elliot.alderson

Reputation: 97

Confusion of AWS Lambda inside VPC vs outside VPC

I have some EC2 servers running in a private subnet of my VPC. I had to do some operational tasks on these EC2 servers, e.g. add a particular tag to these EC2 servers, or attach an IAM instance profile to the servers.

For this I wrote a lambda to do this task and ran it. It was successful. I am just curious how my lambda (which is not in my VPC) is able to view resources inside the private subnet of my VPC and do the task.

I read in the docs that to connect to resources in our private subnet we need to connect the lambda to our VPC. But in this case I am able to do operations on my private EC2 with the lambda without connecting it to my VPC.

I am confused.

Upvotes: 0

Views: 1646

Answers (2)

Tamer Elfeky

Reputation: 138

VPC is a networking component and is only mandatory for Lambda if it needs to access the OS over SSH or RDP, or to interact with APIs/HTTP(S) endpoints on EC2.

In this case, your lambda function only deals with the AWS API using AWS STS (which generates a token after validating IAM permissions) to modify tags, and AWS APIs are publicly accessible; you just need the right IAM role or access key pair to interact with them.

Upvotes: 0

Mark B

Reputation: 200850

Things like updating tags and attaching IAM profiles are done through the AWS API. The AWS API isn't in your VPC network, it's on the public Internet. The Lambda function is able to do these things the same way you are able to do those things on your personal laptop without needing a VPN connection to your VPC.

The things that require a Lambda function to run in a VPC are things that require a direct network connection to be established with the servers running in the VPC, for example SSH connections to EC2 servers or database connections to RDS servers.

Upvotes: 3
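To make the control-plane point concrete, here is an added example (not code from the question or either answer) of a Lambda handler that performs the two operations asked about, tagging instances and attaching an instance profile, purely through the EC2 API and therefore without any VpcConfig. The `REQUIRED_ACTIONS` list, the `FakeEC2` stand-in and the instance ids and ARN in the test are assumptions constructed for the example.

```python
# Added example: the poster's two operations done through the EC2 control-plane
# API only, so the function needs no VpcConfig. The client is injected so the
# logic runs offline against a constructed fake; boto3 is only needed when deployed.
try:
    import boto3
except ImportError:  # not installed locally; the fake below does not need it
    boto3 = None

# Least-privilege actions for the execution role (assumed list, not from the
# thread). iam:PassRole is needed to attach a profile and should be scoped to
# the profile's role ARN rather than "*".
REQUIRED_ACTIONS = ("ec2:CreateTags", "ec2:AssociateIamInstanceProfile",
                    "iam:PassRole")


def tag_and_attach(ec2, instance_ids, tags, profile_arn):
    """Tag the instances, then associate the profile with each one.
    Returns {instance_id: association state}."""
    ec2.create_tags(Resources=list(instance_ids),
                    Tags=[{"Key": k, "Value": v} for k, v in tags.items()])
    states = {}
    for iid in instance_ids:
        resp = ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Arn": profile_arn}, InstanceId=iid)
        states[iid] = resp["IamInstanceProfileAssociation"]["State"]
    return states


def handler(event, context):
    """Lambda entry point: credentials come from the execution role, and the
    call goes to the public EC2 endpoint, not into the VPC."""
    ec2 = boto3.client("ec2")
    return tag_and_attach(ec2, event["instance_ids"], event.get("tags", {}),
                          event["profile_arn"])


class FakeEC2:
    """Constructed stand-in that records the control-plane calls it receives."""
    def __init__(self):
        self.calls = []

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}

    def associate_iam_instance_profile(self, **kw):
        self.calls.append(("associate_iam_instance_profile", kw))
        return {"IamInstanceProfileAssociation": {
            "InstanceId": kw["InstanceId"], "State": "associating"}}
```

Deployed, `handler` needs only the execution role permissions listed above; no subnet, security group or NAT is involved, which is exactly why the question's function worked.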
