Joey Yi Zhao

Reputation: 42556

Why can my Lambda inside a VPC be accessed by a Lambda from outside the VPC?

I have created a VPC in AWS. It is a private network and no one from the internet has access to this VPC. Then I put my Lambda inside this VPC. After that, I found I can invoke my Lambda from another Lambda outside the VPC. And I can also invoke the Lambda from my local laptop.

Is this intended?

Upvotes: 4

Views: 1586

Answers (2)

Marcin

Reputation: 238497

Yes, because you invoke the Lambda by connecting to the AWS public endpoint for AWS Lambda. Thus, as long as your laptop and the function outside of the VPC have an internet connection and permissions to invoke your function in the VPC, you will be able to invoke it.

"Placing" a Lambda function into a VPC does not make it "private". Instead, it allows your function to access private resources in the VPC, such as a database in RDS.

Upvotes: 3

John Rotenstein

Reputation: 269826

Lambda functions are not placed "into" a VPC. Rather, they connect to a VPC via an Elastic Network Interface (ENI).

The AWS Lambda service itself runs outside of the VPC (in containers on AWS servers). To invoke an AWS Lambda function, you send an API request to the AWS Lambda service, and the endpoint for that API is on the public Internet. However, when the Lambda function runs, it is connected to the VPC and is not connected to the Internet.

It is similar to Amazon EC2 - you can request an EC2 instance from the Amazon EC2 Service that is accessible on the Internet, but the EC2 instance itself only communicates with a VPC.

Upvotes: 11
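Both answers come down to the same point: who may invoke the function is decided by permissions on the public Lambda API, not by the VPC attachment. The following is an added example, not code from either answer or from AWS. It reads a function's resource-based policy and lists the invoke grants, flagging any that are open to every principal. The sample configuration and policy are constructed, shaped like the `GetFunctionConfiguration` and `GetPolicy` responses, and identity-based policies on callers in the same account are out of its scope.

```python
import json

# Constructed sample data shaped like the Lambda GetFunctionConfiguration and
# GetPolicy responses; every id, account number and ARN is a placeholder.
FUNCTION_CONFIG = {"FunctionName": "example-fn", "VpcConfig": {
    "VpcId": "vpc-EXAMPLE", "SubnetIds": ["subnet-EXAMPLE"], "SecurityGroupIds": ["sg-EXAMPLE"]}}
RESOURCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "open", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": "*"},
    {"Sid": "s3-scoped", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": "*",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}},
    {"Sid": "other-account", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": ["lambda:GetFunction", "lambda:InvokeFunction"], "Resource": "*"},
]})

# Exact action names only; patterns such as "lambda:Invoke*" are not expanded here.
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def invoke_grants(policy_json):
    """Return (sid, principals, has_condition) per Allow statement granting invoke."""
    grants = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & INVOKE_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        values = [principal] if isinstance(principal, str) else principal.values()
        names = [p for v in values for p in _as_list(v)]
        grants.append((stmt.get("Sid", ""), names, "Condition" in stmt))
    return grants

def audit(config, policy_json):
    """Summarise who the resource policy lets invoke; VpcConfig is context only."""
    grants = invoke_grants(policy_json)
    return {
        "vpc_attached": bool(config.get("VpcConfig", {}).get("VpcId")),
        "invoke_grants": grants,
        # Any principal, with no Condition narrowing the grant.
        "open_to_any_principal": [s for s, names, cond in grants if "*" in names and not cond],
    }

if __name__ == "__main__":
    print(json.dumps(audit(FUNCTION_CONFIG, RESOURCE_POLICY), indent=2))
```

Removing `VpcConfig` from the sample leaves the list of grants unchanged, which is the behaviour the question ran into.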
