AWS Certified SysOps Administrator – Associate — Question 280

A company has an application that uses a scheduled AWS Lambda function to retrieve datasets from external sources over the internet. The function is not associated with a VPC. The company is modifying the application to store the information that the Lambda function retrieves on an Amazon RDS DB instance in a private subnet. The VPC has two public subnets and two private subnets.

A SysOps administrator must deploy a solution that allows the Lambda function to access the new database and continue to access the internet.

Which solution meets these requirements?

Answer options

• A. Create a new Lambda function with VPC access and an Elastic IP address. Attach the function to public subnets in two Availability Zones. Associate a security group with the Elastic IP address. Configure the security group outbound rules to allow Lambda to access the required resources.
• B. Create a new Lambda function with VPC access and two public IP addresses. Attach the function to public subnets in the same Availability Zones that the database uses. Associate a security group with the function. Configure the security group inbound rules to allow Lambda to access the required resources.
• C. Reconfigure the Lambda function for VPC access. Add NAT gateways to the public subnets in the VPAdd route table entries in the private subnets to route through the NAT gateways to the internet. Attach the function to the private subnets that support the database. Associate a security group with the function. Configure the security group outbound rules to allow Lambda to access the internet.
• D. Reconfigure the Lambda function for VPC access. Attach the function to the private subnets. Add route table entries in the private subnets to route through the internet gateway to the internet. Associate a security group with the subnets. Configure the security group inbound rules to allow Lambda to access the required resources through the internet gateway.

Correct answer: C

Explanation

To allow an AWS Lambda function to access both private VPC resources (like an RDS instance in a private subnet) and the public internet, the Lambda function must be associated with the private subnets. Outbound internet traffic from these private subnets must then be routed through a NAT gateway deployed in a public subnet. Placing Lambda in public subnets directly does not grant it internet access because Lambda functions do not get assigned public IP addresses, and routing private subnets directly to an Internet Gateway is invalid.