Lajpat

Reputation: 633

Not able to send email from Lambda to SES from within a VPC

I am trying to send email from Lambda to SES.

When I run Lambda in NO VPC mode then email is successfully sent.

But when I assign my VPC it doesn't work.

AWS has a VPC endpoint to connect to S3. Is the same available for SES? Or is it not possible to do so?

Upvotes: 8

Views: 5317

Answers (4)

jdnz

Reputation: 1165

In 2020 this is now possible by creating a VPC endpoint for SES (for the security group part just enable all traffic with the source being the security group the lambda belongs to).

However, as far as I can tell you cannot send mail using the SES API, you have to use SMTP. I set up my lambda as follows:

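"use strict";
const nodemailer = require("nodemailer");

// SMTP transport for SES; reached through the VPC endpoint when the Lambda runs in the VPC.
const transporter = nodemailer.createTransport({
    host: "email-smtp.YOURREGION.amazonaws.com", // replace YOURREGION with your SES region
    port: 465,
    secure: true, // TLS from the start of the connection on port 465
    auth: {
      // SMTP credentials, read from the Lambda's environment variables
      user: process.env.USER,
      pass: process.env.PASS,
    },
});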

const SENDER = '[email protected]';
const RECEIVER = '[email protected]';

const response = {
    "statusCode": 200,
    "headers": { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*'},
    "body": "{\"result\": \"Success.\"}"
};

const errResponse = {
    "statusCode": 500,
    "headers": {'Access-Control-Allow-Origin': '*'},
    "body": "{\"result\": \"Failed.\"}"
};

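exports.handler = function (event, context, callback) {
    transporter.sendMail({
        from: SENDER,
        to: RECEIVER,
        subject: "Hello ✔",
        text: "Hello world?", // plain text body
        html: "<b>Hello world?</b>", // html body
    }, function (error, info) {
        if (error) {
            console.log(error);
            // Return the 500 response as the result; passing it as the error
            // argument would fail the invocation instead of delivering it.
            callback(null, errResponse);
        } else {
            // info is an object; log the message ID rather than "[object Object]"
            console.log('Email sent: ' + info.messageId);
            callback(null, response);
        }
    });
};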

Upvotes: 2

Gilad S

Reputation: 2023

The easiest solution for me in a similar situation was to use SNS to invoke another lambda that is not inside a VPC to call the SES service. You can create an endpoint for SNS and connect it to the VPC.

Upvotes: 0

Brent

Reputation: 1488

A VPC endpoint is only available for S3 currently; there are plans to roll it out to other services already in flight, but it is not available yet.

As mentioned, the VPC your Lambda attaches to must have a route to the internet to connect to SES; the security groups must also allow the traffic to the secure SMTP port.

Upvotes: 2

Hugo Lopes Tavares

Reputation: 30394

It seems that the Lambda doesn't have Internet access. I'd confirm the Lambda subnet is associated with a route table that has a route to the internet (the SES endpoint is on the public internet) — 0.0.0.0 should point to a NAT gateway (or an equivalent outbound route to the internet).

Upvotes: 0
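
The route-table and security-group checks described in the answers above, written as an added example (it is not part of any answer on this page). It evaluates objects shaped like `aws ec2 describe-route-tables` and `describe-security-groups` output; the function names, resource IDs and sample data are constructed for illustration.

```javascript
// Added example, not from the original answers. Input objects follow the shape of
// `aws ec2 describe-route-tables` / `describe-security-groups` output; all IDs are constructed.
const SMTP_PORT = 465; // port used by the nodemailer transport in the answer above

// Route table governing a subnet: its explicit association, else the VPC's main table.
function routeTableFor(subnetId, routeTables) {
  return routeTables.find(rt => rt.Associations.some(a => a.SubnetId === subnetId)) ||
         routeTables.find(rt => rt.Associations.some(a => a.Main));
}

// Classify the active default route: "nat", "igw", "other" or "none".
function defaultRoute(subnetId, routeTables) {
  const rt = routeTableFor(subnetId, routeTables);
  const r = rt && rt.Routes.find(x => x.DestinationCidrBlock === "0.0.0.0/0" && x.State === "active");
  if (!r) return "none";
  if (r.NatGatewayId) return "nat";
  return (r.GatewayId || "").startsWith("igw-") ? "igw" : "other";
}

// Destinations (CIDRs or security group IDs) the group may reach on the given TCP port.
function egressDestinations(port, sg) {
  return sg.IpPermissionsEgress
    .filter(p => p.IpProtocol === "-1" || (p.IpProtocol === "tcp" && p.FromPort <= port && port <= p.ToPort))
    .flatMap(p => [...(p.IpRanges || []).map(r => r.CidrIp), ...(p.UserIdGroupPairs || []).map(g => g.GroupId)]);
}

// Combine both checks for one Lambda subnet and security group.
function diagnose(subnetId, routeTables, sg) {
  const route = defaultRoute(subnetId, routeTables);
  const egress = egressDestinations(SMTP_PORT, sg);
  const findings = [];
  if (route === "none") findings.push("no default route: public SES endpoint unreachable without NAT or a VPC endpoint");
  if (route === "igw") findings.push("default route is an internet gateway: Lambda ENIs have no public IP, so egress still fails");
  if (egress.length === 0) findings.push(`security group has no egress rule covering tcp/${SMTP_PORT}`);
  return { route, egress, findings, ok: findings.length === 0 };
}

// Constructed sample data.
const local = { DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local", State: "active" };
const ROUTE_TABLES = [
  { Associations: [{ Main: true }], Routes: [local, { DestinationCidrBlock: "0.0.0.0/0", GatewayId: "igw-0example", State: "active" }] },
  { Associations: [{ Main: false, SubnetId: "subnet-private" }], Routes: [local, { DestinationCidrBlock: "0.0.0.0/0", NatGatewayId: "nat-0example", State: "active" }] },
  { Associations: [{ Main: false, SubnetId: "subnet-isolated" }], Routes: [local] },
];
const SG_HTTPS_ONLY = { IpPermissionsEgress: [{ IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: "0.0.0.0/0" }] }] };
const SG_ALLOW_ALL = { IpPermissionsEgress: [{ IpProtocol: "-1", IpRanges: [{ CidrIp: "0.0.0.0/0" }] }] };

console.log(diagnose("subnet-private", ROUTE_TABLES, SG_ALLOW_ALL));
console.log(diagnose("subnet-isolated", ROUTE_TABLES, SG_HTTPS_ONLY));
```

A subnet with no explicit association falls back to the main route table, which is why a Lambda placed in an unlisted subnet here is reported as `igw` rather than `nat`.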
