
Adding to VPC

Marketplace Central's S3, Lambda, and DynamoDB components can be added to a VPC like any other application, via VPC endpoints.

New VPC

  • 1 VPC, e.g. 10.0.0.0/16
  • At least 2 public and 2 private subnets across 2 AZs
  • Internet Gateway attached
  • NAT Gateway(s) in public subnets
  • Route tables:
    • Public subnets → 0.0.0.0/0 via IGW
    • Private subnets → 0.0.0.0/0 via NAT

Attach Marketplace Central Lambdas to the VPC

For each Lambda that should live “inside the VPC”:

IAM for VPC attachment

Add the managed policy AWSLambdaVPCAccessExecutionRole to the Lambda execution role so that Lambda can create Hyperplane ENIs.

Attach Data

  • Interface endpoints (AWS PrivateLink) for:
    • com.amazonaws.<region>.dynamodb
    • ...sts
    • ...logs (if you want private delivery to CloudWatch Logs)
    • ...secretsmanager / ...ssm / ...lambda as needed

Attach security groups to these endpoints that allow inbound traffic from sg-marketplacecentral-lambda (or the ECS SG) on port 443.
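The pieces described above, written as one CloudFormation template. This is an added example, not taken from the Marketplace Central project: the parameter names and logical IDs are assumptions, and `LambdaSg` stands in for sg-marketplacecentral-lambda. Only the STS and CloudWatch Logs endpoints are shown; the other services in the list use the same resource shape.

```yaml
# Added example: logical IDs and parameter names are assumptions, not project values.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: "AWS::EC2::VPC::Id" }
  PrivateSubnetIds: { Type: "List<AWS::EC2::Subnet::Id>" }
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: "sts:AssumeRole" }
      ManagedPolicyArns:
        # Lets Lambda create the network interfaces it needs in the VPC
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  LambdaSg: # stands in for sg-marketplacecentral-lambda
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Marketplace Central Lambda functions
      VpcId: !Ref VpcId
  EndpointSg: # no CIDR rule: only members of LambdaSg can reach the endpoints
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Interface endpoints - HTTPS from the Lambda SG only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !GetAtt LambdaSg.GroupId
  StsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.sts"
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!GetAtt EndpointSg.GroupId]
      PrivateDnsEnabled: true
  LogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.logs"
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!GetAtt EndpointSg.GroupId]
      PrivateDnsEnabled: true
```

Each function then references `LambdaSg` and the private subnets in its `VpcConfig`.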