Serverless vpc breaks Secrets Manager


#1

Working on that sample https://github.com/didierfranc/serverless-sample

To enable ElastiCache in Serverless I need to add a VPC to my serverless.yml (security group and subnets).
The problem is that when I add those lines to the serverless.yml, Secrets Manager doesn't work anymore.

Any idea?


#2

Can you show us the code you deployed, and what's the error you got?


#3

Secrets Manager uses a public endpoint and requires internet access. When you add your Lambda to a private subnet within a VPC (one not routing through an IGW), you will be unable to connect to the internet, and also to Secrets Manager.

The easy [though expensive] fix is to add a managed NAT Gateway instance, which will provide internet access to Lambdas in your private subnet and protect your Lambdas from incoming requests from outside the network.

The cheaper solution is to set up your own NAT Gateway using the preconfigured AWS NAT AMI; this can be installed on any size of EC2 instance you want.

Other solutions may involve not using private subnets and using network ACLs and security groups to protect access to / from your resources while maintaining internet access.

(I’m mostly guessing that this is the issue you were facing due to the limited information)
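The managed NAT Gateway fix described in the reply above, as an added serverless.yml fragment that is not code from the thread or from the sample repository. It assumes an existing VPC with one public subnet (already routed to an Internet Gateway) and one private subnet; the `vpc-`, `subnet-` and `sg-` values are placeholders you replace with your own IDs, and the Lambda security group must allow outbound HTTPS (443) so the function can reach the Secrets Manager endpoint.

```yaml
provider:
  name: aws
  # Lambdas stay in the PRIVATE subnet: they get no public IP, so nothing
  # outside the VPC can open a connection to them. Without a NAT route
  # they also cannot reach the public Secrets Manager endpoint.
  vpc:
    securityGroupIds:
      - sg-0123456789abcdef0        # placeholder: Lambda security group
    subnetIds:
      - subnet-0aaaaaaaaaaaaaaaa    # placeholder: private subnet

resources:
  Resources:
    # Elastic IP used as the NAT Gateway's source address on the internet
    NatEip:
      Type: AWS::EC2::EIP
      Properties:
        Domain: vpc

    # Managed NAT Gateway lives in the PUBLIC subnet (the one with the IGW route)
    NatGateway:
      Type: AWS::EC2::NatGateway
      Properties:
        AllocationId:
          Fn::GetAtt: [NatEip, AllocationId]
        SubnetId: subnet-0bbbbbbbbbbbbbbbb   # placeholder: public subnet

    # Dedicated route table for the private subnet
    PrivateRouteTable:
      Type: AWS::EC2::RouteTable
      Properties:
        VpcId: vpc-0ccccccccccccccccc         # placeholder: your VPC

    # Default route: private subnet -> NAT Gateway -> IGW -> internet.
    # Only outbound-initiated traffic flows; inbound from the internet is not routed.
    PrivateDefaultRoute:
      Type: AWS::EC2::Route
      Properties:
        RouteTableId:
          Ref: PrivateRouteTable
        DestinationCidrBlock: 0.0.0.0/0
        NatGatewayId:
          Ref: NatGateway

    # Attach the route table to the same private subnet the Lambdas use
    PrivateSubnetRouteAssoc:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId: subnet-0aaaaaaaaaaaaaaaa    # placeholder: private subnet
        RouteTableId:
          Ref: PrivateRouteTable
```

After `serverless deploy`, the function should resolve and reach `secretsmanager.<region>.amazonaws.com` through the NAT Gateway while remaining unreachable from outside the VPC.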