
Confusion of AWS Lambda inside VPC vs outside VPC

I have some EC2 servers running in a private subnet of my VPC. I had to do some operational tasks on these EC2 instances, for example adding a particular tag to these EC2 servers, or attaching an IAM instance profile to the servers.

For this I wrote a Lambda to do this task and ran it. It was successful. I am just curious how my Lambda (which is not in my VPC) is able to view resources inside the private subnet of my VPC and do the task.

I read in the docs that to connect to resources in our private subnet we need to connect the Lambda to our VPC. But in this case I am able to do operations on my private EC2 instances with the Lambda without connecting it to my VPC.

I am confused.

Things like updating tags and attaching IAM profiles are done through the AWS API. The AWS API isn't in your VPC network; it's on the public Internet. The Lambda function is able to do these things the same way you are able to do them from your personal laptop without needing a VPN connection to your VPC.

The things that require a Lambda function to run in a VPC are things that require a direct network connection to be established with the servers running in the VPC, for example SSH connections to EC2 servers or database connections to RDS servers.

A VPC is a networking component and is only mandatory for Lambda if it needs to access the OS over SSH or RDP, or to interact with APIs/HTTP(S) endpoints on EC2.

In this case, your Lambda function only deals with the AWS API, using AWS STS (which generates a token after validating IAM permissions) to modify tags, and AWS APIs are publicly accessible; you just need the right IAM role or access key pair to interact with them.

There are two different categories of accessing EC2 instances: accessing the instance via API calls vs. accessing the instance via a network connection to the locally installed OS. What you are describing above (tagging, DescribeInstances, etc.) are operations that invoke the AWS API to perform actions on the instances. These types of actions aren't explicitly tied to a VPC, as they are invoked via the public AWS management plane using credentials for your specific account. This is contrasted with a Lambda function that would, for instance, connect to a running service on an EC2 instance by binding to an open network port. This type of action on a private VPC would require that your Lambda was bound to that particular VPC, and the VPC would require Lambda endpoints to be created.
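To make the control-plane vs. network-plane distinction drawn in the answers above concrete, here is an added example (not code from the original question or any of the answers) of such an operational Lambda in Python with boto3. It calls ec2:CreateTags and ec2:AssociateIamInstanceProfile, which go to the public EC2 endpoint signed with the execution role's credentials, so the function needs no VpcConfig at all; what it does need is the IAM policy returned by execution_role_policy, including iam:PassRole on the role inside the instance profile, because associating a profile hands that role to the instance. The event shape, tag keys, instance IDs and ARNs are assumptions, and FakeEC2 is a constructed stand-in for the boto3 client so the logic can be exercised offline.

```python
"""Added example, not from the original post: an operational Lambda that
tags private-subnet EC2 instances and attaches an instance profile purely
through the EC2 control-plane API. No VpcConfig is involved; the calls are
authorized by IAM, not by network placement. The EC2 client is injected so
the logic runs offline against a fake. Event shape, tag keys and ARNs are
assumptions chosen for illustration."""


def _instances(ec2, instance_ids):
    """ec2:DescribeInstances returns reservations; flatten to instance dicts."""
    resp = ec2.describe_instances(InstanceIds=list(instance_ids))
    return [i for r in resp["Reservations"] for i in r["Instances"]]


def tag_and_attach_profile(ec2, instance_ids, tags, profile_arn):
    """Apply `tags` to every instance and attach `profile_arn` to those that
    have no instance profile yet. Returns a summary of what was done."""
    summary = {"tagged": [], "attached": [], "skipped": []}
    if not instance_ids:
        return summary
    ec2.create_tags(
        Resources=list(instance_ids),
        Tags=[{"Key": k, "Value": v} for k, v in tags.items()],
    )
    summary["tagged"] = list(instance_ids)
    for inst in _instances(ec2, instance_ids):
        iid = inst["InstanceId"]
        # An instance can hold only one profile; the API rejects a second
        # association, so skip instead of failing the whole run.
        if "IamInstanceProfile" in inst:
            summary["skipped"].append(iid)
            continue
        ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Arn": profile_arn}, InstanceId=iid
        )
        summary["attached"].append(iid)
    return summary


def execution_role_policy(profile_role_arn, region="*", account="*"):
    """Least-privilege policy for the Lambda's execution role. Nothing here
    is VPC-related: the calls travel to the public EC2 endpoint. iam:PassRole
    is needed because AssociateIamInstanceProfile gives the profile's role to
    the instance; scope it to that one role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": ["ec2:CreateTags", "ec2:AssociateIamInstanceProfile"],
                "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
            },
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": profile_role_arn},
        ],
    }


def handler(event, context, ec2=None):
    """Lambda entry point. Assumed event shape:
    {"instance_ids": [...], "tags": {...}, "profile_arn": "..."}."""
    if ec2 is None:
        import boto3  # real client: signs requests with the execution role's credentials
        ec2 = boto3.client("ec2")
    return tag_and_attach_profile(
        ec2, event["instance_ids"], event.get("tags", {}), event["profile_arn"]
    )


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: records every call and
    returns canned DescribeInstances output for two private-subnet instances,
    one of which already carries a profile."""

    def __init__(self):
        self.calls = []

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [
            {"InstanceId": "i-0aaa", "SubnetId": "subnet-private"},
            {"InstanceId": "i-0bbb", "SubnetId": "subnet-private",
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/existing"}},
        ]}]}

    def associate_iam_instance_profile(self, **kw):
        self.calls.append(("associate_iam_instance_profile", kw))
        return {}


if __name__ == "__main__":
    fake = FakeEC2()
    event = {"instance_ids": ["i-0aaa", "i-0bbb"], "tags": {"Owner": "ops"},
             "profile_arn": "arn:aws:iam::123456789012:instance-profile/ops"}
    print(handler(event, None, ec2=fake))
    print(execution_role_policy("arn:aws:iam::123456789012:role/ops"))
```

Note the converse case, which is the usual source of the confusion in the other direction: if you do attach this function to the VPC (to reach SSH, RDS or an HTTP service on the instances), these same API calls stop working until the function's subnets have a route to the Internet through a NAT gateway or an interface VPC endpoint for EC2, because a VPC-attached function has no public connectivity of its own.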
