Exam SAA-C03 All Questions
Question 184

A company has an AWS account used for software engineering. The AWS account has access to the company’s on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic routes to the virtual private gateway.

A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company’s data center.

Which solution will meet these requirements?

    Correct Answer: A

    To allow an AWS Lambda function to reach a database in a private subnet of an on-premises data center connected via AWS Direct Connect, the function must be attached to the VPC that has that connectivity. A Lambda function created in the console without a VPC configuration has no path into your VPC or to anything routed through it; once you connect it to the VPC, Lambda creates elastic network interfaces (ENIs) in the private subnets you select, and the function's traffic is then governed by those subnets' route tables and by the security group(s) you attach to the ENIs. Because the question states that all non-VPC traffic already routes to the virtual private gateway, the route to the data center is in place and no route-table change is needed; what remains is to pick the private subnets and a security group whose egress rules permit traffic to the database's address and port. The remaining options either add unnecessary components (a VPN alongside an existing Direct Connect link, an Elastic IP) or do nothing to attach the function to the VPC, so they do not give the function a path to the on-premises database.
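The points above (the function must be attached to the VPC, the subnets' route tables must send the on-premises range to the virtual private gateway, and the security group must allow egress to the database) can be checked before touching the function. The following is an added example, not code from the exam page or from AWS: a pre-flight check over a hand-constructed snapshot of a VPC, plus a builder for the `aws lambda update-function-configuration --vpc-config ...` call that applies the same change the console's "Edit VPC" dialog makes. All resource IDs, CIDRs, the database address and the port are assumptions; in a real account the same fields would come from `ec2:DescribeRouteTables` and `ec2:DescribeSecurityGroups`.

```python
"""Pre-flight check for connecting a Lambda function to a VPC so it can reach
an on-premises database over Direct Connect.

Added example, not from the exam page or AWS. The VPC snapshot below is
constructed by hand; IDs, CIDRs, the DB address and the port are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# --- constructed sample VPC snapshot (not real resource IDs) --------------
ON_PREM_DB_IP = "10.200.15.42"   # assumed on-premises database address
DB_PORT = 5432                   # assumed database port (PostgreSQL)

ROUTE_TABLES: Dict[str, dict] = {
    # private subnets: local route plus the on-prem range via the VGW
    # (this is the "all non-VPC traffic routes to the VGW" state in the question)
    "rtb-private": {
        "subnets": ["subnet-priv-a", "subnet-priv-b"],
        "routes": [
            {"dest": "10.50.0.0/16", "target": "local"},
            {"dest": "10.200.0.0/16", "target": "vgw-0abc123"},
        ],
    },
    # public subnet: default route to an internet gateway, no on-prem route
    "rtb-public": {
        "subnets": ["subnet-pub-a"],
        "routes": [
            {"dest": "10.50.0.0/16", "target": "local"},
            {"dest": "0.0.0.0/0", "target": "igw-0def456"},
        ],
    },
}

SECURITY_GROUPS: Dict[str, dict] = {
    # least-privilege egress: only the DB port, only to the on-prem range
    "sg-lambda-db": {"egress": [
        {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.200.0.0/16"}]},
    # the permissive "allow all egress" group the console offers by default
    "sg-default": {"egress": [
        {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
}


def route_table_for(subnet_id: str) -> Tuple[str, dict]:
    """Find the route table associated with a subnet."""
    for rtb_id, rtb in ROUTE_TABLES.items():
        if subnet_id in rtb["subnets"]:
            return rtb_id, rtb
    raise KeyError(f"no route table for {subnet_id}")


def most_specific_route(rtb: dict, dst_ip: str) -> Optional[str]:
    """Longest-prefix match, which is how the VPC router selects a route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in rtb["routes"]:
        net = ipaddress.ip_network(r["dest"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r["target"])
    return best[1] if best else None


def sg_allows_egress(sg: dict, dst_ip: str, port: int, proto: str = "tcp") -> bool:
    """True if any egress rule covers the protocol, port and destination."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in sg["egress"]:
        if rule["proto"] not in (proto, "-1"):
            continue
        if not rule["from"] <= port <= rule["to"]:
            continue
        if ip in ipaddress.ip_network(rule["cidr"]):
            return True
    return False


def check_vpc_config(subnet_ids: List[str], sg_ids: List[str],
                     db_ip: str = ON_PREM_DB_IP, port: int = DB_PORT) -> List[str]:
    """Return the problems found; an empty list means the ENIs should reach the DB."""
    problems = []
    for s in subnet_ids:
        rtb_id, rtb = route_table_for(s)
        target = most_specific_route(rtb, db_ip) or "none"
        if not target.startswith("vgw-"):
            problems.append(f"{s}: {rtb_id} sends {db_ip} to {target}, "
                            "not the virtual private gateway")
    if not any(sg_allows_egress(SECURITY_GROUPS[g], db_ip, port) for g in sg_ids):
        problems.append(f"no security group allows tcp/{port} egress to {db_ip}")
    return problems


def overly_permissive(sg_ids: List[str]) -> List[str]:
    """Flag groups whose egress is open to 0.0.0.0/0 (wider than the DB needs)."""
    return [g for g in sg_ids
            if any(r["cidr"] == "0.0.0.0/0" for r in SECURITY_GROUPS[g]["egress"])]


def update_function_cli(function_name: str, subnet_ids: List[str],
                        sg_ids: List[str]) -> List[str]:
    """Build the AWS CLI call that attaches the function to the VPC."""
    return ["aws", "lambda", "update-function-configuration",
            "--function-name", function_name, "--vpc-config",
            f"SubnetIds={','.join(subnet_ids)},SecurityGroupIds={','.join(sg_ids)}"]


if __name__ == "__main__":
    good = check_vpc_config(["subnet-priv-a", "subnet-priv-b"], ["sg-lambda-db"])
    print("private subnets + DB-only SG:", good or "OK")
    print("public subnet:", check_vpc_config(["subnet-pub-a"], ["sg-lambda-db"]))
    print("permissive SGs:", overly_permissive(["sg-default", "sg-lambda-db"]))
    print(" ".join(update_function_cli("orders-fn",
                                       ["subnet-priv-a", "subnet-priv-b"],
                                       ["sg-lambda-db"])))
```

Two things the check cannot see from the AWS side: the function's execution role needs permission to create and delete ENIs (the `AWSLambdaVPCAccessExecutionRole` managed policy covers this), and the on-premises firewall in front of the database must accept connections from the private subnets' CIDR, since the Lambda ENIs take addresses from those subnets. The public-subnet case is included because attaching the function to a public subnet neither gives it internet access nor, in this snapshot, a route to the data center.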

Discussion
Gil80 (Option: A)

To configure a VPC for an existing function: 1. Open the Functions page of the Lambda console. 2. Choose a function. 3. Choose Configuration and then choose VPC. 4. Under VPC, choose Edit. 5. Choose a VPC, subnets, and security groups. <-- **That's why I believe the answer is A**. Note: If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.

markw92

The question says on-prem database... how do we create a SG for that instance in AWS? C makes sense. My 2 cents.

AZ_Master

A is correct. To configure a SG for Lambda, go to Lambda function -> Configure -> Edit VPC and scroll down to see "security groups", where you can configure Lambda for the VPC. Also see here: https://repost.aws/questions/QUSaj1a6jBQ92Kp56klbZFNw/aws-lambda-to-on-premise-via-direct-connect-and-aws-privatelink

SSadiq

The SG is for Lambda and not for the on-prem database. A is the correct option.

javitech83 (Option: A)

It is A. C is not correct at all, as the question mentions that the VPC already has connectivity with on-premises.

LuckyAro

C says to "update the route table" not create a new connection. C is correct.

Adios_Amigo

No need to do route updates. This is because the route to the destination on-premises is already set.

ruqui

C is wrong. Lambda can't connect by default to resources in a private VPC, so you have to do some specific setup steps to run in a private VPC. Answer A is correct.

cheese929 (Option: C)

My answer is C. Refer to the steps in the link: you need to configure the routing table to route traffic to the destination. https://aws.amazon.com/blogs/compute/running-aws-lambda-functions-on-aws-outposts-using-aws-iot-greengrass/ A is wrong, as it says to configure the Lambda function in the VPC; the requirement is to reach the database that is on-premises.

awsgeek75

Every time I read this question, the badly phrased options make no sense at all. I now want to vote for A, but it makes no sense. The question says: "All non-VPC traffic routes to the virtual private gateway." So Lambda is technically non-VPC traffic too. This means it already goes through the VPGW, but we don't know what it connects to. Assuming it connects the data center to AWS, then A makes sense. BUT all this is based on a different interpretation now for me.

pentium75 (Option: A)

The wording is strange because technically the Lambda function does not "run in the VPC"; rather, it is connected to the VPC. But otherwise A is what the relevant documentation says: connect the Lambda function to the VPC and allow traffic in the security group. Not B: we have Direct Connect, no need for VPN. Not C: the route is already in place. And a route alone does not help; the "route tables in the VPC" are completely irrelevant as long as we don't connect the Lambda function to the VPC. Not D: an "Elastic IP address" is always connected to an "elastic network interface", and such an interface is created automatically with A.

Kanagarajd

I agree with the explanation!

cookieMr (Option: A)

Option A: Configure the Lambda function to run in the VPC with the appropriate security group. This allows the Lambda function to access the database in the private subnet of the company's data center. By running the Lambda function in the VPC, it can communicate with resources in the private subnet securely. Option B is incorrect because setting up a VPN connection and routing the traffic from the Lambda function through the VPN would add unnecessary complexity and overhead. Option C is incorrect because updating the route tables in the VPC to allow access to the on-premises data center through Direct Connect would affect the entire VPC's routing, potentially exposing other resources to the on-premises network. Option D is incorrect because creating an Elastic IP address and sending traffic through it without an elastic network interface is not a valid configuration for accessing resources in a private subnet.

MehulKapadia (Option: A)

Answer A: During Lambda function creation, select "Advanced Settings" and then "Enable VPC"; this will allow you to select the VPC, subnets and security group for your Lambda function. This is the way Lambda can get controlled access to resources in your VPC. Default Lambda settings: when you create a Lambda function without specifying a VPC, the Lambda function does not get associated with any particular VPC. By default, Lambda functions are not deployed within a VPC and do not have access to resources within a VPC, such as EC2 instances, RDS databases, or ElastiCache clusters, unless you explicitly configure the Lambda function to connect to a VPC.

Guru4Cloud (Option: A)

Go to the Lambda console. Click the Functions tab. Select the Lambda function that you want to configure. Click the Configuration tab. In the Network section, select the VPC that you want the function to run in. In the Security groups section, select the security group that you want to allow the function to access the database subnet. Click the Save button.

xdkonorek2 (Option: C)

It's not A: a Lambda function always runs inside a VPC owned by the Lambda service. https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html

liux99

The answer is C. The question is to allow Lambda to access the database running in a private subnet in the corporate data center. The only connectivity with the data center is Direct Connect.

Igogor

Answer C is correct: https://repost.aws/questions/QUSaj1a6jBQ92Kp56klbZFNw/aws-lambda-to-on-premise-via-direct-connect-and-aws-privatelink

zjcorpuz

Correct answer is A. Lambda is available in the Region by default; if you want to connect it to your private subnet or to an on-prem data center, you must configure your Lambda with a VPC. C is wrong because there is no help in adding routes to the VPC without configuring your Lambda to the VPC.

jatric (Option: C)

C is correct, as Lambda is already in the VPC and the AWS account already has a connection set up with the on-premises database in the private subnet.

lofzee (Option: A)

B, C, D don't have any logic behind them. A is the most logical answer, as you need to connect a function to a VPC. The VPC will be connected to the on-prem database.

Uzbekistan (Option: C)

Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect. Updating the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect is the most appropriate solution. By updating the route tables, you can specify the route for traffic from the Lambda function to the IP address range of the on-premises data center via the Direct Connect connection. This ensures that the Lambda function can securely communicate with the database in the private subnet of the data center.

awsgeek75 (Option: C)

The question and options are very badly worded, so it makes C a possible candidate (unconvincingly though!). B: VPN is not needed, as Direct Connect is already there. D: Irrelevant. A is too generic (appropriate security group for what?); Lambda has a fixed VPC or ENI. C is logically relevant.

pentium75

A says "configure the Lambda function to RUN IN the VPC", but "a Lambda function ALWAYS runs inside a VPC owned by the Lambda service" (https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html). "You can configure a Lambda function to CONNECT TO private subnets in a virtual private cloud (VPC) in your AWS account", but "connect to" is not the same as "run in" (https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). Otherwise A would make sense (you CAN assign a security group to the Elastic Network Interface that Lambda uses to connect to your VPC).

pentium75

B: We already have Direct Connect, so why set up VPN? C doesn't make sense because "all non-VPC traffic [already] routes to the virtual private gateway" (which is obviously connected to the Direct Connect gateway), so why should you "update the route tables"? D sounds plausible; however, an Elastic IP address is associated with an Elastic Network Interface (though that is automatically provided by AWS). So the "without an elastic network interface" makes D wrong. My best guess is that there's a typo or misunderstanding in the answers. It's either A, but it should read "connect to the VPC" instead of "run in the VPC", or it's D, but it should read "without CREATING an elastic network interface" or "WITH an elastic network interface".