Reputation: 7889
Working with AWS-CDK. I had to move my Lambda that writes to SQS inside a VPC. I added the Interface Gateway to allow for a direct connection from the VPC to SQS with:
    // CDK v1 module path (assumed from the identifiers used below)
    import { InterfaceVpcEndpointAwsService, SubnetType } from '@aws-cdk/aws-ec2';

    // Interface endpoint so traffic to SQS stays inside the VPC
    props.vpc.addInterfaceEndpoint('sqs-gateway', {
      service: InterfaceVpcEndpointAwsService.SQS,
      subnets: {
        subnetType: SubnetType.PRIVATE,
      },
    })
The Lambda is deployed to that same VPC (to the same private subnet by default) and I pass the QUEUE_URL as an env parameter, as I did without the VPC:
    import * as lambda from '@aws-cdk/aws-lambda';

    const ingestLambda = new lambda.Function(this, 'TTPIngestFunction', {
      ...
      environment: {
        QUEUE_URL: queue.queueUrl,   // resolved at deploy time
      },
      vpc: props.vpc,                // ENIs go into the VPC's private subnets
    })
And the Lambda code sends messages simply with:
    import * as AWS from 'aws-sdk';

    const sqs = new AWS.SQS({ region: process.env.AWS_REGION })
    // Batch send to the queue named in the environment
    return sqs
      .sendMessageBatch({
        QueueUrl: process.env.QUEUE_URL as string,
        Entries: entries,
      })
      .promise()
Without the VPC this sending works, but now the Lambda just times out when sending the SQS messages. What am I missing here?
Upvotes: 5
Views: 2896
Reputation: 7417
By default, interface VPC endpoints create a new security group and traffic is not automatically allowed from the VPC CIDR.
You can do as follows if you want to allow traffic from your Lambda:
    import { InterfaceVpcEndpointAwsService } from '@aws-cdk/aws-ec2';

    // Keep a handle on the endpoint: it owns its own security group
    const sqsEndpoint = props.vpc.addInterfaceEndpoint('sqs-gateway', {
      service: InterfaceVpcEndpointAwsService.SQS,
    });
    // Ingress rule on the endpoint's security group from the Lambda's
    // security group on the service port (443 for SQS)
    sqsEndpoint.connections.allowDefaultPortFrom(ingestLambda);
Alternatively, you can allow all traffic:
    // Ingress on the service port from 0.0.0.0/0
    sqsEndpoint.connections.allowDefaultPortFromAnyIpv4();
This default behavior is currently under discussion in https://github.com/aws/aws-cdk/pull/4938.
Upvotes: 4
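The symptom in the question is the tell: a security group that does not admit the Lambda's ENI silently drops the TCP handshake to the endpoint, so the SDK hangs until the function times out, whereas a missing IAM permission fails fast with an error. The following is an added example, not code from the question, the answer or the CDK project. It evaluates inbound rules in the shape returned by `aws ec2 describe-security-groups` to decide whether a given source (security group plus private address) may open tcp/443 to the endpoint's security group, so the "before" and "after" states of the fix above can be checked offline. All group IDs, addresses and CIDRs are constructed for the example.

```typescript
// Added example (not code from the question or answer): an offline check of
// whether a Lambda ENI is allowed to open TCP/443 to an interface endpoint.
// Input is shaped like `aws ec2 describe-security-groups` JSON; the group
// IDs, CIDRs and addresses below are constructed for the example.

interface IpPermission {
  IpProtocol: string;                       // "tcp", "udp", "icmp" or "-1" (all)
  FromPort?: number;                        // absent when IpProtocol is "-1"
  ToPort?: number;
  IpRanges?: { CidrIp: string }[];          // CIDR sources
  UserIdGroupPairs?: { GroupId: string }[]; // security-group sources
}

interface SecurityGroup {
  GroupId: string;
  IpPermissions: IpPermission[];            // inbound rules only
}

// The Lambda's ENI: its security group and its private address in the subnet
interface Source {
  groupId: string;
  ip: string;
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  // Fold octets into an unsigned 32-bit value
  return parts.reduce((acc, octet) => ((acc << 8) | octet) >>> 0, 0);
}

function cidrContains(cidr: string, ip: string): boolean {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr ? Number(bitsStr) : 32;
  if (!(bits >= 0 && bits <= 32)) throw new Error(`bad prefix length: ${cidr}`);
  if (bits === 0) return true;                       // 0.0.0.0/0 matches everything
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(base) & mask) >>> 0) === ((ipv4ToInt(ip) & mask) >>> 0);
}

// One inbound rule admits the source only if protocol, port range and source all match
function permissionMatches(p: IpPermission, src: Source, port: number): boolean {
  if (p.IpProtocol !== '-1') {
    if (p.IpProtocol !== 'tcp') return false;
    if (p.FromPort === undefined || p.ToPort === undefined) return false;
    if (port < p.FromPort || port > p.ToPort) return false;
  }
  const bySg = (p.UserIdGroupPairs ?? []).some(g => g.GroupId === src.groupId);
  const byCidr = (p.IpRanges ?? []).some(r => cidrContains(r.CidrIp, src.ip));
  return bySg || byCidr;
}

// Security groups are default-deny: any one matching inbound rule allows the flow
function endpointReachable(endpointSg: SecurityGroup, src: Source, port = 443): boolean {
  return endpointSg.IpPermissions.some(p => permissionMatches(p, src, port));
}

// A dropped handshake is silent, so the SDK retries until the function times
// out; an IAM problem would instead fail fast with an AccessDenied error.
function diagnose(endpointSg: SecurityGroup, src: Source): string {
  return endpointReachable(endpointSg, src)
    ? `${src.groupId} can reach ${endpointSg.GroupId} on tcp/443; a hang is not a security-group problem`
    : `${endpointSg.GroupId} admits nothing from ${src.groupId} (${src.ip}) on tcp/443: SYNs are dropped and sendMessageBatch hangs until the Lambda timeout`;
}

// Constructed sample data (hypothetical IDs)
const LAMBDA: Source = { groupId: 'sg-lambda0001', ip: '10.0.5.7' };

// Endpoint security group with no ingress rule added
const ENDPOINT_SG_DEFAULT: SecurityGroup = { GroupId: 'sg-endpoint0001', IpPermissions: [] };

// After connections.allowDefaultPortFrom(ingestLambda): tcp/443 from the Lambda's group
const ENDPOINT_SG_FIXED: SecurityGroup = {
  GroupId: 'sg-endpoint0001',
  IpPermissions: [{ IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
                    UserIdGroupPairs: [{ GroupId: 'sg-lambda0001' }] }],
};

// After connections.allowDefaultPortFromAnyIpv4(): tcp/443 from 0.0.0.0/0
const ENDPOINT_SG_ANY_IPV4: SecurityGroup = {
  GroupId: 'sg-endpoint0001',
  IpPermissions: [{ IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
                    IpRanges: [{ CidrIp: '0.0.0.0/0' }] }],
};

console.log(diagnose(ENDPOINT_SG_DEFAULT, LAMBDA));
console.log(diagnose(ENDPOINT_SG_FIXED, LAMBDA));
```

To run it against a real account, paste the `SecurityGroups[0]` object from `aws ec2 describe-security-groups --group-ids <endpoint-sg>` in place of the constructed group, and the Lambda's security group ID and ENI address (from `describe-network-interfaces`) in place of `LAMBDA`. The evaluator is deliberately narrow: it checks one security group's inbound side for IPv4 and ignores prefix lists, IPv6 ranges and NACLs, which are the next things to look at if the rule is present and the call still hangs.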