AWS services, the endpoint is the better choice: it keeps the traffic inside the AWS network and avoids the NAT Gateway's hourly and per-GB charges. A NAT Gateway is also tied to one Availability Zone, so a design that depends on it needs one per AZ the Lambda subnets span.
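To check the route tables, the security-group rules, and the NAT decision above without touching an AWS account, here is an added example that is not part of the original post. It models the layout in plain Python: a longest-prefix route lookup (the same rule the VPC uses to prefer the /16 local route over 0.0.0.0/0), stateful security-group evaluation with SG-to-SG references, and, for comparison, the IP-pinned inbound rule the Best Practices section advises against. The group names and addresses are constructed to match the diagram, 203.0.113.10 is a documentation address standing in for an external host, and the model assumes one security group per network interface.

```python
# Added example (not from the original post): an offline model of the route
# tables and security groups described above. Names, IPs and targets are
# constructed to match the post's layout; nothing here talks to AWS.
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Route tables as (destination CIDR, target). The local route is implicit in
# every VPC route table; RT-API intentionally has no 0.0.0.0/0 route.
RT_LAMBDA_WITH_NAT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway")]
RT_LAMBDA_NO_NAT = [("10.0.0.0/16", "local")]
RT_API = [("10.0.0.0/16", "local")]


def route_target(route_table, dst_ip):
    """Target the VPC would pick: the most specific matching prefix wins, so
    the /16 local route beats 0.0.0.0/0 for in-VPC destinations.
    None means there is no route at all and the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


@dataclass
class Rule:
    """One security-group rule. Exactly one of peer_sg / peer_cidr is set; the
    peer is the source for inbound rules and the destination for outbound."""
    port: int
    peer_sg: Optional[str] = None
    peer_cidr: Optional[str] = None

    def matches(self, peer_ip, peer_sg, port):
        if port != self.port:
            return False
        if self.peer_sg is not None:        # SG reference: resolved against the
            return peer_sg == self.peer_sg  # peer's *current* group membership
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.peer_cidr)


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def connection_allowed(src_ip, src_sg, dst_ip, dst_sg, port, src_route_table):
    """Emulate a new TCP connection from src to dst:port. Three checks, in the
    order the VPC applies them: a route exists, the source group allows it out,
    the destination group allows it in. Groups are stateful, so the reply
    needs no rule of its own."""
    if route_target(src_route_table, dst_ip) is None:
        return False, "no route"
    if not any(r.matches(dst_ip, dst_sg.name, port) for r in src_sg.outbound):
        return False, "blocked by source outbound"
    if not any(r.matches(src_ip, src_sg.name, port) for r in dst_sg.inbound):
        return False, "blocked by destination inbound"
    return True, "allowed"


# The post's configuration: SG-Lambda may only reach SG-API on 443, and
# SG-API only accepts 443 from SG-Lambda.
SG_LAMBDA = SecurityGroup("SG-Lambda", outbound=[Rule(443, peer_sg="SG-API")])
SG_API = SecurityGroup("SG-API", inbound=[Rule(443, peer_sg="SG-Lambda")])

# Same intent, but pinned to the address of one Lambda ENI (the IP-based
# variant the post advises against).
SG_API_BY_IP = SecurityGroup("SG-API", inbound=[Rule(443, peer_cidr="10.0.1.23/32")])

API_IP = "10.0.2.10"        # constructed: the internal API in Private Subnet B
EXTERNAL_IP = "203.0.113.10"  # constructed: some host on the internet


def check_design(lambda_ip):
    """Evaluate the design for a Lambda ENI that currently holds lambda_ip.
    Lambda replaces its ENIs over time, so this address is not stable."""
    return {
        "api_443_by_sg": connection_allowed(lambda_ip, SG_LAMBDA, API_IP, SG_API, 443, RT_LAMBDA_NO_NAT)[0],
        "api_443_by_ip": connection_allowed(lambda_ip, SG_LAMBDA, API_IP, SG_API_BY_IP, 443, RT_LAMBDA_NO_NAT)[0],
        "api_80": connection_allowed(lambda_ip, SG_LAMBDA, API_IP, SG_API, 80, RT_LAMBDA_NO_NAT)[0],
        "internet_no_nat": route_target(RT_LAMBDA_NO_NAT, EXTERNAL_IP),
        "internet_with_nat": route_target(RT_LAMBDA_WITH_NAT, EXTERNAL_IP),
        "api_route": route_target(RT_LAMBDA_WITH_NAT, API_IP),
    }


if __name__ == "__main__":
    for ip in ("10.0.1.23", "10.0.1.77"):  # first ENI, then a replacement ENI
        print(ip, check_design(ip))
```

Running it prints one line per Lambda address. For the first ENI both the SG-referenced and the IP-pinned rule allow the call; after Lambda replaces the ENI with 10.0.1.77 the SG reference still matches while the /32 rule silently starts failing, which is exactly the "dynamic access" argument for SG-to-SG rules. The route checks show why the NAT decision is independent of the internal call: API_IP resolves to local whether or not a NAT route exists, and the external address has no route at all without one.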

Best Practices

• Use security-group-to-security-group rules instead of IP addresses; Lambda network interfaces come and go, and a group reference follows them.
• Keep the private subnets private: do not auto-assign public IPs to EC2 instances there, and leave RT-API without a default route.
• Give the Lambda execution role the AWSLambdaVPCAccessExecutionRole managed policy (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface); without it the VPC attachment fails.
• Use at least two private subnets in different Availability Zones for both the Lambda and the API so a single AZ outage does not take the path down.
• Use AWS Secrets Manager for credentials, and remember that reaching it from inside the VPC needs a NAT Gateway or an interface VPC endpoint.
• Monitor using CloudWatch Logs and X-Ray; Lambda delivers its own logs and traces, so these work without a NAT Gateway.
• Scale internal APIs with an internal ALB + Auto Scaling Group or ECS, and terminate TLS at the ALB so the 443 rule protects real traffic.

Final Thoughts

By placing both the Lambda and the API in private subnets, giving the API subnet no route to the internet, and scoping access with security-group references, the only path to the API is the one you deliberately opened. The NAT Gateway stays optional: add it (or VPC endpoints) only when the function genuinely needs something outside the VPC.
