AWS Lambda Function Cannot Read Messages from SQS Queue in VPC

Question

You are writing a Lambda function that fetches messages from an SQS queue, processes the messages and writes the results to a database.

The SQS queue and the Lambda function are deployed in the same AWS region.

However, when the Lambda function is configured in a VPC, it cannot read messages from the queue.

There is no such problem when the Lambda function is not attached to a VPC.

How would you quickly resolve the issue?

Answers

A. Configure the SQS queue in the same VPC subnet.

B. Modify the SQS security group to allow incoming traffic from the Lambda function.

C. Create a VPC endpoint for Amazon SQS and modify the Lambda function to use the endpoint.

D. Configure a Direct Connect link between the Lambda function and the SQS queue.

Explanations

Correct Answer - C.

Option A is incorrect: Amazon SQS is a regional managed service. A queue is not deployed into a VPC subnet, so there is nothing to move.

Option B is incorrect: SQS queues do not have security groups. Security groups attach to network interfaces in a VPC (the Lambda function's own interfaces, or those of an interface VPC endpoint), never to the queue itself.

Option C is CORRECT: With an interface VPC endpoint for Amazon SQS, the Lambda function reaches the queue from inside the VPC over the AWS network; the connection never traverses the public internet and needs no NAT gateway or internet gateway.

Option D is incorrect: AWS Direct Connect links an on-premises network to AWS. There is no such link between a Lambda function and an SQS queue.

The VPC endpoint should be used in this case.

Reference:

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html

When a Lambda function is attached to a VPC, its network interfaces are created in the VPC's subnets and receive no public IP address, so it is bound to the VPC's routing. Without a NAT gateway or a VPC endpoint it cannot reach the public regional endpoint of a service outside the VPC, such as the SQS queue in this case. Note that this affects only calls the function's own code makes; an SQS event source mapping is polled by the Lambda service itself and is unaffected by the function's VPC configuration. Here is how the options compare for quickly resolving the issue:

A. Configure the SQS queue in the same VPC subnet. This is not possible. Amazon SQS is a regional service that is not deployed into subnets, so the queue cannot be placed "inside" the VPC alongside the function.

B. Modify the SQS security group to allow incoming traffic from the Lambda function. There is no SQS security group to modify. Security groups apply to network interfaces in a VPC, which the queue does not have. The related step that does matter is the reverse direction once an endpoint exists: the endpoint's security group must allow inbound TCP 443 from the Lambda function's security group, and the function's security group must allow outbound TCP 443.

C. Create the VPC endpoint for Amazon SQS and modify the Lambda function to use the endpoint. An interface VPC endpoint (AWS PrivateLink) for Amazon SQS places network interfaces with private IP addresses in the VPC's subnets. With private DNS enabled on the endpoint, the regional hostname sqs.<region>.amazonaws.com resolves to those private addresses from inside the VPC, so the function's existing SDK calls work without a NAT gateway and the traffic stays on the AWS network. If private DNS is disabled, the SDK client must be pointed at the endpoint-specific DNS name instead. The function's execution role still needs the SQS permissions (sqs:ReceiveMessage, sqs:DeleteMessage, and so on), and an endpoint policy can additionally restrict which queues and principals may use the endpoint. A NAT gateway would also restore access, but it sends the traffic to the public SQS endpoint and is the slower, costlier change.

D. Configure a direct connect link between the Lambda function and the SQS queue. AWS Direct Connect provides a dedicated link between an on-premises network and AWS. It is not a mechanism for connecting a Lambda function to an SQS queue, and it would be neither quick nor relevant here.

Therefore, the option that quickly resolves the issue is C: create an interface VPC endpoint for Amazon SQS in the function's VPC and, if private DNS is not enabled, point the function's SQS client at the endpoint. Options A and B describe configurations that do not exist for SQS, and D addresses a different problem.
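The endpoint-based fix from option C, as an added example that is not code from the original page or from AWS. Part 1 (boto3 against the EC2 API, not run offline) creates the interface endpoint with private DNS, a least-privilege endpoint policy, and the security-group rule that lets the function reach it; part 2 is the consumer loop the function runs, exercised against a constructed in-memory stand-in for the SQS client so the file runs without AWS credentials. Region, VPC, subnet, security-group, role and queue identifiers are hypothetical placeholders.

```python
"""Added example: give a VPC-attached Lambda private access to Amazon SQS through
an interface VPC endpoint, then consume the queue from inside the function.
All AWS identifiers below are hypothetical placeholders."""
import json


def build_endpoint_policy(queue_arn, role_arn):
    """Endpoint policy: traffic through this endpoint may only consume one queue,
    and only when the caller is the function's execution role (aws:PrincipalArn
    of an assumed-role session is the role ARN)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                       "sqs:GetQueueAttributes"],
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:PrincipalArn": role_arn}},
        }],
    }


def create_sqs_endpoint(ec2, vpc_id, region, subnet_ids, endpoint_sg_id,
                        lambda_sg_id, policy):
    """ec2 is a boto3 EC2 client. Opens HTTPS from the function's security group
    to the endpoint's, then creates the Interface endpoint with private DNS so
    sqs.<region>.amazonaws.com resolves to the endpoint's private IPs in the VPC.
    Returns the new endpoint id (vpce-...)."""
    ec2.authorize_security_group_ingress(
        GroupId=endpoint_sg_id,
        IpPermissions=[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "UserIdGroupPairs": [{"GroupId": lambda_sg_id}]}],
    )
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{region}.sqs",
        SubnetIds=subnet_ids,
        SecurityGroupIds=[endpoint_sg_id],
        PrivateDnsEnabled=True,
        PolicyDocument=json.dumps(policy),
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


def sqs_client(region, endpoint_url=None):
    """boto3 SQS client for the function. With private DNS on the endpoint,
    endpoint_url stays None; without it, pass the endpoint-specific name, e.g.
    https://vpce-0123456789abcdef0-abcdefgh.sqs.us-east-1.vpce.amazonaws.com."""
    import boto3  # imported lazily so this module also loads where boto3 is absent
    return boto3.client("sqs", region_name=region, endpoint_url=endpoint_url)


def drain_queue(sqs, queue_url, process, max_batches=10):
    """Receive up to 10 messages per call, run process(body) on each, and delete
    only the messages that were processed. A message whose processing raises is
    left undeleted so SQS makes it visible again after the visibility timeout
    (and moves it to the dead-letter queue after maxReceiveCount).
    Returns (processed, failed)."""
    processed = failed = 0
    for _ in range(max_batches):
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=5)
        messages = resp.get("Messages", [])
        if not messages:
            break
        done = []
        for msg in messages:
            try:
                process(json.loads(msg["Body"]))
                done.append({"Id": msg["MessageId"],
                             "ReceiptHandle": msg["ReceiptHandle"]})
            except Exception:  # malformed body or failed DB write: leave for retry
                failed += 1
        if done:
            sqs.delete_message_batch(QueueUrl=queue_url, Entries=done)
            processed += len(done)
    return processed, failed


class FakeSqs:
    """Constructed stand-in for the boto3 SQS client so drain_queue runs offline.
    It does not model the visibility timeout: undeleted messages are simply dropped."""
    def __init__(self, bodies):
        self.queue = [{"MessageId": f"m{i}", "ReceiptHandle": f"rh{i}", "Body": b}
                      for i, b in enumerate(bodies)]
        self.deleted = []

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0):
        batch = self.queue[:MaxNumberOfMessages]
        self.queue = self.queue[MaxNumberOfMessages:]
        return {"Messages": batch} if batch else {}

    def delete_message_batch(self, QueueUrl, Entries):
        self.deleted.extend(e["Id"] for e in Entries)
        return {"Successful": [{"Id": e["Id"]} for e in Entries], "Failed": []}


def demo():
    """Constructed sample: two valid order messages and one malformed body."""
    sqs = FakeSqs(['{"order": 1}', '{"order": 2}', "not json"])
    written = []  # stands in for the database write
    counts = drain_queue(sqs, "https://sqs.us-east-1.amazonaws.com/123456789012/orders",
                         written.append)
    return counts, sqs.deleted, written


if __name__ == "__main__":
    print(demo())
```

In the real function, the handler calls sqs_client(os.environ["AWS_REGION"]) and passes the database write as process. With private DNS enabled no endpoint_url is needed; if the endpoint was created without it, set endpoint_url to the endpoint-specific DNS name returned by describe-vpc-endpoints. The endpoint policy is evaluated in addition to the execution role's IAM policy and the queue's resource policy, so all three must allow the call.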