How Lambda Accesses DynamoDB From Inside The VPC | Overview.

How Lambda Accesses DynamoDB From Inside The VPC - Overview.

Scope:

• Background Context,
• Step-by-Step on How Lambda Accesses DynamoDB (Lambda without VPC),
• Step-by-Step on How Lambda Accesses DynamoDB (Lambda inside the VPC),
• Option 1: Use a DynamoDB Gateway VPC Endpoint (Architecture),
• How DynamoDB Gateway VPC Endpoint works,
• Benefits of DynamoDB Gateway VPC Endpoint,
• Drawbacks (limitations) of NAT Gateway (Legacy or Mixed Setup),
• Option 2: Use a NAT Gateway (Legacy or Mixed Setup),
• Design of What Actually Happens Under the Hood (Components & Descriptions),
• Security Best Practices,
• Sample Policy that allows the dynamodb table to be accessed by Lamda,
• Architecture Summary (components, Types & Purposes),
• twtech key Takeaway.

Background Context

• By default, AWS Lambda runs outside the VPC, in an AWS-managed environment.
•  When twtech configures a Lambda to connect to twtech VPC, it gets Elastic Network Interfaces (ENIs) placed into twtech specified VPC subnets.
• Then, these ENIs give Lambda access to:
•  Private subnets (e.g., for databases, EC2, RDS, internal APIs)
•  Any service reachable via VPC networking (including VPC Endpoints)

NB:

• When a Lambda is in a VPC, it loses its default internet access unless twtech explicitly give it the access to internet (via a NAT Gateway, or an endpoint).

 Step-by-Step on How Lambda Accesses DynamoDB (Lambda outside VPC)

1. Lambda outside VPC

If twtech Lambda is NOT connect to a VPC:

• It runs in AWS’s managed network.
• DynamoDB (a public AWS service) is accessible directly via the AWS public network backbone.
• No configuration needed.
• Fast and simple.

NB:

• Recommended when twtech Lambda doesn’t need to access private subnets.

2. Step-by-Step on How Lambda Accesses DynamoDB (Lambda inside a VPC)

• When twtech attaches its Lambda to a VPC, it runs inside its subnets — and loses direct access to public endpoints, including dynamodb.amazonaws.com.
• So, by default, DynamoDB requests will fail unless twtech provides a private route.

NB:

• twtech have 2 main options to restore that access privately and securely:

 Option 1: Use a DynamoDB Gateway VPC Endpoint (Architecture)

 How DynamoDB Gateway VPC Endpoint works

•  Create a Gateway VPC Endpoint for DynamoDB.
•  Update twech private subnet route table with a route:

Destination: dynamodb.us-east-2.amazonaws.com

Target: vpce-<gateway-id>

• Lambda’s ENIs use that route to reach DynamoDB privately — no NAT Gateway or Internet Gateway required.
• All traffic stays on the AWS internal network.

Benefits of DynamoDB Gateway VPC Endpoint

• Private: No public internet involved.
• Free: No per-hour or per-GB endpoint costs.
• High throughput: No ENI bandwidth bottlenecks.
• Simpler: No NAT Gateway setup or IP management.
• Secure: Can restrict DynamoDB table access to “only via this VPC endpoint” using IAM and endpoint policies.

 Considerations

• Gateway Endpoints only support S3 and DynamoDB.
•  Must be in same region as the service.

NB:

•  This is the BEST PRACTICE for Lambda in a VPC accessing DynamoDB.

 Option 2: Use a NAT Gateway (Legacy or Mixed Setup)

If twtech doesn’t use a Gateway Endpoint, it can:

•  Place a NAT Gateway in a public subnet.
•  Route outbound traffic from your Lambda’s private subnet through the NAT Gateway.
•  The NAT Gateway provides access to DynamoDB’s public endpoint (dynamodb.amazonaws.com).

Drawbacks (limitations) of NAT Gateway (Legacy or Mixed Setup)

• Extra cost (NAT Gateway hourly + data transfer).
• Extra latency (outbound to NAT → public AWS endpoint).
• Less secure (public endpoint access).
• No need unless twtech must reach public APIs beyond DynamoDB.

NB:

• Use only if you can’t deploy a Gateway Endpoint (e.g., compliance restrictions, custom network control).

 Design of What Actually Happens Under the Hood (Components & Descriptions)

Component	Description
Lambda ENI	Created in each subnet when the Lambda cold-starts; connects Lambda runtime to your VPC.
ENI IP Address	Used for outbound connections. Private subnet + route table determines path.
Route Table	Controls whether traffic to dynamodb.amazonaws.com goes to the Gateway Endpoint or to a NAT Gateway.
IAM Role (Lambda Execution Role)	Must have dynamodb:* permissions for access.
VPC Endpoint Policy	Can restrict which DynamoDB actions or tables can be used via this endpoint.
AWS Backbone Routing	Ensures data never leaves AWS infrastructure.

 Security Best Practices

     1. Always use Gateway VPC Endpoint for DynamoDB access from private subnets.
2. Add VPC Endpoint Policy to restrict table or action-level access.
3. Use Lambda IAM Roles with least-privilege permissions.
4. Enable CloudWatch VPC Flow Logs to monitor endpoint access.
5. Enable DynamoDB Encryption and consider AWS KMS for compliance.

 

# Sample Policy that allows the dynamodb table to be accessed by Lamda

# json

{

  "Statement": [

    {

      "Principal": "*",

      "Effect": "Allow",

           "Action": "dynamodb:*",

      "Resource": "arn:aws:dynamodb:us-east-2:accountID:table/twtechTable"

    }

  ]

}

 Architecture Summary (components, Types & Purposes)

Component	Type	Purpose
Lambda Function	Private subnet (no Internet access)	Executes logic
Route Table	Entry for DynamoDB endpoint	Routes private requests
Gateway VPC Endpoint	For DynamoDB	Enables private access
DynamoDB Table	Regional AWS service	Stores data
IAM Role + Policy	Scoped permissions	Secures access

twtech key Takeaway

•  Use a DynamoDB Gateway Endpoint For a Lambda function inside a VPC that needs to access DynamoDB.

This approach ensures:

•   Private connectivity has no public internet access.
•   There is Zero cost for endpoint usage,
•   There is High performance & scalability.
•   There is Simplified management.