Reputation: 6449
I'm not really sure where to start here because I'm not very experienced on this topic. I have a Lambda API and some resources on an EC2 instance. I want to protect these resources on EC2 in a way that they are only accessed by the Lambda.
For that to happen I added the Lambda to the VPC (I added a role to the Lambda so that it could access the VPC), added the Lambda to the security group and set the VPC subnet addresses on the Lambda as well.
I have 2 problems now:
1- How do I open this port on the EC2? I ask because when I set the inbound rule, this port becomes open to the external world. Is that open by default, all ports?
2- What address should I use to connect to the EC2 from my Lambda? Currently I'm using the public address (the DNS name that ends in amazonaws.com), but that's certainly wrong, first because the Lambda loses its internet connection when we add it to a VPC, and because I did not add this port to the inbound rules.
Could someone lend a hand?
Upvotes: 2
Views: 1527
Reputation: 200998
Best practice would be to assign your Lambda function to a different security group than the EC2 instance. No inbound rules needed in the Lambda function's security group.
In the EC2 instance's security group you would open the port, with the source set to the Lambda function's security group ID. This means that only resources that belong to the Lambda function's security group can access the EC2 instance on the specified port.
Finally, in your Lambda function, access the EC2 instance using its private IP or private DNS name.
Upvotes: 7
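The setup described in this answer, written out as Terraform so the security-group references are explicit (an added example, not code from the question or the answer). It assumes a VPC and private subnets passed in as variables, an existing Lambda execution role with the VPC (ENI) permissions, a deployment package `lambda.zip`, and that the EC2 service listens on TCP 8080; all of these are placeholders.

```hcl
# Assumed inputs (not from the original post): VPC, private subnets, AMI,
# and a Lambda role that already allows creating ENIs in the VPC.
variable "vpc_id" {}
variable "private_subnet_ids" { type = list(string) }
variable "ami_id" {}
variable "lambda_role_arn" {}

# Lambda's own security group: no ingress at all. Terraform strips the
# default allow-all egress, so the only egress is added below, scoped to
# the EC2 group on the app port (least privilege; widen only if needed).
resource "aws_security_group" "lambda" {
  name   = "lambda-caller"
  vpc_id = var.vpc_id
}

# EC2 security group: the port is opened to the Lambda SG as the source,
# not to a CIDR, so nothing outside that SG can reach it. Rules are
# stateful, so replies to the Lambda need no extra egress rule here.
resource "aws_security_group" "ec2" {
  name   = "ec2-app"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "ec2_in_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.ec2.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda.id
}

resource "aws_security_group_rule" "lambda_out_to_ec2" {
  type                     = "egress"
  security_group_id        = aws_security_group.lambda.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ec2.id
}

resource "aws_instance" "app" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.private_subnet_ids[0]
  vpc_security_group_ids = [aws_security_group.ec2.id]
}

resource "aws_lambda_function" "api" {
  function_name = "api"
  role          = var.lambda_role_arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip"
  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda.id]
  }
  # Private DNS name, not the public one: traffic never leaves the VPC.
  environment {
    variables = { EC2_HOST = aws_instance.app.private_dns }
  }
}
```

The function code then reads `EC2_HOST` and connects to port 8080 on it; anything that is not a member of the `lambda-caller` group gets no route to that port.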