How does Lambda within subnet access VPC endpoint?

Question

I have a lambda function within a VPC that rotates rds password. When I test lambda function with secret manager vpc endpoint as following:

• Case 1. Lambda in public subnet - VPC endpoint attach with public subnet => Rotation is OK
• Case 2. Lambda in private subnet - VPC endpoint attach with public subnet => Rotation is OK although cloudwatch has one error.
• Case 3. Lambda in public subnet - VPC endpoint attach with private subnet => Rotation is failed because timeout of lambda function
• Case 4. Lambda in private subnet - VPC endpoint attach with private subnet => Rotation is OK

I know I should not put the lambda function into public subnet but I want to know how lambda function within subnet works with vpc endpoint.

Can anyone explains why Case 2 is OK although lambda and vpc endpoint are in different subnets.

Answer 1

why Case 2 is OK

VPC interface endpoints have vpc scope, not subnet scope. This explains why cases 2,1 and 4 work. Because of that, case 3 should also work. Thus, the question is why case 3 did not work?

Possible reasons are that in your tests you made some configuration mistake (wrong security group, for example), or put lambda in a wrong VPC, did not enable Private DNS for the endpoint. Thus I would recommend double checking all the configurations for Case 3 and re-run the experiment.