The lab was made complicated by creating the Lambda function inside a VPC. We suddenly had to manage security groups and add a VPC endpoint in order to communicate with Secrets Manager. On the other hand, if we run the Lambda function outside a VPC, it conveniently communicates with both Secrets Manager and the RDS database, saving us several configuration steps. I tried it and it worked. Hence, did the lab deliberately choose the hard way in order to educate us about communicating with Secrets Manager from within a VPC? And why couldn’t the Lambda function reach Secrets Manager via the internet gateway route?
Update: Instead of using a VPC endpoint, I connected the Lambda function to Secrets Manager using a private subnet and a NAT gateway and it worked. However, connecting with a public subnet and an internet gateway doesn’t work. Is this normal and expected with Lambda functions?
Note: I understand that using VPC endpoints is more secure since we stay in the AWS network and we don’t travel to the internet. However, my question above is intended for educational purposes only.
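The VPC-endpoint path discussed above, as an added Terraform example that is not code from the lab or the post: it places an interface endpoint for Secrets Manager in the private subnets and pairs it with two security groups so the function's ENIs can reach only the endpoint on 443, and the endpoint policy admits only the function's role for one secret. The VPC id, subnet ids, region, role ARN and secret ARN are placeholders to be replaced with the lab's own values.

```hcl
# Added example, not code from the lab or the post. Assumes an existing VPC, private
# subnets, a Lambda execution role and a secret; every id/ARN below is a placeholder.
variable "vpc_id"             { default = "vpc-PLACEHOLDER" }
variable "private_subnet_ids" { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "region"             { default = "us-east-1" }
variable "lambda_role_arn"    { default = "arn:aws:iam::123456789012:role/ROLE-PLACEHOLDER" }
variable "secret_arn"         { default = "arn:aws:secretsmanager:us-east-1:123456789012:secret:SECRET-PLACEHOLDER" }

# SG for the function's ENIs. Lambda ENIs never get a public IP, so a route to an
# internet gateway gives them no egress; they only need 443 to the endpoint SG
# (add a matching egress rule for the RDS security group).
resource "aws_security_group" "lambda" {
  name   = "lambda-to-secretsmanager"
  vpc_id = var.vpc_id
}
resource "aws_security_group_rule" "lambda_egress_443" {
  type                     = "egress"
  security_group_id        = aws_security_group.lambda.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.endpoint.id # destination SG for egress rules
}
# SG for the endpoint ENIs: accept 443 only from the function's SG.
resource "aws_security_group" "endpoint" {
  name   = "secretsmanager-endpoint"
  vpc_id = var.vpc_id
}
resource "aws_security_group_rule" "endpoint_ingress_443" {
  type                     = "ingress"
  security_group_id        = aws_security_group.endpoint.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda.id
}
# Interface endpoint in the private subnets; with private DNS the SDK's default
# Secrets Manager hostname resolves to the endpoint ENIs, so the function code is unchanged.
resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = true
  # Endpoint policy: only this function's role, only this secret, read only.
  policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect = "Allow", Principal = { AWS = var.lambda_role_arn }, Resource = var.secret_arn,
    Action = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"] }] })
}
```

With this in place the function's subnets need no route to a NAT gateway or internet gateway at all for Secrets Manager traffic, which is why the private-subnet plus endpoint layout is the one the lab steers toward.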